The Information Commissioner’s Office (ICO) has fined Bounty UK £400,000 after it was found to have shared the personal information of over 14 million people.
Bounty is a pregnancy and parenting club that collects information from its users when they sign up for membership through a registration form on its website and mobile application.
After investigating Bounty’s data practices, the ICO discovered that the company also operated as a data broker service, supplying data to third parties that was subsequently used in electronic direct marketing campaigns.
Between June 2017 and April 2018 Bounty shared over 34 million records with marketing agencies and organisations such as Equifax, Indicia, Acxiom and Sky.
The personal information that Bounty passed on concerned not only potentially vulnerable new mothers and mothers-to-be; it also included information on young children, including their birth date and gender.
Bounty Fined by ICO
Bounty was found to be in breach of the Data Protection Act 1998. The ICO notes that the company was sharing this personal data with third parties without having made it clear to its users that their data would be used in this manner.
Steve Eckersley, ICO’s Director of Investigations, commented in a release that: “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.”
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.”
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
The civil monetary penalty was issued under the GDPR’s predecessor, the Data Protection Act 1998, owing to the timing of the case. The maximum financial penalty in civil cases under former laws is £500,000.
Jim Kelleher, Managing Director of Bounty, told Computer Business Review: “We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.”
“This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted.”
“As the ICO has highlighted, we made significant changes to our processes in Spring 2018, reducing the number of personal records we retain and for how long we keep them, ending relationships with the small number of data brokerage companies with whom we previously worked and implementing robust GDPR training for our staff. Our ‘Bounty Promise’ sets out our continued commitment to carefully look after our members’ personal information. And to ensure our promise is never broken, we will appoint an independent data expert to check how we are doing every year and we will publish their findings annually on the Bounty website.”