Who: The Information Commissioner’s Office (ICO) and Bounty (UK) Limited (Bounty)
Where: United Kingdom
When: 12 April 2019
Law stated as at: 1 May 2019
What happened:
Bounty, a pregnancy and parenting club, shared the personal data of more than 14 million people in breach of the Data Protection Act 1998, and has been fined £400,000 by the ICO as a result.
Bounty shared over 34 million records from June 2017 to April 2018 with third parties for them to use for marketing purposes. However, Bounty had not adequately informed people about what it was doing with their data, and so breached the Data Protection Act 1998 (DPA 1998) by not being “open and transparent”.
Bounty collected data in four main ways: its website, its mobile app, “mother to be pack” claim cards and directly from new mothers in hospital. The data collected included pregnancy status and children’s gender and date of birth. The ICO found that disclosure of such data created a “real risk of distress”.
None of the organisations with which Bounty shared data were listed in Bounty’s privacy policy until the policy was updated in January 2018. At no time was Bounty’s privacy policy notified to individuals who registered for Bounty’s services offline, nor were such individuals given the option of consenting to their personal data being shared with third parties for marketing purposes (since name and postal address were mandatory fields for registering for Bounty’s services).
Bounty voluntarily stopped trading and sharing personal data with third-party organisations on 30 April 2018. Bounty was fined under the DPA 1998 because of the timing of the ICO’s investigation, which took place before the GDPR and the Data Protection Act 2018 came into force.
The maximum financial penalty in civil cases under the DPA 1998 is £500,000, whereas the ICO now (under the GDPR and the DPA 2018) has the power to impose a civil monetary penalty on a data controller of up to £17 million (€20 million) or 4% of global turnover.
Why this matters:
Data breaches are increasingly in the public eye, and businesses must ensure that their privacy policies and marketing practices comply with the new data protection laws. The GDPR replaced the regime established by the DPA 1998 on 25 May 2018, and the GDPR is supplemented by the Data Protection Act 2018.