Experian faces enforcement action after data watchdog investigation
Credit reference agency Experian has been ordered to make changes to how it handles people’s personal data in its direct marketing services.
Experian must tell people that it holds their personal data and make clear how it is using or intends to use it for marketing purposes by July 2021, as part of an enforcement notice from the Information Commissioner’s Office (ICO).
It must also stop using personal data it obtains from credit referencing by January 2021. At the moment it uses this data for limited direct marketing purposes.
This action follows a two-year investigation by the ICO which found millions of adults in the UK were likely to be affected by "invisible" data processing.
The investigation looked at how the three major credit reference agencies - Experian, Equifax and TransUnion - were trading people’s personal data without their knowledge.
What did the ICO's investigation find?
The ICO's investigation found "significant data protection failures" at Experian, Equifax and TransUnion.
All three firms are credit reference agencies, which means they collect credit information on customers. Companies then use that information when they're deciding whether or not to lend to people, e.g. if they're getting a mortgage or taking out a loan.
It found that all three firms were processing people’s personal data without their knowledge. This created products which were used by other organisations - including commercial entities, political parties and charities - to find new customers, identify the people most likely to be able to afford goods and services, and build profiles of people.
The ICO said that a significant amount of the processing was "invisible", meaning people weren't aware the organisation was collecting and using their personal data. It also found some credit reference agencies were using profiling to generate new or previously unknown information about people, which is often privacy-invasive.
As a result, all three credit reference agencies made improvements to their direct marketing services. Equifax and TransUnion also withdrew some products and services, meaning the ICO is taking no further action against them.
But the watchdog said that Experian had not gone far enough to improve its compliance, and hadn't been prepared to give privacy information directly to individuals or stop using credit reference data for direct marketing purposes.
As a result, Experian has been given the enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20 million or 4% of the organisation’s total annual worldwide turnover.
What do the ICO and Experian say?
Information Commissioner Elizabeth Denham said: "Our investigation uncovered data protection failings that likely affected millions of adults in the UK.
"The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data.
"The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights."
Brian Cassin, chief executive officer at Experian, said: "We disagree with the ICO’s decision today and we intend to appeal."
Experian said its consumer information portal makes it very easy for people to fully understand the ways it works with data and to opt out of having their data processed if they wish.