The United Kingdom’s Information Commissioner’s Office issued an enforcement notice against Experian last week, ordering the company to make “fundamental changes” to how it handles consumer data. The two-year investigation found that all three credit reference agencies—Experian, Equifax, and TransUnion—were “trading, enriching, and enhancing people’s personal data without their knowledge,” the ICO said. The enforcement notice was against Experian only because the regulator said Equifax and TransUnion had made the necessary changes already.
Experian has nine months, till July 2021, to make those changes, or risk facing fines of up to either £20 million or 4 percent of global revenue, whichever figure is higher.
The companies were taking consumer data and correlating different pieces of information and combining it with information collected elsewhere to generate fresh, or previously unknown information about individuals, to create in-depth consumer profiles. This type of “invisible” data processing violated data protection laws—specifically, the European Union’s General Data Protection Regulation (GDPR)—because the agencies didn’t clearly explain to consumers what they did with the data. The privacy policies on company websites were not sufficiently clear to explain to consumers how the data was being used. The data was sold to political parties to create profiles of potential voters and to businesses to identify consumers for their goods and services.
The data was also being used in limited ways for marketing purposes. “Some of the CRAs were also using profiling to generate new or previously unknown information about people, which is often privacy invasive,” the ICO said. By January 2021, Experian must stop using personal data derived from the credit referencing side of its business—such as screening out prospective customers from marketing lists on the basis of financial status.
Experian made efforts to improve its data handling practices over the past year, but the ICO said those improvements didn’t go far enough. Experian still needs to improve its privacy information to clearly inform consumers what personal data is being collected, where it comes from, what it is being used for, who the data is being sold to, and why it is being sold. The agency also needs to stop processing data collected unlawfully under GDPR rules, and delete any data supplied without consent.
“Although Experian made progress in improving compliance, it did not go far enough,” the ICO said. “Experian did not accept that they were required to make the changes set out by the ICO, and as such were not prepared to issue privacy information directly to individuals nor cease the use of credit reference data for direct marketing purposes.”
Equifax and TransUnion avoided the enforcement action because their changes were considered sufficient and they withdrew products and services that relied on data that had been handled this way. “I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first,” said Information Commissioner Elizabeth Denham.
The campaign group Privacy International raised concerns about data brokers in a complaint to the ICO in 2018. Even though data brokers are key actors in the “hidden data ecosystem,” most people will never have heard of these companies, Privacy International said. “People cannot assert their rights if there is no transparency around who is collecting their personal data and for what purpose.”
Regulators have tools other than issuing fines to get organizations to change their behavior. As a regulatory tool, enforcement action is a powerful—and likely the most effective—way to require an organization to stop processing personal data in a certain way.
Experian has nine months to appeal ICO’s findings. Experian claimed the ICO’s interpretation of the GDPR “risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.” Experian said consumers can see the ways the company work with data and to opt out of data processing via the Experian Consumer Information Portal.
“We use long standing publicly and commercially available sources to build our marketing products, such as the edited electoral roll, the UK Census and market research data. We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently,” said Brian Cassin, CEO of Experian. “We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.”
The enforcement notice sends a strong message to “this opaque and complex industry,” Privacy International said. Data protection regulators in other countries need to look at data brokers, and ask what they are doing to protect people from their data being exploited. “We have repeatedly said that, when the General Data Protection Regulation (GDPR) came into effect, the real test for GDPR would be in its enforcement.”
The ICO’s investigation didn’t include data collected about an individual’s online behaviors. “We are investigating participants in the online advertising industry separately,” the organization said.