Experian faces enforcement motion after knowledge watchdog investigation
What did the ICO’s investigation find?
The ICO’s investigation found “significant data protection failures” at Experian, Equifax and Transunion.
All three firms are credit reference agencies, which means they collect credit information on customers, which is then used by companies when they’re deciding whether or not to lend to people e.g. if they’re getting a mortgage or taking out a loan.
It found that all three firms were processing people’s personal data without their knowledge. This created products which were used by other organisations – including commercial entities, political parties and charities – to find new customers, identify the people most likely to be able to afford goods and services, and build profiles of people.
The ICO said that significant amounts of the processing was “invisible”, meaning people weren’t aware the organisation was collecting and using their personal data. It also found some credit reference agencies were using profiling to generate new or previously unknown information about people, which is often privacy invasive.
As a result, all three credit reference agencies made improvements to their direct marketing services. Equifax and TransUnion also withdrew some products and services, meaning the ICO is taking no further action against them.
But the watchdog said that Experian had not gone far enough to improve its compliance, and hadn’t been prepared to give privacy information directly to individuals or stop using credit reference data for direct marketing purposes.
As a result, Experian has been given the enforcement notice compelling it to make changes within nine months or risk further action. This could include a fine of up to £20 million or 4% of the organisation’s total annual worldwide turnover.