ICO investigates UK's major credit reference agencies' data broking practices

The Information Commissioner's Office’s investigation into the direct marketing data broking sector has found systemic data protection failings in the practices of large credit reference agencies – highlighting the importance of appropriate due diligence when purchasing personal data for direct marketing purposes. The investigation has already prompted changes to the products, services and practices of the agencies that were subject to the investigation.

Having previously looked into adtech and real-time bidding as well as use of data in political campaigns, the ICO recently published its findings in connection with its investigation into the use of personal data by credit reference agencies (CRAs) Experian, Equifax and TransUnion in the offline direct marketing context.

The ICO’s key findings, which will be of interest to organisations purchasing direct marketing data from the CRAs in question or from other data broking services, included the following:

  • Shortcomings were identified in the way individuals were told about direct marketing in privacy notices and policies.
  • In certain cases, failure to provide privacy information to individuals resulted in invisible data processing (i.e. the trading, enrichment and enhancement of people’s data without their knowledge) contrary to the right to be informed set out in the GDPR.
  • Data collected for credit referencing was used for a small number of direct marketing purposes (e.g. to gain insight on affordability and financial standing). Nevertheless, data should not have been used in this way without sufficient information being provided to individuals and an appropriate legal basis being in place.
  • The ICO found issues in connection with the legal bases used for certain direct marketing activities. For example, it was found that where data had been shared with a CRA for direct marketing on the basis of consent, then it was not correct for the CRA to rely on another legal basis (such as legitimate interests) for its direct marketing services when it should have relied on consent.

The investigation prompted the CRAs in question to change their practices and remove some of their direct marketing related products and services. As a result of the improvements implemented, the ICO considered it was not necessary to take further action against two of the three CRAs audited. Concerns remained in connection with Experian, to whom an enforcement notice has been issued.

Data broking services are very commonly used for direct marketing by various commercial organisations, political parties and charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people. Data broking services have many benefits when it comes to direct marketing activities. However, it is important to ensure that the use of data for this purpose complies with the law.

The ICO’s findings highlight key issues which organisations should consider when engaging a data broker for direct marketing purposes:

  • Check the terms. What are the contractual limitations regarding use of the data? Are there warranties or other obligations on the data broker to ensure the data can lawfully be used for the customer’s intended direct marketing purposes? What are the data broker’s data protection obligations and liabilities under the contract? If the data broker’s standard terms are used, these may offer little assurance – in that case consider whether negotiation on the terms is possible / appropriate.
  • Due diligence regarding data sources and privacy information. Ask about the sources of the data and the data broker’s practices when it comes to providing privacy information. You may even wish to have a look at the specific wording of the data broker’s privacy notice/policy.
  • Legal basis. Ask about the data broker’s legal basis. If data is shared for direct marketing on the basis of consent by the data broker, this may have an impact on the legal bases available to the customer.
  • If the data broker carries out many activities (in the present ICO investigation the audited organisations were both credit reference agencies and direct marketing data brokers), ask how the data broker ensures that data collected for one activity is not used for another.

For further information on data protection and direct marketing, please get in touch with a member of our specialist GDPR & Cyber Security team.

This article was co-written by Calum Lavery, Trainee Solicitor.
