The UK’s Information Commissioner’s Office (ICO) found Experian guilty of sharing the personal data of millions of users without their knowledge or consent and ordered it to stop. The credit reporting company, which is based in Dublin, Ireland, sold the information to businesses, political parties, and charities. Commercial organizations used it to identify individuals who can afford goods and services, while other entities could build profiles about people and find new customers. And although Experian slightly improved its practices, the ICO said that they weren’t enough. The watchdog gave Experian nine months to make “fundamental changes” to how it handles sensitive data. Otherwise, it could face hefty fines up to £20 million (around $26m), or 4% of the company’s global turnover, whichever is higher.
ICO carried out the investigation two years ago following a complaint from campaign group Privacy International. It discovered that Experian, Equifax, and TransUnion, two other firms that offered similar services, were processing data without the consumers’ knowledge. These agencies allow people to check their credit scores for loans, credit cards, and other financial services. However, they also act as data brokers, meaning they harvest and sell the data they collect from various sources. According to the report, Experian, Equifax, and TransUnion had data access to almost every adult in the UK. This information was then “screened, traded, profiled, enriched, or enhanced to provide direct marketing services.”
The investigation covered offline data brokerage and did not include any information about online behavior, which is being probed separately by the ICO. Equifax and TransUnion did not face further action because both made significant improvements, including removing some products and services. But all three companies did not clarify how they handled people’s data, even though it is a General Data Protection Regulation (GDPR) requirement.
“The data broking sector is a complex eco-system where information appears to be traded widely without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data,” said Information Commissioner Elizabeth Denham. According to the ICO, Experian still needs to inform people that it collects personal data and explain how it uses it. The agency must also respect GDPR rules and stop eliminating potential clients from marketing lists based on of financial status.
Data monitoring and collection is a growing concern. VPNs are cybersecurity tools that encrypt your traffic and delete sensitive information from their servers. TheVPN.Guru is home to unbiased and detailed VPN reviews, as well as how-to guides and online privacy tips.