Experian has clashed with the UK data watchdog over an order requiring the credit reference agency to make fundamental changes to the way it handles customer data.
The Information Commissioner’s Office (ICO) today published the findings of a two-year investigation into Experian, Equifax and Transunion over how they use personal data for direct marketing purposes.
The probe found that the firms were trading people’s data without their knowledge, and that this resulted in products used by commercial organisations, political parties and charities to find new customers and identify the people most likely to be able to afford certain goods or services.
The regulator ordered Experian to improve its compliance with data protection rules within nine months or face a fine of up to £20m or four per cent of annual turnover.
But Experian chief executive Brian Cassin said his company would appeal the decision, adding that the ICO’s view went “beyond the legal requirements”.
“This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the Covid-19 crisis.”
The ICO said it was not taking action against Equifax and Transunion as they had made improvements and withdrawn some products and services.
However, it said that while Experian had made progress in improving compliance, it had not gone far enough.
The enforcement notice requires the company to inform people how it is using their data for marketing purposes and to stop using data derived from the credit referencing side of its business by January next year.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data,” said information commissioner Elizabeth Denham.
“The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”