The Information Commissioner's Office has asked credit rating agency Experian to make a number of changes to the way it collects and processes user data in order to comply with data protection law and to avoid massive fines under GDPR.
The Information Commissioner's Office served an enforcement notice to Experian on Tuesday, asking the rating agency to pull up its socks and comply with data protection law after finding that Experian seriously violated privacy law as far as collecting and processing the data of consumers is concerned.
The enforcement notice follows a two-year investigation by the ICO into how the three major credit rating agencies, namely Experian, Equifax, and TransUnion, used personal data within their data broking businesses for direct marketing purposes.
The ICO found evidence which revealed that the three credit rating agencies traded, enriched, and enhanced people's personal data without their knowledge or consent, and their products were then used by commercial organisations, political parties, and charities to find new customers, build profiles of people, and identify people who could afford their goods and services.
The credit rating agencies also processed the personal data of millions of adults in the UK without informing them and also used their personal data for marketing purposes in violation of data protection law. Following the ICO's findings, Equifax and TransUnion made quick improvements to their data collection and processing activities and also withdrew some products and services that were based on the processing of people's personal data.
However, despite making progress in improving compliance, Experian refused to make changes to their data processing activities as per the directions of the ICO, refused to issue privacy information directly to individuals, and also refused to cease the use of credit reference data for direct marketing purposes.
This forced the ICO to issue an enforcement notice to Experian, directing the rating agency to comply with data protection law and to make changes to their data processing protocols by July 2021. Experian has also been directed to stop using personal data (derived from the credit referencing side of its business) for direct marketing purposes by January 2021. The enforcement notice has also laid out the following requirements:
- Setting out improvements to privacy information to make clear what personal data is collected, where it has come from, what it is being used for, or who the data is being sold to, and why.
- Deleting any data supplied to Experian under the lawful basis of consent which is now being processed using a different lawful basis of legitimate interests.
- Stop the processing of any personal data that has been collected unlawfully.
“The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights,” said Information Commissioner Elizabeth Denham.
“The trade in personal data with other organisations has implications beyond the industry. Disrupting the flow of non-compliant personal data will have a significant impact not just across the sector but will drive benefits for individuals and organisations wherever this data is used.
“I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments,” she added.
Welcoming the ICO's decision to put Experian on notice, Iain Lovatt, Chairman and co-founder of BlueVenn, said no organisation should feel they are exempt from the legislation that is there to protect consumers and the incident highlights the fact that there is still a long way to go when it comes to data hygiene, enhancement, and best practices.
"With Google embarking on plans to remove third-party cookies from its Chrome browser by 2022, a broader transition is happening, marking the shift from 3rd party data to 1st party data. It is important that more companies invest in and look to build up their 1st party data intelligence now, through their own profiling tactics, to glean insights that are earned and freely offered up by the consumer. Importantly, there is also less of privacy risk, as all data is organic and therefore more aligned with the regulatory standards of today," he added.