Under the enforcement notice, Experian will be forced to make wholesale changes to the way it handles personal data.
Experian has been told to stop using any credit-derived data for direct marketing and to stop processing any personal data that cannot be shown to have come from GDPR-compliant sources.
Within three months it will also have to set up an ‘at a glance’ illustration of how it uses people’s information and make it clearer how this is used to build a profile of a person.
The Information Commissioner’s Office (ICO) originally began its investigation in 2019, but said the complexity of the issues involved meant it had taken up until now to make a decision.
Experian reacted angrily to the notice, which it said affected only 1% of its revenue.
Brian Cassin, chief executive, said: “We disagree with the ICO’s decision today and we intend to appeal.
“At heart, this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements.
“This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.”
Experian uses long-standing publicly and commercially available sources to build its marketing products, such as the edited Electoral Roll, the UK Census and market research data, Cassin added.
“We develop statistical models from data to infer insights useful to businesses and public bodies in order that they can function more efficiently.
“We do not track internet activity nor do we collect actual consumer purchases, behavioural data or actual preferences, nor is there any location tracking of individuals.”
Cassin added that businesses hardest hit by the COVID-19 outbreak would be the worst affected by the ICO ruling as 30% of marketing services income comes from the retail, leisure, automotive and travel sectors.
Experian’s turnover in the year to March 2020 was US$5.2bn.