How credit reference agencies make you the product

If you've voted, had a credit card or just a bank account, data about you is being bought and sold
Megan ThomasResearcher & writer
Someone checking a credit score on their phone

From every purchase you make to every social media update you post, there's a constantly growing portrait of you, made up of data.

Credit reference agencies (CRAs) have been working behind the scenes of every significant financial milestone of your life – from when you opened your first bank account to when you last moved house – and collecting records of data.

These firms receive and share information with banks and other financial institutions, so lenders can assess how risky it would be to lend to you. They also produce your credit scores and reports – each slightly different – which tell you what information they hold about your credit history and how lenders might see you.

But your credit score is just the tip of the iceberg. CRAs also run marketing services that use your data, so there might be more details than you expect in your personal data file.

We've examined privacy policies and made subject access requests to uncover how your personal data is sold and used.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

What credit reference agencies know about you

All three of the major CRAs – Experian, Equifax and TransUnion – have some form of marketing services, but their scope is very different.

The most limited, TransUnion, only validates information and matches identities, while Equifax models a few additional characteristics from the credit data, such as gender and marital status. 

Experian has the broadest range of modelled data and additional ‘propensities’, which are measures of how likely they estimate you are to do or be certain things. 

There are as many as 370 modelled data points about an individual, covering everything from how much energy you use to how likely you are to pay for financial advice.

Which type of person are you?

As well as modelling specific characteristics, Experian Marketing Services places you into different ‘segments’ with people it thinks are similar to you.

Experian has two different segmentation databases: Mosaic (which has standard, ‘digital’, and ‘shopper’ variations) and the Financial Strategy Segments (FSS 4).

Here are four examples, with wording from Experian and illustrations by Which?:

Two examples of Experian's Mosaic segments: 'Midlife renters' and 'Families on a budget'
Two examples of Experian's Mosaic segments: 'Empty-nest adventures' and 'Local focus'

The data could show, for example, that you're in the FSS 4 ‘dual-pension freedom’ segment, described as ‘content retired couples owning average-value homes whose double pension income gives them a comfortable standard of living’.

But companies will receive much more detail on the segments. People in the ‘dual-pension freedom’ category were noted as having 'the highest uptake of boiler insurance', while 'the NS&I website is the financial site most likely to be visited'.

The Mosaic segments focus more on shopping habits and responsiveness to different forms of advertising. Each category features aspects such as online activity, education levels and likely modes of transport.

How businesses use the data they buy

The data received by a customer of the CRAs will depend on the extent of their contract.

It could be a list of names and addresses of potential customers who fit certain requested criteria, extracts of the full database or matching the attributes and ‘propensities’ with an existing customer list. 

Experian has more than 1,600 marketing clients across a range of sectors, the largest of which is retail. 

Experian data is also used by charities and local authorities, for example StepChange Debt Charity used segmentation to find the UK constituencies and wards where people struggle most with debt problems.

EXAMPLE - How your data could be used

Say you bought an alarm clock from a company called Hull Homewares. It would then have a record of your name and address from a transaction.

As a client of Experian’s, Hull Homewares might provide it with a list of customers – now including you – and ask for greater detail on how to target these customers with future offers. Experian could add on the segment data and other modelled characteristics. 

This data tells Hull Homewares you're likely to live in a three-bed house with a garden, have a high disposable income and engage with branded email - so it now considers you the ideal candidate to receive an email advertising its range of garden furniture.

How do credit reference agencies get your data?

With all three CRAs, your credit information or transactions are not directly passed on to marketing clients. 

However, clients of both Equifax and Experian use information such as a negative credit payment or a county court judgment to remove people from certain financial advertising campaigns, a practice that aims to prevent harm to the recipient.

This data is only shared with members of the Credit Account Information Sharing service (CAIS) – the financial services that give and receive the credit information.

Equifax and Experian take your name and address from their credit reference data and use it to derive further information. So, name, address and date of birth lead them to information about the household, for example length of residence, and other factors such as marital status and gender. 

Equifax doesn’t use this credit-derived data for direct marketing, nor does it sell email or telephone marketing lists. 

Experian data that comes from its CRA business is ‘non-prospectable’, meaning your name and address wouldn’t be passed on to Experian clients that don’t already have it.

The regulator gets involved

CRAs’ marketing businesses haven’t gone unnoticed by the regulator. In 2020, the Information Commissioner’s Office (ICO) published an enforcement notice ordering a change to CRAs’ direct marketing practices but Experian fought this in court, partially winning its appeal. 

The First-tier Tribunal ruled that Experian gave adequate notice to the approximately 51 million consumers whose data was collected for credit report services and was being processed through its Consumer Information Portal. 

But it said Experian had failed to give adequate notice to the approximately five million people whose data had exclusively been gathered from other sources such as the open electoral register and ordered it to do so within three months. 

The ICO appealed this in the Upper-tier Tribunal, but they agreed with the original ruling.

‘We welcome the Upper-tier Tribunal’s decision. As we have stated throughout these proceedings, we remain deeply committed to transparency, safeguarding privacy and helping consumers to better understand and control the use of their data.’

Experian spokesperson

Why a subject access request isn't a magic bullet

You might recall politician Nigel Farage using a subject access request (SAR) to reveal internal NatWest communications about him last year.

In theory, a SAR should reveal what a company knows about you. But in reality we encountered endless barriers.

We found some of the details of what's included in personal data files by submitting SARs to credit reference agencies. But when we submitted 11 SARs to Equifax as part of our research, we found the process confusing and difficult. 

After filling in the initial form with details and address history, nine of our volunteers were told their identity couldn’t be verified and were asked to submit ID documents.

Our volunteers were then asked to make a help account and then raise a case to upload their verification documents. Several volunteers were confused at this point and didn’t know how to provide the information. 

Once we'd provided the verification documents and Equifax had approved them, we were given no information on how to follow up on the SAR. Many volunteers gave up here.

When trying to follow up to make the SAR request, we found that we couldn't log in because we couldn't set login details, nor could we submit a new registration because our details were already registered. 

Caught in a Catch-22, the rest of the volunteers stopped here.

I continued and made repeated requests over the phone and online to Equifax's customer service. I told them I was having issues with the subject access request specifically, but any attempts to help referred to the online help account or MyEquifax – completely different and unconnected services.

My fifth online help case was successful, at which point my request was submitted and I received my SAR information three weeks later.

To protect customers, a robust and secure authentication process is needed to handle these requests. Our system is designed to streamline the user journey without the need to manually upload ID, although in a small minority of cases additional verification is needed to safely authenticate a customer.

Equifax UK spokesperson

How to limit the use of your data

You can't opt out of the core functions of the credit reference agencies – using your data to assess how risky it would be to lend to you, or to confirm your identity – but you can stop your data being used for marketing purposes. 

  1. Make a subject access request - You should be able to contact a company through any means and request to see your data, at which point you'll need to give basic details and your address history, as well as potentially verifying your identity with a passport copy or bill.
  2. Opt out of marketing services - The credit reference agencies make it easy for you to opt out of marketing services; they’ll mark your personal file as ‘non-prospectable’. For Experian visit experian.co.uk/cip, for Equifax visit equifax.co.uk/ein, and for TransUnion email [email protected].
  3. Take your name off the open electoral register - This is available for anyone to buy, and provides a key source of names and addresses for marketing firms. You can opt out of it by going to gov.uk/register-to-vote or contact your local electoral registration office. Opting out from the open register won’t affect your right to vote.
  4. Change your online settings - You can turn off personalised ad profiles on Google and social media websites. These are used extensively by companies to collect data about your interests.
  5. Avoid data broking websites - Online competitions, offer websites or ‘lifestyle clubs’ are common sources of information for data brokers who gather IP and email addresses.

More on this

Related articles