Bounty UK has been forced to scrap all its contracts with data brokers following a £400,000 fine from the Information Commissioner’s Office for illegally sharing personal information belonging to more than 14 million people.
An ICO investigation found that the pregnancy and parenting club collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.
The company also operated as a data broking service, sharing about 34.4 million records between June 2017 and April 2018 with 39 organisations – including Acxiom, Equifax, Indicia and Sky – for electronic direct marketing.
However, the ICO ruled that Bounty had breached the Data Protection Act 1998 because it had not been transparent about who it was sharing the data with.
The personal information shared was not only of potentially vulnerable, new mothers or mothers-to-be but also of very young children, including the birth date and sex of a child.
ICO director of investigations Steve Eckersley said that the number of personal records and people affected in this case is “unprecedented” in the history of the ICO’s investigations into data broking industry and organisations linked to this.
He added: “Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children”
The investigation found that for online registrations, Bounty’s privacy notices had a reasonably clear description of the organisations they might share information with, but none of the four largest recipients were listed.
Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.
Bounty UK managing director Jim Kelleher said: “In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.”
He insisted the ICO had recognised that Bounty had now changed its data-handling policies and that it kept fewer records for less time. It had also ended relationships with all data brokers. In addition, Bounty planned to appoint an independent data expert to carry out an annual survey to ensure it did not breach data protection laws.
As far back as 2013, online forum Mumsnet launched a campaign calling for a ban on reps targeting new mothers on NHS maternity wards. The news of the fine has been greeted with numerous comments on the Mumsnet, including one who wrote: “So glad they’re finally getting done for it, the lying duplicitous mercenary bastards. I hope they get put out of business and bosses are prosecuted.” Another member added: “Good, bastards that they are. It’s long past time that they were banned from post natal wards too!”
Bounty’s main UK rival, Emma’s Diary, was fined £140,000 last year as part of the ICO probe into the use of data analytics for political purposes. The regulator found that it had sold information to Experian specifically for use by the Labour Party.
Experian in ICO sights as Emma’s Diary gets walloped
Major UK data firms under scrutiny as watchdog bites
Emma’s Diary first broker to be fingered in ICO probe
Mumsnet calls for ban on Bounty
Bounty baby club hit by fresh attack