Bounty fined by ICO for unlawfully sharing member data

The company shared the data of 14 million people without gaining full permission to do so

Pregnancy and parenting club Bounty has been fined £400,000 for misusing customer data and sharing it with third parties without consent.

The company, which encourages new parents to sign up to exclusive offers shortly after giving birth, apparently unlawfully shared the details of 14 million people.

According to the Information Commissioner's Office (ICO), Bounty collected member data using sign-up forms on its website, in-person as it circulated around UK maternity departments, and in merchandise pack claim cards.

However, the company also acted as a data broking service up until GDPR was introduced and shared the data supplied to it with other third parties. This is where the company failed to comply with the law and, as a result, has been fined for breaching the Data Protection Act 1998.

It was found to have shared information with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky, without telling many of its users it planned to do so.

"The number of personal records and people affected in this case is unprecedented in the history of the ICO's investigations into data broking industry and organisations linked to this," said Steve Eckersley, ICO's Director of Investigations.

"Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty's actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time."

He added that by sharing the data in such a way, and because of the nature of its business, Bounty has likely caused distress to many of its members. The data was revealed to include personal information, including details of their pregnancy status and children.

Bounty acknowledged the ICO's findings and said it didn't take a broad enough view of its responsibilities previously, according to Jim Kelleher, the company's managing director, who posted a statement on its website.

"This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted," he said. 

"As the ICO has highlighted, we made significant changes to our processes in Spring 2018, reducing the number of personal records we retain and for how long we keep them, ending relationships with the small number of data brokerage companies with whom we previously worked and implementing robust GDPR training for our staff."

The company has now launched the Bounty Promise, which states that the firm will respect the data it holds, collect only what's necessary and not share data, and that an independent data expert will check on its practices every year.

"Before Spring 2018, our data handling processes did not meet the standards that could be expected of us. We made a mistake for which we are sorry. As well as improving our processes in Spring 2018, we have now launched the Bounty Promise," the company said on Twitter.
