Pregnancy and parenting club Bounty fined £400,000 for shady data sharing practices
ICO says case involving 34.4 million records ‘unprecedented’
Updated The Information Commissioner’s Office has fined commercial pregnancy and parenting club Bounty some £400,000 for illegally sharing personal details of more than 14 million people.
The organisation, which dishes out advice to expectant and inexperienced parents, has faced criticism over the tactics it uses to sign up new members and was the subject of a campaign to boot its reps from maternity wards.
Now Bounty’s data protection practices have fallen under the gaze of the ICO: a probe found it collated personal information to generate membership registration, via its website, mobile app, merchandise pack claim cards and from new mums at hospital bedsides. Nothing new there.
But the business had also worked as a data brokering service until April last year, distributing data to third parties to then pester unsuspecting folk with electronic direct marketing. By sharing this information and not being transparent about its uses while it was extracting the stuff, Bounty broke the Data Protection Act 1998.
Bounty shared roughly 34.4 million records from June 2017 to April 2018 with credit reference and marketing agencies. Acxiom, Equifax, Indicia and Sky were the four biggest of the 39 companies that Bounty told the ICO it sold stuff to.
This data included details of new mothers and mothers-to-be, but also very young children’s birth dates and gender.
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data brokering industry and organisations linked to this,” said the ICO’s director of investigations, Steve Eckersley.
He claimed Bounty was “not transparent” to the millions of people whose data it sold, saying the consent given by people was “clearly not informed”, and Bounty’s actions were “motivated by financial gain given that data sharing was an integral part of their business model at the time”.
“Such careless data sharing is likely to have caused distress to many people since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” Eckersley added.
Updated 12 April at 14.37 BST.
Bounty managing director Jim Kelleher has sent us a statement:
“In the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us. However, the ICO has recognised that these are historical issues.”
He said the business overhauled internal processes a year ago “reducing the number of personal records we retain and for how long we keep them, ending relationships with the small number of data brokerage companies with whom we previously worked and implementing robust GDPR training for our staff.”
Of course, if the data sharing had been done since 25 May 2018, Bounty would be facing a far greater fine, up to 4 per cent of annual turnover or €20m, whichever is greater. ®