Experian has been collecting and using people's personal data without their knowledge, the Information Commissioner's Office (ICO) has revealed.
The ICO's two-year investigation into Experian, Equifax and TransUnion found 'significant data protection failures' at each of the firms.
While Equifax and TransUnion made adequate improvements, the ICO doesn't believe Experian has gone far enough.
The firm now has nine months to make changes or it risks facing further action.
Here, Which? explains five things you need to know about the investigation and how to protect your data.
Experian, Equifax and TransUnion are credit checking agencies that collect, rate and store financial information about you.
This data is then used by lenders to inform their decision-making process as to which loans, credit cards or mortgages they will offer you.
The ICO's investigation found that the three firms were 'trading, enriching and enhancing people's personal data' without their knowledge - also known as 'invisible' processing.
'This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people,' the ICO explained.
Millions of adults are thought to have been affected.
The ICO also found that each of the credit reference agencies was not clear enough about how it used people's data.
All three of the companies used personal data for marketing, and some of them used 'profiling' to generate new or previously unknown information about people.
The watchdog expressed concerns that people have no choice about whether their data is shared with Experian for credit referencing purposes, and that Experian's processing of this data for marketing purposes is unexpected.
Though all three agencies made improvements in response to the ICO's investigation, Experian didn't go far enough.
Experian didn't accept it was required to make the changes set out by the ICO, and wasn't prepared to issue privacy information directly to individuals. It also didn't agree to stop using credit reference data for direct marketing purposes.
As a result, the ICO served Experian an 'enforcement' notice.
Experian must inform people that it holds their personal data and how it's using it or intends to use it for marketing purposes within nine months or it will risk further action.
Experian must also stop using personal data it collects from the credit referencing side of its business for direct marketing purposes by January 2021.
The ICO can issue fines of up to £20m or 4% of the organisation's total annual worldwide turnover for data protection breaches.
Your data may have been passed on to other organisations by the credit checking agencies.
The ICO said the shared data was used by organisations to find new customers and identify the people most likely to be able to afford goods and services.
Though Equifax and TransUnion have removed some of their products, Experian has not agreed to stop using credit referencing data for direct marketing purposes, which means your data might still be being misused.
It's worth noting that the ICO's investigation looked at offline data marketing only, such as postal, telephone and SMS communications.
The ICO has a separate investigation into the online advertising industry.
The ICO said some of the credit agencies used 'profiling' to generate new information about people.
Profiling is when companies use algorithms to get information on you.
The analysis reveals links between your different behaviours and characteristics to create a personalised profile of your preferences.
It's used to put you into a certain category or group, in order to make assessments about things such as your health, economic situation, interests or location.
These groups can then be targeted with direct marketing.
The ICO warns that profiling is often privacy-invasive and you should be made aware if profiling is being carried out.
Experian has to respond to you without delay and at the latest within one month, starting from the day it receives the subject access request (SAR). You can then ask Experian to erase the data it holds on you.
You also have the right to object to profiling, including profiling used for direct marketing purposes.
Companies that carry out this type of data processing must have a procedure in place which explains how you can challenge, edit or withdraw consent.
Ask Experian for a copy or link to its procedures to appeal profiling and automated decision making.
If Experian receives an objection to processing personal data for marketing purposes, it must ensure that your personal data is no longer processed for such purposes.
Brian Cassin, Experian's Chief Executive Officer, says: 'We disagree with the ICO's decision today and we intend to appeal. At heart, this is about the interpretation of GDPR and we believe the ICO's view goes beyond the legal requirements.
'This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.'
Information Commissioner, Elizabeth Denham said: 'Our investigation has changed the way credit reference agencies operate their offline direct marketing services.
'It has found invisible processing, allowing people to better understand how their data is being used, meaning people can exercise their privacy and data protection rights.