Experian won a legal battle against the U.K. Information Commissioner’s Office (ICO) after the data regulator ordered the credit reference agency to make “fundamental changes” over the way it handled personal data for direct marketing purposes or stop altogether.
In October 2020, following a two-year investigation, the ICO issued Experian an enforcement notice—rather than a fine—for breaching the European Union’s General Data Protection Regulation (GDPR) by processing and selling personal data for postal and telephone marketing campaigns without people’s knowledge or consent.
Through its direct marketing arm, Experian acquired personal data on people from a mix of publicly available sources like the electoral register, other data suppliers, and its own credit reference business, according to the ICO. Rather than try to gain consumers’ consent, Experian allegedly relied on the concept of “legitimate interest” to use personal data to build a profile on around 50 million adults, which it then sold to third parties to help target marketing promotions more effectively.
THIS IS MEMBERS-ONLY CONTENT. To continue reading, choose one of the options below.
News and analysis for the well-informed compliance or audit exec.
Trial Membership
First week free, then $499 for an annual Membership
Cancel anytime within the trial period.
Annual Membership best value
Subscribe now for $365
Our lowest price ($1 per day) for one year.
A decision by Europe’s Supreme Court regarding Austria’s main postal service might make it easier for the bloc’s citizens to bring legal claims for privacy breaches—with potentially unlimited scope for damages.
The U.K. Information Commissioner’s Office began publishing the details of cases where organizations breached the General Data Protection Regulation but were not fined. Legal experts share their take on the initiative.
The Information Commissioner’s Office fined catalog retailer Easylife £1.35 million (U.S. $1.5 million) for marketing health-related products to individuals without their consent in violation of the U.K. General Data Protection Regulation.
Accounting firm Prager Metis violated auditor independence rules through use of indemnification provisions in its engagement letters hundreds of times during a period of nearly three years, the Securities and Exchange Commission charged in a lawsuit.
The American branch of South Korea-based Shinhan Bank agreed to pay $25 million across settlements with three separate regulators for admitted violations of the Bank Secrecy Act and anti-money laundering requirements.
Exelon and its subsidiary Commonwealth Edison agreed to pay $46.2 million as part of a settlement with the Securities and Exchange Commission related to their Illinois bribery and lobbying scandal that previously earned ComEd a deferred prosecution agreement.
