On October 27, 2020, the UK Information Commissioner’s Office ordered Experian Limited, a credit reference agency (CRA), to change the way it handles personal data with regards to its direct marketing services. The ICO reported that it undertook a two-year investigation – prompted by a complaint from Privacy International — that uncovered data protection failures by all three major CRAs, but while Equifax and TransUnion made improvements to their practices (including by withdrawing certain products and services in order to comply with the data protection laws), Experian failed to make a number of requested changes. As a result, the ICO issued the enforcement notice directing Experian to implement the changes within 9 months or risk further action by the ICO.
The ICO’s enforcement notice requires Experian to make a number of compliance changes, including: (1) sending notifications to individuals to inform them of how their data is being used or will be used for direct marketing purposes, and (2) ending by January 2021 the practice of using for direct marketing purposes personal data obtained for credit referencing. Experian must comply with all of the ICO’s requirements by July 2021 subject to any appeal.
More broadly, the ICO published its findings on the direct broking industry in a report entitled, “Investigation into data protection compliance in the direct marketing data broking sector.” The ICO’s work in this area is ongoing; therefore, further audit findings will be published once the audits are concluded.