One of the “big three” credit reporting agencies (CRAs), Experian handles the most sensitive financial data of hundreds of millions of customers across some 45 countries. While its primary mission is to facilitate assessments of lending risk, Experian also has a data broking department that leverages its position to provide marketing analytics among other services. It is that department that finds itself in trouble with the UK ICO, requiring it to make major changes to its direct marketing services within nine months or face a fine under the terms of the General Data Protection Regulation (GDPR).
UK ICO comes down on CRA “side services”
The UK ICO has been investigating the data broking practices of the three major CRAs for two years now, following complaints from privacy groups about Experian and Equifax. The investigation ended up finding problems with each of the CRAs' data broking departments, but the issues with Equifax and TransUnion were resolved via voluntary compliance with recommendations made by the UK ICO (including removal of certain services).
Experian is a different kettle of fish. The CRA’s direct marketing practices appear to be so out of alignment with GDPR rules that it has been threatened with the possibility of a fine by the UK ICO if it does not make substantial changes prior to next summer.
The CRAs are governed by strict laws regarding allowing third parties to access consumer credit profiles. However, there is some room for these agencies to sell select demographic information to marketers. As part of their data broking practices, the CRAs often build separate marketing profiles on consumers from this information, which marketers are allowed to access; these profiles are pursued by various service providers looking to sell their products to target demographics, as well as by charities and political organizations seeking likely sources of donations. The trouble is that the GDPR protects the use of this information just as much as it protects the use of credit profiles, but CRAs have generally failed to make consumers aware of, or provide access to, this “invisible” data broking done at the marketing end of their operations. Some of the CRAs also appear to have been acquiring extra information about consumers from outside sources and adding it to these marketing profiles.
The UK ICO found that while Experian did provide some of the required privacy notification information on its website about how some of this information was being used, it did not make the full scope of the activity clear. It also found that certain types of data processing were not being carried out lawfully. The central issue here appears to be inappropriate crossover between the consent given for credit processing purposes and the use of that consent as a basis for also adding information to the marketing operations.
The enforcement notice that Experian received from the UK ICO requires it to make changes to these practices within nine months or face a GDPR fine, which can range up to £20m or 4% of total annual worldwide turnover. In this case it seems reasonable to speculate that the fine would be close to the maximum given that Experian is processing the personal data of millions of people. Experian is additionally required to cease the use of personal data in its direct marketing products by January 2021.
Experian appeared resistant to the UK ICO ruling and in no hurry to make the required changes, indicating in a response from CEO Brian Cassin that it disagreed with the judgment and intended to appeal the decision.
Data broking industry facing increased scrutiny
In a more general statement about the data broking industry, Information Commissioner Elizabeth Denham said: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights … I am encouraged by Equifax and TransUnion’s willingness to change their practices and put people’s legal rights first. Now I expect the data broking sector to make the same commitments.”
EU regulators have been looking into a variety of data brokers since late 2018, not just the CRAs. Data protection authorities have also targeted more general ad tracking and personal profile aggregation companies such as Amobee, Criteo, Quantcast and Tapad. And though Google and Facebook tend to draw the most attention when it comes to ad tracking regulation, other major names in the software industry (such as Oracle and Acxiom) have also had their data broking practices investigated. Oracle and Salesforce were hit with class-action suits in August alleging that their real-time bidding personalized ad systems cannot possibly be in compliance with GDPR terms.
These data broking services are regarded by some as a potentially massive violation of personal privacy, scooping up people’s personal data from multiple sources to build detailed portfolios that in some cases contain health information and political views, among other highly sensitive items. This data is purchased from various online services, including dating and fitness sites in some cases, and is also sometimes scraped from public sources such as social media sites.