The Information Commissioner's Office (ICO) said on Tuesday its enforcement notice came after a two-year investigation into how Experian, Equifax and TransUnion used personal data within their data broking businesses for direct marketing purposes.

This resulted in products used by commercial organisations, political parties or charities to find new customers and build profiles about people, the ICO said.

Experian shares pared earlier gains to trade slightly lower following the news.

"We believe the ICO's view goes beyond the legal requirements. This interpretation (of General Data Protection Regulation) also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis," Experian said.

The regulator said it was not taking action against Equifax and TransUnion as they made improvements and withdrew some products and services, while Experian did not make enough progress in improving compliance.

The ICO said Experian has to make changes within nine months or risk further action, which could include a fine of up to 20 million pounds ($26.07 million) or 4% of its total annual turnover.

(Reporting by Tanishaa Nadkar in Bengaluru; Editing by Ramakrishnan M.)