Experian is the biggest credit reference agency (CRA) in the UK, providing data used to decide whether you get a mortgage, credit card or loan. But it also has a second, less well understood role.
As well as creating credit reports, Experian is one of the UK’s largest data brokers. Data brokers are companies that buy, combine, enrich, and ultimately sell data, typically for marketing purposes.
That data helps advertisers make guesses about everything from your wealth to whether you own a pet.
It was because of this data-broking role that the Information Commissioner’s Office (ICO) recently investigated Experian, alongside two other CRAs, Equifax and TransUnion. The ICO ultimately ruled that all three were processing data about millions of people without their consent.
Read on to find out what data Experian was sharing, where it gets that data from, and how you can take back control of your data.
Why should you care about your data?
Data has become one of the world’s most valuable commodities, as evidenced by near-trillion-dollar valuations of Google and Facebook.
Meanwhile the loss of data, from emails to bank details, has enriched criminals.
Since 2018, you’ve had the right to be informed about the collection and use of your data – and to correct mistakes or object to its use entirely.
In October last year, the ICO published the results of its two-year investigation into the three CRAs, including Experian.
It found all three had been conducting ‘invisible’ processing, meaning they were collecting and using millions of people’s personal data without their consent for the purposes of postal and phone marketing.
Information Commissioner Elizabeth Denham said: ‘The information the CRAs are privileged to hold for statutory credit reference purposes was unlawfully used by them in their capacity as data brokers, with poor regard for what people might want or expect.’
While Equifax and TransUnion made a number of changes as a result, including scrapping some of the data services they offer altogether, Experian has only partly complied and is appealing against the ICO’s decision, risking a huge fine.
What does Experian know?
To find out exactly what data was being shared, we asked 12 Which? members to make subject access requests (SAR) to Experian and Equifax.
Each file they received from Experian had 31 pages containing personal data and profiling information, compared with just two from Equifax. Experian therefore became the focus of our investigation.
The largest section of Experian’s report was called ‘propensities’, containing a whopping 373 different characteristics for each of our volunteers, across 14 pages.
They vary widely: from your level of education to the type of car you drive; from how much you donate to charity to how likely you are to go to the opera in your spare time.
Every attribute has a specific score against it, which is essentially an estimate of how likely that attribute is to apply to each person. To produce these scores and make the estimates as accurate as possible, Experian uses different combinations of facts that it knows about you.
The scores don’t mean much individually, but if a business has scores for several million customers, it means it can rank them and start to identify the ones most likely to have certain characteristics.
For example, a travel agent promoting its most luxurious holidays might use the scores to target the most affluent 10% of customers with its marketing.
‘Shocked and surprised’
A survey of 1,126 Which? members in November found that 89% of our members had heard of Experian, and as many as 51% said they were aware Experian has a role sharing marketing data.
But few realised just how extensive Experian’s data was.
When one of our members, Ade A., received his marketing file from Experian, he said he didn’t know exactly how the scores were applied, but he was ‘shocked and surprised’ by the number and range of them.
Another member said he was also ‘surprised’ to see certain online transactions in his report, but was less shocked by the rest of the report as he felt that companies having your data is a part of modern life.
The reports also contained estimates on various household attributes, such as the level of affluence and income, the number of children and the number of bedrooms.
Although this data is modelled, volunteers said it was largely correct – especially on facts such as children and bedrooms.
Ade said that the data on income made him feel ‘uncomfortable’, while the accuracy of information on the number of bedrooms and children ‘feels intrusive’.
Does Experian need your consent?
The answer is complicated. In the case of an IP address that the SARs showed it sharing, Experian does have consent and included the source (getyaoffers.co.uk) and supplier (Data Mixx) to prove it.
However, according to the ICO, Experian doesn’t have consent for some of the data in the files that we saw.
In its investigation, the ICO criticised CRAs for using credit data to screen the lists they provide to advertisers: customers with particularly poor credit histories, who wouldn’t be eligible for certain financial products, were removed so that advertisers don’t market to them.
When we made our SARs in November, Experian was still doing this.
Even if, as Experian argues, this may be to the benefit of consumers – as it could avoid promoting products that are ‘inappropriate to the circumstances of the individual’ involved – the CRAs did not have consent from the people involved to use their data in this way, so it was, and still is, unlawful.
Not all data processing needs consent though, as organisations can lawfully argue that processing your data is in their ‘legitimate interest’.
The legitimate interest must be clearly defined, the processing must be necessary to meet this interest, and the company must balance its own interests against the interests, rights and freedoms of the individual.
Experian told us that ‘the proper protection of individual privacy is of paramount importance to us’.
It said it did not track users’ internet activity, behaviour or location, adding that ‘we collect very little actual information about an individual and most of the information an individual would see on their marketing file report is based on modelled data, created by us and is not a statement of fact’.
Where does Experian get your data?
Does Experian track you online?
The ICO’s investigation of CRAs related to their use of data for postal and phone marketing. A separate, wider ICO investigation into online advertising is ongoing.
While the SARs didn’t reveal the full extent of the online information Experian has access to, they did reveal several ways in which it uses digital data.
One way is through a product it calls Club Canvasse, which is essentially a data ‘pool’, through which select home shopping retailers can share anonymised insights about purchases their customers are making.
All the retailers we saw named as part of this ‘club’ mention – in one form or another – sharing your data for profiling or pooling purposes in the privacy policies on their websites (these are legally required). Some even mention Experian by name. However, we found no mention of data sharing when you make a purchase.
Another product involving digital data that we saw Experian offer was matching your IP address – essentially an online ID that is specific to your household – to your home address.
This could prove to be critical for an advertiser, enabling them to combine all the offline profiling that Experian has about your address – like the household attributes and propensities mentioned above – with any data they have about your online activity attached to your IP address, painting an incredibly rich picture about you in the process.
How to opt out
You don’t need to live off the grid or go without a credit report to take back control of your data. You have the right to ask organisations to delete data about you.
Experian, Equifax and TransUnion marketing data
While credit reporting data is exempt, information collected for marketing purposes is not. Experian makes it relatively easy to opt out of this processing on its website. You can also see the marketing segment your postcode falls in, and whether you’re on its ‘marketing services’ file. Equifax, which now holds far less data, advises opting out of the open register, while TransUnion asks you to email it.
Open electoral register
As there are many data brokers, it may be easier to opt out of some of their sources of data. For example, the open electoral register provides a key source of names and addresses for mail marketing. You can go to gov.uk to ensure you are only on the full, private register.
Mailing preference service
You can also opt out of most mail marketing via the Mailing Preference Service (MPS), which is run by the Data & Marketing Association (DMA). Lots of data users like Experian will be members of the DMA, meaning they have to screen out addresses on the MPS.
Competition, comparison and offers websites
If you are concerned about data privacy, you should exercise particular caution on competition, offers or comparison websites. These are common sources of information for data brokers, so pay close attention to their terms and conditions if you don’t want your data to be traded.
First featured in March’s Which? Money magazine