What the Experian tribunal ruling means for direct marketers
If your marketing team uses third-party data for audience targeting, ABM programs, or direct mail, you operate in the same regulatory environment this ruling addresses. The Experian First-tier Tribunal decision is one of the most consequential rulings on GDPR legitimate interest direct marketing in the UK, and its implications extend well beyond credit reference agencies. Privacy considerations around the Experian appeal touch every organization that builds audiences from data it did not collect directly from data subjects.
This article covers three things: the Tribunal's findings on legitimate interest under GDPR Article 6(1)(f), the Article 14 transparency requirements that tripped Experian up, and what both mean for marketing teams that use data brokers, intent data aggregators, or third-party data providers. The ICO has taken enforcement action against over 100 businesses for violating data protection regulations, and the Experian ruling sets a precedent for how those enforcement actions will be evaluated on appeal.
When the ICO issues an enforcement notice, the receiving party has 28 days to appeal to the First-tier Tribunal for Information Rights, which sits in the general regulatory chamber of the UK's legal system. The Tribunal reviews the ICO's interpretation of the law and can uphold, modify, or overturn the notice. Tribunal appeals matter because they allow the ICO's rulings to be tested against both the interests of industry and the expectations of the data subjects the law is designed to protect. Practitioners who use third-party data for audience targeting, intent data, or direct marketing programs need to understand both the legitimate interest ruling and the transparency obligations it reinforces.
The ICO investigation into credit reference agencies
In 2018, the ICO audited the direct marketing practices of three major Credit Reference Agencies (CRAs) in the UK: Equifax, TransUnion, and Experian. The purpose was to assess compliance with UK data protection law. The initial ICO investigation report found a fundamental lack of transparency across the CRA sector, concluding that consumers were unaware their credit reference data was being used for marketing purposes.
The ICO enforcement notice against Experian was issued on October 27, 2020, under Section 149 of the Data Protection Act 2018, following a two-year investigation covering all three bureaus. The ICO enforcement notice documented what regulators described as "invisible processing" (processing where data subjects have no knowledge their personal data is being used in a particular way). In Experian's case, personal data originally collected for credit referencing purposes was used to build commercial profiles sold to third parties, including commercial organizations, political parties, and charities, without data subjects ever knowing their data was being used this way.
Both Equifax and TransUnion opted to withdraw non-compliant products rather than face formal enforcement action. Experian appealed, which led to a ruling from the First-tier Tribunal for Information Rights. The Tribunal was critical of aspects of the ICO's investigation and ruled in Experian's favor on several points, including the use of legitimate interests for direct marketing purposes. However, the Tribunal also upheld significant transparency failures. The ICO enforcement notice appeal process in this case produced a nuanced outcome that has become a reference point for the entire data-broking industry.
Legitimate interest as a lawful basis for direct marketing
Understanding the legitimate interests test
Under GDPR Article 6(1)(f), legitimate interests is one of six lawful bases for processing personal data. To rely on it, a data controller must satisfy a three-part test:
Purpose test: Is there a legitimate interest being pursued by the controller or a third party?
Necessity test: Is the processing necessary for that purpose, or could the same goal be achieved through less intrusive means?
Balancing test: Do the legitimate interests override the interests, rights, and freedoms of the data subjects?
The balancing test is where most disputes arise. Controllers must weigh the benefits of the processing against its privacy impact on individuals. A context-driven assessment is required: processing that benefits data subjects in concrete ways is more likely to pass the balancing test than processing that serves only the controller's commercial interests.
How the Tribunal applied it to Experian
The ICO's enforcement action against Experian centered on the argument that Experian's Legitimate Interest Assessment (LIA) did not adequately account for data subjects' interests. The Tribunal disagreed. It found the ICO had not fully accounted for the genuine benefits that direct marketing profiling can deliver to consumers. Experian's examples were concrete: the profiling helped ensure individuals were not offered financial products they could not afford, prevented underage individuals from being targeted with gambling offers, and helped identify households in fuel poverty so utility companies could provide support.
These are not abstract benefits. They represent cases where GDPR legitimate interest direct marketing processing produced outcomes that were directly positive for the data subjects being profiled. The Tribunal found that when processing has this kind of positive consumer impact, it can satisfy the requirements of the legitimate interests balancing test.
Why this matters: This decision strengthens the legal foundation for legitimate interest as a lawful basis in direct marketing, with concrete examples of when the balancing test can be met. For the data-broking industry more broadly, as Pinsent Masons has noted, this ruling is precedent-setting on whether commercial profiling can be justified under legitimate interests without explicit consent. Marketing teams using third-party data providers should review whether their data provider has conducted a Legitimate Interest Assessment and whether their own use of that data passes the same three-part test.
Article 14 GDPR and the transparency obligation for indirect data
While the Tribunal ruled in Experian's favor on legitimate interest, it upheld the ICO's findings on transparency. The ruling found, per the Tribunal, that Experian failed to notify 5.3 million data subjects that their personal data was processed from publicly available sources, in clear contravention of Article 14 GDPR indirect data processing requirements.
Article 14 applies whenever personal data is obtained from a source other than the data subject directly, such as the electoral roll, Companies House records, or third-party data providers. It requires that data subjects receive a privacy notice explaining who is processing their data, for what purpose, and on what lawful basis. The Tribunal found Experian's failure to provide these notices to 5.3 million individuals was a material breach, even though the processing itself (under legitimate interests) was lawful.
Why this matters: Transparency is a key principle of data protection law and is the cornerstone of this whole case. The decision by the Tribunal reinforces:
The need for a fair, clear, and transparent notification program
That data subjects must be aware of your company's processing activities
That data subjects must understand the purpose of the processing
For marketing teams, the Article 14 implications are direct. If your programs use data from third-party providers, data brokers, or public sources, Article 14 requires that data subjects have received appropriate privacy notices. The data provider's obligation and the data controller's obligation are distinct: using a compliant data provider does not automatically satisfy your own Article 14 obligations. Your organization, as the data controller, carries independent responsibility for ensuring data subjects have been notified.
The Tribunal also found it would be unlikely for any of the 5.3 million data subjects to successfully claim damages over Experian's Article 14 failure, following the Lloyd v. Google decision by the UK Supreme Court, which set a high bar for individual data protection claims without proof of material damage.
What the ruling means for your data and marketing programs
The Experian ruling has three practical implications for marketing teams that build audiences from third-party data.
The first is about lawful basis. If your marketing team uses third-party data providers for audience targeting, ABM lists, or direct marketing, you should review whether your data provider has conducted a Legitimate Interest Assessment and whether your own use of that data passes the three-part test. The Tribunal's ruling confirms that GDPR legitimate interest direct marketing can be a valid lawful basis, but only when the processing genuinely benefits data subjects and is conducted transparently. A provider's LIA covers their processing; it does not extend to yours.
The second is about transparency as a compliance checkpoint. The Article 14 transparency failure was the most consequential finding in this ruling. Marketing teams that build audiences from public sources, intent data aggregators, or data enrichment providers should audit whether data subjects have received appropriate privacy notices, not just whether the data provider claims compliance. The controller's obligation is independent and cannot be delegated to the supplier.
The third is about choosing a data foundation that takes compliance seriously. ZoomInfo is an all-in-one AI GTM Platform built on a compliance-first infrastructure. Its data foundation spans 500M contacts and 100M companies, verified through multi-source processes including 300+ human researchers. That data foundation is backed by ISO 27001, ISO 27701, SOC 2 Type II, and TRUSTe GDPR/CCPA certifications, a compliance infrastructure directly relevant to the transparency and lawful-basis standards the Experian ruling reinforces. ZoomInfo serves 35,000+ companies, including 1,921 customers spending $100K+ per year, and the compliance certifications are a core part of why enterprise marketing teams trust the data in their programs.
The GTM Context Graph processes 1.5B+ data points daily, fusing B2B data with CRM data, conversation intelligence, and behavioral signals into a unified reasoning layer. That scale of data processing is only sustainable when the underlying data infrastructure meets the transparency and lawful-basis standards this ruling describes. GTM Studio gives marketing and RevOps teams the ability to build audiences and launch programs from compliant data signals without engineering dependencies, and the APIs and MCP access lane extends that same compliant data to custom tools and AI agents.
To see how ZoomInfo's compliance-first data foundation supports your GTM programs, see ZoomInfo in action.
What happens next after the Tribunal ruling
The revised Decision Notice requires that Experian stop processing data of consumers who have not received a privacy notice. No monetary penalty is included in the revised Decision Notice. If the ICO's notice had been upheld in full, the ICO could have imposed a fine of either £20m or 4% of Experian's total annual worldwide turnover. Based on Experian's reported annual revenue, the ICO claimed more than £208m could have been demanded.
It is worth noting that Experian's financials are reported in USD while any ICO fine would be denominated in GBP, so direct currency comparisons in press coverage of this case should be read with that in mind.
At the time of the ruling, the ICO was still considering whether to appeal the Tribunal's decision within the 28-day window available to it. The current decision, as issued by the Tribunal, stands unless and until a further appeal changes it.
Please note that the above is for informational purposes only. ZoomInfo is not qualified to provide legal advice of any kind and is not an authority on the interpretation of US or international laws, rules, or regulations. To understand how the GDPR, EU marketing laws, or any other laws impact you or your business, you should seek independent advice from qualified legal counsel.
Frequently asked questions
Does the Experian Tribunal ruling affect how B2B marketers can use legitimate interest?
Yes. The ruling confirms that legitimate interest under GDPR Article 6(1)(f) can be a valid lawful basis for direct marketing data processing, but only when the processing genuinely benefits data subjects and passes the three-part test (purpose, necessity, balancing). Marketers using third-party data for audience targeting should ensure their data provider has conducted a Legitimate Interest Assessment and that their own use of the data passes the same test. The provider's LIA does not cover the controller's downstream use.
What does Article 14 GDPR require for third-party data used in direct marketing?
Article 14 GDPR indirect data processing requirements apply whenever personal data is obtained from a source other than the data subject directly, such as public records, data brokers, or third-party providers. The Tribunal found Experian failed to notify 5.3 million data subjects whose data was sourced from the electoral roll and other public sources. For marketing teams, this means using a compliant data provider is necessary but not sufficient: the data controller also carries its own Article 14 notification obligations, independent of the supplier's compliance posture.
Can businesses still use legitimate interest as a lawful basis for direct marketing after the ICO Experian case?
Yes. The First-tier Tribunal ruled in Experian's favor on the legitimate interest question, finding the ICO had not fully accounted for the benefits of direct marketing to data subjects. The ruling strengthens the argument that GDPR legitimate interest direct marketing is a valid lawful basis when the processing has a positive impact on consumers and the balancing test is met. However, the Tribunal also held Experian accountable for transparency failures, so legitimate interest and Article 14 compliance are both required: passing one does not excuse failing the other.
What is the ICO enforcement notice process and how can businesses appeal?
When the ICO issues an enforcement notice, the receiving party has 28 days to appeal to the First-tier Tribunal for Information Rights. The Tribunal reviews the ICO's interpretation of the law and can uphold, modify, or overturn the notice. In the Experian case, the Tribunal modified the enforcement notice, ruling in Experian's favor on legitimate interest while upholding the transparency failures. The ICO can also pursue an ICO enforcement notice appeal of the Tribunal's decision within 28 days of the ruling.
Does opting out of Experian's data processing affect your credit score?
No. Experian explicitly states that opting out of the sale of personal information and targeted advertising processing is entirely separate from the credit report dispute process and will not affect a consumer's credit score. The privacy opt-out covers commercial data use, not credit referencing. A privacy appeal under GDPR or UK GDPR is a different mechanism from a credit-accuracy dispute filed through the Dispute Center, and the two processes operate independently of each other.
