The Information Commissioner’s Office (“ICO”), the UK’s privacy regulator, recently warned Experian that it has nine (9) months to comply with an enforcement notice or face a potentially huge General Data Protection Regulation (“GDPR”) fine for illegally using customer data for marketing purposes. Experian was found to be “trading, enriching and enhancing”, and then selling, consumers’ data. It was also using the data to make creditworthiness and direct marketing decisions. Millions of UK residents’ data was collected without those residents being informed, and thus far Experian has refused to modify its data collection practices.
The ICO set out specific deadlines for Experian to inform customers that it holds their data and how it intends to use it for marketing purposes (July 2021) as well as when it must stop using data derived from its credit checks for direct marketing (January 2021). The ICO is also requiring that Experian:
- Stop processing unlawfully collected data;
- Delete any data collected with consent but which is now being used under a lawful basis of “legitimate interests”; and
- Clarify to customers what data it holds, where it’s come from and what it’s being used for.
Under the terms of the GDPR, Experian faces a fine of up to £20m or 4% of total annual worldwide turnover if it refuses to comply.