ICO publishes direct marketing data broking compliance report

On October 27, 2020, the Office of the UK Information Commissioner (“ICO”) released a report following its investigation into data protection compliance in the direct marketing data brokerage sector, together with details of its enforcement action against Experian. During the investigation, the ICO audited the direct marketing data brokerage businesses of the UK’s three largest credit reporting agencies (“CRAs”) – Experian, Equifax and TransUnion – and found significant data protection failings “deeply embedded” within each of the companies.

Data brokerage is the process of collecting and combining personal data from various sources and selling or granting other organizations access to this aggregated data. The data may be in the form of lists of people’s names and contact details, or more detailed profiles of people, including information such as their preferences and habits. The ICO’s investigation focused specifically on “offline” marketing services such as post, telephone and SMS marketing.

As part of the ICO’s work prior to the implementation of the EU General Data Protection Regulation (“GDPR”), a map of the trade in personal data within the UK was created, identifying several “hubs” through which large amounts of personal data flowed. The three CRAs examined in this investigation were three such hubs.

The ICO found that the data of almost all adults in the UK was processed by at least one of the CRAs for direct marketing services, including data provided for credit referencing purposes required by law. In addition, this data was at times used to derive new information about individuals that, according to the ICO, may compromise privacy. The data was used by commercial organizations, political parties and charities and, in general, the data subjects were not aware of this processing.

The ICO commented: “The data brokerage sector provides a valuable service in supporting organizations across the UK. Products designed for marketing purposes can have benefits beyond just sending out promotional materials. Sometimes they are used to help organizations such as charities, health officials, and law enforcement agencies target resources to a specific area. However, the sector does this by processing large amounts of data from people, often in order to profile them, and usually without any direct relationship with the people on whose information it relies.”

The ICO report focused specifically on the transparency of the processing, the appropriate legal basis for the processing and the use of credit reference data for direct marketing. The ICO’s main findings were:

  • The CRAs’ privacy information did not explain the processing clearly, resulting in a lack of transparency. The information was not prominent and did not clearly explain how the data was collected, where it was obtained from, how it was processed, or how it was sold.
  • With regard to their direct marketing services, the CRAs did not provide data subjects with the information required under Article 14 of the GDPR and incorrectly relied on the Article 14 exemptions that apply when the data subject already has the relevant information or when providing it would involve disproportionate effort. The CRAs relied on the privacy notices of the third parties who supplied them with personal data, and those notices did not clearly draw attention to the processing carried out by the CRAs for direct marketing purposes. This resulted in “invisible processing” that the ICO deemed unlikely to be fair and not within the reasonable expectations of an individual. The lack of Article 14 information also made it difficult for individuals to exercise their rights under the GDPR. The ICO noted that this lack of awareness also prevented it from relying on its usual indicators of public opinion, such as the number of complaints submitted. In response to the CRAs’ claim that providing privacy information would be a disproportionate effort (given the large volume of personal data and the costs involved), the ICO noted that a very large number of affected people is not, in itself, the determining factor in concluding that it is disproportionate to inform them about the processing, as this would create a “perverse incentive” for organizations to collect as much data as possible.
  • Personal data collected for credit referencing purposes was used without the consent of individuals for limited direct marketing purposes. The ICO stated: “The central role of credit rating agencies in the financial sector puts them in a position of trust and this brings responsibility.” This means that CRAs are held to a high standard of accountability, transparency and fairness. The use of personal data collected for credit referencing purposes required by law for secondary direct marketing purposes was deemed neither fair nor appropriate.
  • The consents relied on by Equifax, which were generally obtained from third parties on Equifax’s behalf, were not valid under the GDPR. These consents were neither informed nor specific.
  • With regard to direct marketing services, the legitimate interests assessments carried out were not correctly weighted. They gave little weight to the fact that large amounts of personal data were processed in a very targeted manner, that people were profiled and that the processing was not transparent.
  • In some cases, personal data obtained on the basis of consent was subsequently processed on the legal basis of legitimate interests. The ICO confirmed that when data is collected or passed on for direct marketing purposes on the basis of consent, consent is also the appropriate legal basis for subsequent processing for direct marketing purposes. It also pointed out that a change of legal basis would misrepresent the level of control and the nature of the relationship with the individual and undermine the right to withdraw consent. This in turn would inevitably tip the legitimate interests balancing test against the CRA. The ICO asked Experian to delete all data provided to it on the basis of consent that it later processed on the basis of legitimate interests.

Equifax and TransUnion have since changed their practices at the request of the ICO, including withdrawing certain products and services from the market, although they do not accept that their practices violated data protection law. Experian fared better, but the ICO still considered its processing of personal data as part of its marketing services to be non-compliant. The ICO issued an enforcement notice requiring Experian to bring its remaining practices into compliance. Experian has announced that it will appeal the enforcement notice.

Separately, the ICO is investigating the data processing activities of participants in the online advertising industry (Adtech) and is continuing its investigations into three other large data brokers. Additionally, the ICO is conducting a criminal investigation into the trafficking of personal data illegally sourced from the auto accident repair sector and sold to claims management companies, and is investigating possible offences under the Data Protection Act 1998 and the Computer Misuse Act 1990, as well as conspiracy to commit both offences. The ICO is also updating two codes of practice relevant to data brokering under the Data Protection Act 2018: the data sharing code and the direct marketing code. These codes have not yet been laid before the Secretary of State.