On 27 October 2020 the Information Commissioner’s Office (ICO) [United Kingdom] issued an enforcement notice in relation to the marketing services we provide in the UK (1% of Experian’s Group revenue).
Brian Cassin, Chief Executive Officer, said, “We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”
We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.
For more than 30 years, our UK marketing services business has been helping a variety of organisations from both the public and private sector, including many charities. We use long-standing publicly and commercially available sources to build our marketing products, such as the edited Electoral Roll, the UK Census and market research data. We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently. We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.
The COVID-19 crisis has clearly demonstrated that data that is managed in a way that properly protects individual privacy can be used as a force for good. Our data has helped local authorities, NHS Trusts, fire services, food banks, councils and other major charities to get help and support to the most vulnerable during the crisis. Our business data has also been used by the UK government to plan and forecast support measures for businesses.
We are also deeply concerned about the impact this could have on thousands of small businesses and charities that use our data, particularly as they try to recover from the impact of the COVID-19 crisis.
Around two thirds of the firms that use our marketing services employ fewer than 200 people each. Many of these small businesses are in sectors that have been hit hardest by the COVID-19 crisis: over 30% of the income in our marketing services business comes from sectors such as retail, leisure, automotive and travel.
- The Enforcement Notice only applies to our UK Marketing Services business (1% of Experian’s Group revenues). Our credit related businesses are unaffected by this outcome.
- The Enforcement Notice is not a fine. It is a list of actions that reflect the ICO’s interpretation of GDPR as it relates to our UK marketing services business.
- All enforcement actions will be stayed pending the appeal, and we do not anticipate any impact on our marketing products or services.
- We do not expect actions from the enforcement notice to lead to a materially adverse financial outcome for the Experian Group.
Background: On October 27, 2020, the UK Information Commissioner’s Office (“ICO”) published its enforcement notice against credit reference agency Experian Limited (“Experian”) under Section 149 of the Data Protection Act 2018 (“DPA”) (the “notice”). The notice requires Experian to make fundamental changes to its offline direct marketing practices, and was issued after the ICO undertook a two-year investigation into the use of personal data by data broking businesses Experian, Equifax and TransUnion.
Source: Experian Press Release