Pregnancy club fined £400,000 for sharing personal data of 14 million individuals
Bounty UK, an online club for pregnancy and parenthood advice, has been fined £400,000 by the Information Commissioner’s Office (‘ICO’) following the discovery that the personal data of its users had been shared with 39 other companies without informed consent. A copy of the Monetary Penalty Notice can be found here.
Bounty UK collected personal data for membership registration through its website, apps and through cards in their free merchandise packs given to new and expectant parents. Whilst personal information was being supplied by those registering for the packs, the ICO noted that very few knew that Bounty UK was acting as a ‘data broker’ and supplying personal details to other companies (including the credit reference agency Equifax and Sky) to assist in fine-tuning their direct marketing.
The ICO stated that this practice breached the First Data Protection Principle of the Data Protection Act 1998 (the prevailing legislation at the time of the breach) because Bounty UK were not acting in an ‘open and transparent’ manner with their users. The ICO noted that a total of 34.3m records of over 14.4m ‘potentially vulnerable’ parents and newborn babies were shared between June 2017 and April 2018. The data included the date of birth and the gender of the children.
A spokesperson for the ICO noted that this data sharing was careless, unprecedented and likely to have caused distress to the users. They stated that any consent given by users was ‘clearly not informed’ and that Bounty UK’s actions were driven by financial gain. However, they noted that Bounty UK has since implemented new data-handling policies and ended relationships with data brokers.
Breaches covered by the Data Protection Act 1998 are subject to a maximum fine of £500,000. Two £500,000 fines were issued in 2018, to Facebook and Equifax. Under the General Data Protection Regulation (‘GDPR’), Bounty could have faced a significantly larger fine of up to €20m or 4% of their global turnover. Article 5 of the GDPR sets out the ongoing responsibilities for companies, including that personal data should be processed lawfully, fairly and transparently and that it should only be collected for specified, explicit and legitimate purposes.
If your personal data has been shared without your permission, click here to see how Brett Wilson LLP’s specialist solicitors can assist you.