Context
The Information Commissioner’s Office (ICO) has issued an enforcement notice to Experian Limited, ordering it to make changes to the way in which it handles people’s personal data within its direct marketing services.
The enforcement notice follows a two-year investigation by the ICO into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes. A complaint from the campaign group Privacy International to the ICO also raised concerns about the data broking industry, specifically Equifax and Experian.
Experian did not accept that it was required to make the changes set out by the ICO, and as such was not prepared to issue privacy information directly to individuals or to cease using credit reference data for direct marketing purposes. As a result, Experian has been given an enforcement notice compelling it to make the changes within nine months or risk further action. This could include a fine of up to £20m or 4% of the organisation’s total annual worldwide turnover.
Findings from the investigation have been published, which can be read in full here: https://ico.org.uk/media/action-weve-taken/2618470/investigation-into-data-protection-compliance-in-the-direct-marketing-data-broking-sector.pdf
Key points to note
- The ICO found significant processing of personal data of which the individuals concerned were unaware, i.e. they did not know that their data was being collected and used. This is known as “invisible processing” and breaches data protection law.
- As well as the failure to be transparent, the regulator found that personal data supplied for the firms’ statutory credit referencing function was being used, in limited ways, for marketing purposes. In some cases the firms were also using profiling to generate new, or previously unknown, information about people, which is often privacy-invasive.
- Further thematic failings were identified, including:
  - Privacy information which did not clearly explain what was being done with people’s data.
  - Using certain lawful bases incorrectly for processing people’s data.
- The ICO decided an enforcement notice would be the most effective and proportionate way to achieve compliance in this situation. It is a powerful regulatory tool to require an organisation to stop processing personal data in a certain way and the most likely tool to achieve the results necessary to change behaviour.
- The notice requires that:
  - Experian informs people that it holds their personal data and how it is using, or intends to use, that data for marketing purposes.
  - Experian stops, by January 2021, using personal data derived from the credit referencing side of its business for direct marketing, which it currently does in limited ways. The ICO noted that, because people have no choice about whether their data is shared with Experian for credit referencing purposes, the use of that data for marketing is unexpected.
- Other key requirements of the notice include:
  - Setting out improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for, to whom it is being sold and why.
  - Deleting any data that was supplied to Experian on the lawful basis of consent but is now being processed on the different lawful basis of legitimate interests.
  - Stopping the processing of any personal data which has been collected unlawfully.