Experian fined $650K by the FTC and DOJ for spam emails with no opt out (theverge.com)
282 points by rntn on Aug 22, 2023 | 67 comments


I'm happy to see Experian fined. Last year, Experian kept sending me spam with the footer "This is not a marketing email" and I kept trying to unsubscribe. Eventually, I filed a complaint with the Consumer Financial Protection Bureau that this violated CAN-SPAM.

I'd like to think that my report contributed to this fine (although that's probably optimistic). In any event, Experian had to take the time to respond. They also canceled my unwanted "complimentary membership with Experian CreditWorks Basic", which ended the spam. So I recommend filing complaints if appropriate.


Your story sounded vaguely familiar to me, so I just looked in my email archive, and it appears I did the same thing around the beginning of 2021, when Experian also automatically signed me up for "CreditWorks" after I disputed fraud with them[0]. They were sending almost-daily spam. ("Your Dark Web scan is complete!" "Congrats, your membership's been upgraded!" "Important Information about your credit score!")

I wrote to the FTC instead of the CFPB, and got a form letter back for my efforts. Mail from *@*.experian.com is still blackholed, so I guess this is a good reminder that rule is there, if I'm ever required to deal with those assholes again.

[0] Supposed past-due electric utility account in a state in which I've never set foot, let alone owned or rented property. Interestingly, this only showed on my Experian report, but not TransUnion or Equifax, so I'm pretty sure it was a reporting mistake as opposed to intentional identity theft.


Ha! I recall the exact same thing happening to me. I guess they decided that if they sign people up for some nonsense service then there is a "business relationship" and they're free to spam all they want.

glad to see it getting slapped down.


I’ve also had good results from reporting CAN-SPAM violations, or just threatening to. When I get marketing emails without a working unsubscribe link I send a message to customer support saying that I’ll report each subsequent email I get as a violation. In one case the violator didn’t offer email or chat based support so I just reported each email, and they quickly tapered off before stopping entirely.


650k is not even a slap on the wrist for a company the size of Experian.


Under this sort of intense regulatory pressure, the CEO will really struggle to explain the 3 minutes' worth of lost income.


The fine is small contrasted to the bonuses required for the executive team since they had to work extra hard dealing with the fine thing.


Does 650k even cover the cost of labor the government incurred to investigate this and issue the fine?


How do they even come up with such puny fines! 650k is not even a drop in the bucket for them to change their practices :-(


No


not only this but experian lets users sign up without confirming their email address.

someone registered on MY email address and I had to spend about 7 hours on multiple phone calls over a period of 5 weeks in order to get control of an account with my email address, all to turn off their incessant spam.

if you read their TOS technically you have to send a notarized letter with copy of photo ID social security number etc. etc. but thankfully i finally reached a human with a hint of reasonability.


This seems to have happened to me somehow. I was forced to sign up to unfreeze my credit report (after freezing it years ago without an account) and now it has 2FA configured with a phone number that isn't mine. I have no idea how that happened and now I'm concerned that a stranger has control over my account. Hooray!

I tried calling to reset my password, which pointed me back to the website. The only other option is to reset it by mail. Amazing.

Edit: and to top it off, the reset password page references a security question & PIN, without ever asking for those.

> If you do not know your security question or PIN, you will need to contact customer care to reset your password.

Edit 2: I just created a new account with a different email without a hitch. I got an email to the original address saying that there was a change to my account settings, leading me to believe that creating a new account simply changed the email address. Still no email confirmation though.


> if you read their TOS technically you have to send a notarized letter with copy of photo ID social security number etc. etc. but thankfully i finally reached a human with a hint of reasonability.

Does that mean if someone signs you up under a false name, it's impossible to unsubscribe under the rules-as-written?


In some dark future, you will need to sign up for all websites just to prevent someone from doing this very thing. "It's not our fault you didn't sign up and allowed a fraudster to do it."


A TOS doesn't apply if you didn't sign up.


Now picture a Kafkaesque nightmare where you have to prove to the company spamming you that you didn't sign up for their spams...


I hope that wasn't me! To avoid their spam I changed my email address in their system to a bunch of random letters/numbers a year or 2 ago. I made it pretty long. If that was your email, I apologize.


I believe you can express your displeasure with this settlement at Civil.Feedback@usdoj.gov, as well as to your elected congresspeople: https://www.congress.gov/members/find-your-member


Maybe sign them up for Experian.


They're dumb enough to think that would be a serious hacking crime and come after you


Google take note. Those spammy "Update to your YouTube Account" advertising "new features" are going to get you in trouble and I will not shed a tear.


The new spam method is updating some random policy every 2 months and informing about the new wording


Sign up to Experian to freeze/unfreeze credit report? 5-10 “upsell” emails per day.


I’m still bitter that a credit reporting agency let my information get stolen, then offered free credit monitoring through Experian, and Experian just seems to be using this free monitoring for upselling.

Hopefully this fine exceeds the revenue they generated from all this…


Experian once stole our credit card number, and wouldn’t stop making unauthorized charges to it.

Our bank was able to just block Experian, since Experian was a large percentage (“most”) of their fraud cases, and they didn’t want to pay to re-issue cards with new numbers.


That’s the sort of thing that should blow up on cnn for days on end…in a saner world.


Yes. This happened to me as well. I once paid them for something and realized they have been charging the card monthly silently.


A just punishment for Experian and other credit agencies is dissolution - these companies gain value purely through rent seeking and are publicly unaccountable while operating in an extremely important field. Either the costs of background checks should just be shifted directly onto banks or we should have a government run public ledger of defaulted debts.


They can wave off fines all day. Forbid them from sending marketing emails for 24 months. See if anyone keeps their job after that.


Now I think about it, this is a much better approach than a fine. Is there a downside to this?


The downside is that there's hardly any political will in the US to regulate businesses


Getting sued for "infringing upon their right to free speech," I'm sure.


No one is stopping them from mailing letters.


> Hopefully this fine exceeds the revenue they generated from all this…

Maybe if it were $650k per victim.


650k is a joke.


not a good one either. that's not even a knock knock level joke


So, that's like, a fraction of a percent of revenue of this particular online product? They may as well attribute it to marketing and keep doing it.


Why even bother? 1mil is nothing to them. It probably cost more to process the check through legal and all the relevant departments


They should fine them for credit triggers too, as the phone spam is atrocious. They legally sell your info and the fact you are looking for a loan to sketchy mortgage lenders who will spam you for weeks.

I know people who have experienced this firsthand, and it is terrifying. You can opt out of it, but nobody knows that until it's too late.


Some ICs make more than that, what a joke


And now for context, see this other front page story:

Hackers can use credit bureaus to dox nearly anyone in America (404media.co) https://news.ycombinator.com/item?id=37222672


The two magic words that would have made this an excellent headline: "per person".


at least it is some accountability. i've recently gotten marketing emails from box.com that require an auth code to opt out. i'm not sure how that is legal


Seriously, it's ridiculous. There should be a one-click unsubscribe link at the bottom of every marketing email. You click it, the email is immediately removed. None of this "please confirm your email" or "please wait ten days for processing" bullshit. Nobody is forwarding your marketing emails. It's not unreasonable to expect ESPs to generate the list at send time and not two weeks in advance.


No. There should be some way to opt in, and not having done that, any "marketing email" should be illegal. Like it is here in the EU.


Of course you have to opt in, that's how it is in the US as well. I'm talking about opting out after the fact.


Opt-in is often required for account creation in the US, however.


They shouldn't be fined financially - they should be fined by adding 100 points to every single person's "credit score"

And we need to kill the BBB


No one has to engage with the BBB.


They did $1.447B in pretax income last year. This fine is ~4.5 basis points.


For people cribbing about the fine being too small: think whether a 100 dollar speeding fine bothers people earning 100K pa. I think it does, because a fine is still a loss of money no matter how small, and a fine also comes with further restrictions / penalties in case behavior does not change.


In this case I think it would be more like a $10 fine.


That's a couple salaries. Wow what a big deal.


A second's income shot to hell.

Seriously, $650K? That's not going to stop this kind of behavior.

Maybe 2 orders of magnitude more might make them sit up and take notice.


It's not just a monetary fine. There are various other requirements put on them, for example they are on the hook for additional record-keeping and compliance monitoring for 10 years, which probably means they need to be incredibly conservative about sending emails for at least that long.


Or they just won't do any of that, assuming that it will take years for the government to give them another manageable fine.


CANSPAM has a limit to the size of the fine

> Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to $50,120, so non-compliance can be costly.


They only sent about 10 emails then? Sounds dubious.


$650K is like salary of a medium manager there. This should have been $65M or so.


YES… my god those were annoying.


Pocket change for them. Not even.


A lot of marketing emails will have opt-out links on their HTML version, but the text version they send alongside it (if it's not just auto-generated from the HTML one) doesn't. I've sent fussy emails threatening GDPR and CAN-SPAM violation only to get confused replies telling me the link is right there, in [LOCATION]. Your opt-out needs to be accessible!


not anywhere near high enough for a company like that.


These fines are pathetic. Experian revenues reached $6.2B last year.

This is nothing more than the cost of doing business. Probably profited off the entire ordeal.


I find it difficult to frame it so I had to get the calculator out... that's 0.01048% of the $6.2 billion in revenues.

Or framed a different way, if you earn a US average salary of $60,000, it's a fine of $630...

That fine is a fart in the wind.


I think you missed a few zeros (or a decimal). It would be $6.29


You're right! It's been a long day.



