Leading credit rating agency Experian has vowed to appeal against an enforcement notice served by the Information Commissioner’s Office which found the agency guilty of using people’s personal data for direct marketing without obtaining prior consent.
Earlier this week, the Information Commissioner’s Office served an enforcement notice to Experian, asking the rating agency to pull up its socks and comply with data protection law after finding that Experian seriously violated privacy law as far as collecting and processing the data of consumers is concerned.
The enforcement notice followed a two-year investigation by the ICO into how the three major credit rating agencies, namely Experian, Equifax, and TransUnion, used personal data within their data broking businesses for direct marketing purposes.
The ICO found evidence which revealed that the three credit rating agencies traded, enriched, and enhanced people’s personal data without their knowledge or consent, and their products were then used by commercial organisations, political parties, and charities to find new customers, build profiles of people, and identify people who could afford their goods and services.
While Equifax and TransUnion made quick improvements to their data collection and processing activities and also withdrew some products and services during the course of ICO’s investigation, Experian refused to make changes to their data processing activities as per the directions of the ICO, refused to issue privacy information directly to individuals, and also refused to cease the use of credit reference data for direct marketing purposes.
This forced the ICO to issue an enforcement notice to Experian, directing the rating agency to comply with data protection law and to make changes to their data processing protocols by July 2021. Experian has also been directed to stop using personal data (derived from the credit referencing side of its business) for direct marketing purposes by January 2021.
Experian says it never harvested user data or tracked user behaviour or preferences
Responding to the ICO’s enforcement notice, Experian refuted the ICO’s allegations and vowed to appeal against the enforcement notice, stating that it obtains data from long-standing publicly and commercially available sources such as the edited Electoral Roll, the UK Census, and market research data and does not track users’ purchases, behavioural data or actual preferences.
“We disagree with the ICO’s decision today and we intend to appeal. At heart, this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis,” said Brian Cassin, Chief Executive Officer of Experian.
The agency said it develops statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently. At the same time, it does not track internet activity, actual consumer purchases, behavioural data or actual preferences, or locations of consumers.
“The COVID-19 crisis has clearly demonstrated that data that is managed in a way that properly protects individual privacy can be used as a force for good. Our data has helped local authorities, NHS Trusts, fire services, food banks, councils, and other major charities to get help and support to the most vulnerable during the crisis. Our business data has also been used by the UK government to plan and forecast support measures for businesses.
“We are also deeply concerned about the impact this could have on thousands of small businesses and charities that use our data, particularly as they try to recover from the impact of the COVID-19 crisis,” the agency added.
Image Source: Experian