Pregnancy club Bounty UK fined £400,000 by data protection regulator
The UK’s data protection regulator has fined pregnancy and parenting support club Bounty UK £400,000 after an investigation found it unlawfully shared the personal information of over 14 million people with a number of organisations, including credit reference and marketing companies.
Bounty collected the data for membership purposes, but the Information Commissioner's Office (ICO) said it also acted as a "data broking service" until the end of April 2018, breaching the Data Protection Act 1998 by not making it clear to people that their personal information might be shared with third parties.
Before the General Data Protection Regulation came into force, Bounty shared over 34 million personal data records with 39 organisations for “the purposes of direct electronic marketing” from June 2017 until April 2018, the watchdog said on Friday (12 April).
The information was of new mothers, mothers-to-be and young children, including their full name, date of birth, postal address, and postcode. Each record could be shared several times, in some cases "up to 17" over a year-long period, according to the ICO's enforcement report.
Out of these 39 organisations, marketing agencies Acxiom and Indicia, credit reference company Equifax and telecommunications company Sky were the four largest recipients.
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this,” said Steve Eckersley, ICO director of investigations.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” Eckersley added.
The maximum penalty for a breach under the previous legislation in civil cases is £500,000; under GDPR, however, it is £17m (€20m) or four percent of the global turnover in the previous financial year.
Bounty managing director Jim Kelleher said in a statement on Friday that the company acknowledged the regulator’s findings.
“(…) In the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted," Kelleher added.
The company has since reduced the number and period of time records are being held for, Kelleher said, implemented GDPR training for its employees, stopped working with data broker companies, and planned to appoint an independent data expert.