The Genesis of the Dispute: The ICO's Enforcement

The dispute began in October 2020 when the ICO issued an Enforcement Notice against Experian. The regulator argued that Experian's processing of personal data for its marketing services - which involved creating profiles on approximately 51 million UK adults - was unlawful, unfair, and not transparent. The ICO’s case rested on three main pillars: a lack of transparency it termed "invisible processing"; an assertion that Legitimate Interests was not an appropriate lawful basis for such large-scale profiling, and that using data from its core credit referencing business for marketing was fundamentally unfair. The ICO demanded sweeping changes that would have made Experian's marketing business effectively untenable, prompting the company to appeal.

The Tribunal's Rebuke: A "Fundamental Misunderstanding"

The First-tier Tribunal's (FTT) decision in February 2023 was a comprehensive rebuke of the ICO's position. The tribunal found that the ICO had "fundamentally misunderstood the actual outcomes of Experian's processing." Where the ICO saw intrusive and harmful activity, the FTT found a lack of concrete evidence of harm. It recalibrated the debate away from theoretical privacy intrusion towards the tangible, real-world impact on consumers. The tribunal found this impact to be minimal, noting that the "worst outcome" for an individual was likely receiving a marketing leaflet that might align with their interests. Furthermore, the FTT criticised the ICO for a lack of a balanced assessment, ignoring the documented benefits of the processing for consumers (receiving relevant communications) or businesses and charities (more efficient marketing).

Legitimate Interest Vindicated

For marketers, the most significant outcome is the definitive validation of Legitimate Interest as a lawful basis for large-scale offline direct marketing and profiling. The tribunal rejected the ICO’s view that such activities should require consent, providing legal certainty for businesses that rely on LI for analytics and audience segmentation. 

Andy Smith, Managing Director at business data specialist Corpdata is positive about the outcome “Case law was inevitably going to refine the interpretation of the written legislation, and these cases and subsequent appeals provide the clarity that marketers need.”

However, the ruling also strengthens the requirements for Legitimate Interests Assessments (LIAs). A compliant LIA must now be a holistic, evidence-based exercise that actively documents and weighs the benefits for all parties involved - the controller, its clients, and the data subjects themselves.

Fair Processing Notices

Article 13 and 14 of The GDPR (and the UK GDPR) require that a data subject be notified of processing - and their rights - within a reasonable time frame. During proceedings, it was demonstrated that Experian had not sent what has since become known as “Fair Processing Notices”, arguing that it was disproportionately difficult and expensive, and thus not required. The court disagreed with this assessment, which highlights the need for a robust data gathering and notification process.

Critical Boundaries: The "No Switching" Rule and Transparency

While the ruling was a major victory for Legitimate Interests, it also established a critical boundary now known as the "no switching" rule. The tribunal found it unlawful to process personal data under LI when that data had been acquired by third-party suppliers on the basis of Informed Consent. This creates a profound operational requirement for marketers to conduct rigorous due diligence with their data suppliers, requiring warranties about the original lawful basis of collection and implementing internal systems to track this provenance.

On the issue of transparency, the tribunals endorsed a pragmatic, layered approach to privacy notices. They accepted that a controller can meet its obligations by having third parties, who have the direct consumer relationship, include a hyperlink in their own privacy notices that directs individuals to the controller's central, comprehensive information portal. This validates a common industry practice.

[Box Out] Interestingly, the one key area where the ICO’s enforcement was upheld concerned data sourced directly from public records. The tribunals ruled that there is an unambiguous duty to provide a privacy notice to individuals whose data is obtained from sources like the Open Electoral Register.

Conclusion: A Real Opportunity for Marketers

The Upper Tribunal dismissed the ICO's final appeal in April 2024, cementing these findings as legal precedent. For the marketing industry, the message is clear. Legitimate Interest is a robust and defensible basis for marketing, but it must be supported by a balanced, evidence-based LIA. Transparency can be achieved through a layered, user-centric model, but specific obligations for publicly sourced data must be met. Above all, the case demonstrates that a well-prepared, evidence-based challenge can prevail against regulatory overreach, underscoring the power of documenting not just risks, but the tangible benefits of data processing.

For marketing organisations, these outcomes provide a direct route to simplifying operations and reducing costs. The validation of Legitimate Interest removes the immense operational and financial burden of seeking consent for every marketing activity, streamlining campaign time-to-market, and opening up new sources of data. This clarity allows teams to focus resources on delivering value rather than navigating complex compliance hurdles. Furthermore, the endorsement of layered, hyperlinked privacy notices simplifies the challenge of providing comprehensive information without overwhelming consumers, saving time and legal costs. Ultimately, this precedent empowers businesses to pursue more efficient data marketing strategies with greater confidence. This not only improves marketing ROI by reducing wasted spend but also fosters a better customer experience by delivering more relevant communications, enhancing long-term brand reputation and trust.