The Information Commissioner’s Office (ICO) on Tuesday issued an enforcement notice against Experian, ordering the credit reference agency to make “fundamental changes” to how it handles personal data related to its direct marketing services in the United Kingdom.

The ICO said the enforcement notice, which is not a fine, follows a two-year investigation into how Experian, Equifax, and TransUnion use personal data within their “offline” data-broking businesses for direct marketing purposes. Equifax and TransUnion did not receive a notice as a result of steps taken in the wake of the investigation.

Experian will appeal the ICO’s findings.

Industry-wide compliance failures

According to findings from the ICO’s investigation, all three credit reference agencies (CRAs) “were trading, enriching, and enhancing people’s personal data without their knowledge.” This so-called “invisible” data processing violated data protection laws—namely, the General Data Protection Regulation (GDPR)—and enabled commercial organizations, political parties, and charities to “find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people,” the ICO said.

The ICO said it found “significant data protection failures” at each CRA. Furthermore, the personal data being provided to each CRA “was being used in limited ways for marketing purposes,” the ICO said. “Some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive.”

Among other thematic failings, privacy information included on the CRA’s Websites about their data broking activities “did not clearly explain what they were doing with people’s data” and “they were using certain lawful bases incorrectly for processing people’s data,” the ICO said.

“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the U.K. little or no choice or control over their personal data,” Information Commissioner Elizabeth Denham said in a press release. “The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”

Experian, Equifax, and TransUnion have since improved their direct marketing services business, the ICO said. Additionally, Equifax and TransUnion withdrew some products and services. Thus, the ICO is not taking further action against them.

“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first,” Denham said. “Now I expect the data broking sector to make the same commitments.”

Experian’s compliance obligations

“Although Experian made progress in improving compliance, it did not go far enough,” the ICO said. “Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.”

In explaining its decision not to impose a fine, the ICO said an enforcement notice “would be the most effective and proportionate way to achieve compliance in this situation. It is a powerful regulatory tool to require an organization to stop processing personal data in a certain way and the most likely tool to achieve the results necessary to change behavior.”

Specifically, the ICO’s enforcement notice “requires Experian to inform people that it holds their personal data and how it is using or intends to use it for marketing purposes.” Experian must make these changes by July 2021.

By January 2021, Experian must stop using personal data derived from the credit referencing side of its business. “As an example, it should stop screening out prospective customers from marketing lists on the basis of financial status,” the ICO said.

The notice further compels Experian to:

  • Improve privacy information to make clear what personal data is collected, where it has come from, what it is being used for, or who the data is being sold to and why;
  • Delete any data supplied to Experian under the lawful basis of consent; and
  • Stop the processing of any personal data that has been collected unlawfully.

Not implementing these changes could result in an enforcement action against Experian under the GDPR, the ICO said.

The ICO’s investigation didn’t include data collected about an individual’s online behaviors. “We are investigating participants in the online advertising industry separately,” the organization said.

Experian’s response

In a statement, Experian Chief Executive Officer Brian Cassin said, “We disagree with the ICO’s decision today, and we intend to appeal. At heart, this is about the interpretation of GDPR, and we believe the ICO’s view goes beyond the legal requirements.”

Cassin added: “We share the ICO’s goals on the need to provide transparency, maintain privacy, and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.”