The UK’s privacy watchdog has fined pregnancy club Bounty £400,000 after finding it guilty of sharing tens of millions of personal records with third parties including marketing agencies.
The parenting support company collects a range of sensitive information from its customers via its website, apps and offline forms: including names, dates of birth, email and home addresses, and gender and birth date of children.
However, it also operated up until the end of April 2018 as a data broker, providing that same information to companies like Sky, Equifax, Indicia and Acxiom without clearly informed consent from the data subjects.
Between June 2017 and April 2018, Bounty is said to have shared over 34 million personal records with 39 third-party organizations, including the details of new mothers and new born children.
Steve Eckersley, director of investigations at the Information Commissioner’s Office (ICO), described the number of those affected as “unprecedented.”
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organizations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time,” he said.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organizations, including information about their pregnancy status and their children.”
Given the timing of the data sharing, the firm was prosecuted under the old data protection regime, the Data Protection Act 1998, rather than the GDPR.
A much larger fine would likely have been in the offing otherwise, given the large volume of data involved and the vulnerable nature of the victims.