Experian Limited – Violation Found (United Kingdom, 2020)

Violation Found
Information Commissioner's Office, 12 October 2020, United Kingdom
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The UK Information Commissioner's Office found that Experian was not clear about how it collected and used personal data for marketing. It processed data from millions of UK residents without making this clear to them. This case shows the importance of transparency in data practices, especially for companies handling large amounts of personal information.

What happened

Experian processed personal data for marketing purposes without clearly informing individuals.

Who was affected

Approximately 50 million UK residents whose data was used for targeted marketing without adequate transparency.

What the authority found

The ICO found that Experian failed to provide clear information about its data processing activities, violating the GDPR's transparency requirements.

Why this matters

This case highlights the need for businesses to be transparent about how they collect and use personal data. Companies should ensure their privacy notices are clear and comprehensive to avoid regulatory scrutiny.

GDPR Articles Cited

Art. 14 GDPR
Art. 5(1) GDPR
Art. 6(1) GDPR
Full Legal Summary

The ICO started an investigation on its own initiative into the three major Credit Reference Agencies ('CRAs') in 2018 under the Data Protection Act 1998. The investigation was paused and then resumed after the GDPR entered into force, so that the violations would be addressed under the modern data protection regime rather than a historical legal position, given the importance and relevance of such processing activities.

The processing in question is on a very large scale (roughly 50 million people resident in the UK, with more than 500 attributes for each person). Experian acquired this information from a variety of sources, and it also includes credit reference data, which could lead to unexpected and 'invisible' processing activities. Experian uses this data to offer a variety of marketing-led products (e.g. Mosaic and Channelview), which are sold to third parties to enable more targeted and effective direct marketing to data subjects.

Having found several violations of the new Regulation, the Commissioner issued a Preliminary Enforcement Notice to Experian on 17 April 2019. Afterwards, Experian collaborated with the Authority and provided further details and documents in order to make the improvements requested. On 20 April 2020, a revised Enforcement Notice was proposed.

The ICO had to determine whether all the information required by Art. 13 and 14 of the GDPR was clearly communicated to the data subjects involved in the processing activity carried out by Experian. The Authority then had to establish whether the lawful grounds used by Experian and its suppliers were correct and understood by the data subjects involved.

The ICO found three main categories of failures in Experian's approach to data protection compliance:

1. Transparency and fairness

The privacy notice and the Consumer information portal ('CIP') drafted by Experian were insufficiently clear in explaining how data is collected, processed and sold, in particular in relation to the credit data us

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Related Enforcement Actions (0)

No other enforcement actions found for Experian Limited in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

12 October 2020

Authority

Information Commissioner's Office

GDPRhub ID

gdprhub-2837

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0

Cite as: Cookie Fines. Experian Limited - United Kingdom (2020). Retrieved from cookiefines.eu
