- The ICO served credit agency Experian with an enforcement notice, ordering it to change the way it handles its data broking business.
- Data broking is the process of companies acquiring people’s data, assigning it to a profiled dataset, and then selling it on to marketers.
- The ICO’s decision has the potential to significantly disrupt the way data brokers are able to acquire and share people’s data en masse.
Credit agency Experian got slapped on Tuesday with an enforcement notice from the UK’s data watchdog, the Information Commissioner’s Office (ICO). The notice informed Experian that it will have to “make fundamental changes to how it handles people’s personal data” because of its business as a data broker.
The enforcement notice is the culmination of a two-year investigation, which was sparked by a 2018 complaint from digital rights nonprofit Privacy International.
Although it doesn’t come with an immediate fine – Experian has nine months to comply or face a penalty of up to £20 million ($25.7 million) – it has the potential to significantly shape how companies hoover up, package, and sell on your personal data in future.
What are data brokers?
Due to Facebook, Google, and Amazon taking up headline space on stories about hoovering up your digital footprints, data brokers such as Experian tend to fly under the radar.
They are, however, an integral part of the adtech economy, as they do a huge amount of the legwork that lets companies microtarget you with ads.
It works like this: data brokers assimilate vast amounts of people’s personal data. They then place you in distinct profile “sets”, which can be used to target digital marketing at you. These profile sets are then sold on to the marketing companies that deploy them.
Caroline Wilson Palow, legal director and general counsel at Privacy International, told Business Insider: “That data then becomes the basis of how those businesses choose to advertise to you on a platform like Facebook, when they’re bringing that data into Facebook, as opposed to using Facebook’s [own] data.”
The names of some of these profile sets, which were unearthed in Privacy International’s original 2018 complaint (page 56), offer some insight into the assumptions Experian makes about people using categories such as their age, income bracket, and internet usage.
Examples include: “Uptown Elite,” “Bank of Mum and Dad,” “Classic Grandparents,” “Childcare Squeeze,” and “Asian Heritage” (which Experian describes as “Large extended families in neighborhoods with a strong South Asian tradition”).
A “serious breach” of people’s rights
Although the ICO’s enforcement notice was focused on Experian, it highlighted what the watchdog views as serious problems with the data broking industry: namely, that it acquires and passes on people’s data without enough checks and balances, and without obtaining proper consent.
The information commissioner, Elizabeth Denham, said in a statement: “The data broking sector is a complex ecosystem where information appears to be traded widely, without consideration for transparency, giving millions of adults in the UK little or no choice or control over their personal data. The lack of transparency and lack of lawful bases combined with the intrusive nature of the profiling has resulted in a serious breach of individuals’ information rights.”
Palow added that from a privacy perspective, data brokers pose a particularly large threat because they are generally opaque organisations that people aren’t aware of in their daily lives.
“It’s [a] lack of transparency and the fact that they’re not household names that make them such a big problem,” she said. “People just don’t understand that they’re collecting their data and that that data collection can have such major impacts on their lives.”
Facebook and Google are more transparent in the sense that most people know about them, she added. “They expect that they do have their data.”
Another cause for concern is that data brokers are no longer just selling people’s data on to advertisers. As Palow notes: “We know that data brokers’ data has fed into how political campaigns decide who to target and even how to craft their messages […] even more troubling now it’s started to be used in some cases by law enforcement.” Police can glean facial recognition data from data brokers, she adds.
What will the new ruling change?
The first part of the ICO’s ruling orders Experian to inform people that it has their data, and to tell them exactly how it plans to use it or sell it on for marketing purposes.
The ruling could also set a precedent by stopping companies from taking data from a different part of their business and quietly selling it on as data brokers.
Another significant part of the ICO order means that from January 2021, Experian won’t be allowed to take data from the credit referencing side of its business and fold that into its data broking business.
Palow said this is significant, because people who give their data over to Experian to get a mortgage or a credit card don’t realise it could then be repurposed for data brokerage.
The ICO also found Experian was buying up data from other sources, for example other data brokers, without obtaining sufficient consent from people – i.e. they had no say in whether that data could be sold on to Experian.
Experian is appealing against the ICO’s decision so there’s a chance it could weaken the enforcement notice, but it’s still got huge potential to set the tone for how governments rein in data brokers.
Palow is encouraged by the ICO’s decision. She said: “I think that the enforcement notice is pretty powerful.” She believes it could set a good international precedent, which is essential given that data brokerage is rapidly expanding in many countries.
“They [data brokers] are based all around the world because I think a lot of companies are seeing that this is quite big business now, to collect the data in all its forms,” she added.
The ICO’s findings were an interpretation of GDPR, Europe’s strict overarching data protection laws, which came into force in 2018. This means they have the potential to quickly set an international precedent within Europe.
If similar rulings start to snowball elsewhere in the world, it might not be long before smaller, little-known data brokers face the same intense scrutiny reserved for the likes of the big tech platforms.