UK ICO Issues Enforcement Notice To Experian: Ten Lessons For Data Brokers

Fox Rothschild LLP

Fox Rothschild LLP

The UK Information Commissioner's Office recently issued an enforcement notice against Experian under the General Data Protection Regulation (GDPR) in connection with its actions as a data broker related to direct marketing.

Here are 10 key takeaways for data brokers and businesses in general:


  • If you have particularly complex processing, your Article 13 notice should have explanatory examples.
  • Placing a big advertisement or undertaking a mass postal mailing does not necessarily meet the Article 14 notification requirement.
  • Just because there are lots of people and mass processing doesn't mean it is a disproportionate effort to notify for the purpose of the Article 14 exception. This is especially the case if it is lots of people you haven't notified in a number of years.
  • Conducting a survey with the target audience regarding how easily understood your privacy disclosures are can be very helpful. However, this is only effective if you position the privacy notice text against an explanation and check whether what people thought they understood from the text actually matches what you do.
  • All important and surprising Article 13-14 information needs to be on the suppliers' first layer of disclosure; a link to the data broker's privacy notice is not enough.

Legitimate Interest / Legal Basis

  • It is generally not possible to rely on legitimate interest as the GDPR legal basis when you are profiling individuals for the purpose of marketing.
  • Even if you are using the right legitimate interest analysis template, in order for the analysis to work, the balancing must correctly weigh the interests of controller vs. the individual.
  • Even just screening someone out of receiving certain marketing materials based on certain criteria still constitutes marketing purposes.
  • If your suppliers collected information based on consent, you can't then further process this information under legitimate interest as your legal basis.

Data Broker Sources

  • Data brokers need to vet their suppliers re: compliance with data protection laws when procuring the information.
  • Data brokers must audit compliance by their suppliers regularly.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.