Ruling in Experian GDPR case thrusts ‘legitimate interest’ into spotlight
By 
Neil Hodge2023-02-28T13:00:00
Experian won a legal battle against the U.K. Information Commissioner’s Office (ICO) after the data regulator ordered the credit reference agency to make “fundamental changes” over the way it handled personal data for direct marketing purposes or stop altogether.
In October 2020, following a two-year investigation, the ICO issued Experian an enforcement notice—rather than a fine—for breaching the European Union’s General Data Protection Regulation (GDPR) by processing and selling personal data for postal and telephone marketing campaigns without people’s knowledge or consent.
Through its direct marketing arm, Experian acquired personal data on people from a mix of publicly available sources like the electoral register, other data suppliers, and its own credit reference business, according to the ICO. Rather than try to gain consumers’ consent, Experian allegedly relied on the concept of “legitimate interest” to use personal data to build a profile on around 50 million adults, which it then sold to third parties to help target marketing promotions more effectively.
THIS IS MEMBERS-ONLY CONTENT
You are not logged in and do not have access to members-only content.
If you are already a registered user or a member, SIGN IN now.
Related articles
-
News BriefExperian failed to correct flawed financial data about consumers, CFPB complaint alleges
Experian, the credit reporting giant, let compliance slide when it came to addressing consumer complaints about incorrect data, the Consumer Financial Protection Bureau said in a lawsuit against the credit agency.
-
News BriefTransUnion settles with CFPB, FTC over tenant screening accuracy
Credit reporting agency TransUnion agreed to pay $23 million total across settlements with the Consumer Financial Protection Bureau and Federal Trade Commission for alleged tenant screening and security freeze deficiencies.
-
PremiumExperts: Austrian Post GDPR ruling offers clarity on damages compensation
A decision by Europe’s Supreme Court regarding Austria’s main postal service might make it easier for the bloc’s citizens to bring legal claims for privacy breaches—with potentially unlimited scope for damages.
More from Regulatory Enforcement
-
News BriefFTC orders GoDaddy to upgrade cybersecurity defenses following three breaches
The Federal Trade Commission has ordered web hosting company GoDaddy to implement a “robust” information security program following at least three data breaches that the agency said were aided by lax cybersecurity measures.
-
News BriefFTC shuts down student loan firms over deceptive debt relief practices
The U.S. Federal Trade Commission (FTC) took action against a pair of student loan debt relief companies for allegedly deceiving borrowers. The move came despite the Trump administration’s broader efforts to roll back enforcement actions against businesses since taking office.
-
News BriefCoinbase faces a leftover SEC probe as crypto enforcement loses steam
After dismissing its lawsuit against the crypto exchange Coinbase in March, a second investigation into the exchange by the Securities and Exchange Commission has surfaced, according to a report from the New York Times. This comes as a bit of a surprise after the Trump administration has been scaling down ...