The Information Commissioner’s Office has fined Bounty, a parenting and pregnancy club, £400,000 for illegally sharing the personal information of 14 million members.
An investigation by the Information Commissioner’s Office found that Bounty had been collecting the personal information through its website and mobile app and from new mothers in hospital.
Bounty is a source of information for new and expectant mothers, providing pregnancy and parenting tips along with freebies and special offers. It collects personal information for the purpose of signing new members up to the information service. But the ICO found that the organisation wasn’t being 100% honest with its subscribers.
Until 30 April 2018, the company also operated as a data broking service, and supplied this information to third parties for the purpose of electronic direct marketing. By doing so, Bounty breached the Data Protection Act because they did not tell people signing up to the membership service that they would be sharing their personal information.
Incredibly, the ICO investigation found that Bounty shared over 34 million records between June 2017 and April 2018 with credit reference agencies Equifax, Acxiom, Indicia and also with Sky for the purposes of marketing. In fact, Bounty shared the personal information of its users with 39 organisations. The personal information they shared included not only that of potentially vulnerable new mothers and mothers-to-be but also that of very young children, which included the birth date and sex of a child.
ICO’s Director of Investigations, Steve Eckersley said: “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this. Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time. Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes, meaning users were not given an option not to have their personal information shared. Under the new law, the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. The new law means that companies are required to be transparent with their members.
New Rules Under GDPR
The new EU GDPR has been designed to harmonise data privacy laws across Europe, to empower all EU citizens and to reshape the way organisations obtain, store, process and share information. Strict rules mean companies will not be allowed to collect and use personal information without the consumer’s consent.
GDPR puts emphasis on clear consent and specifically bans pre-ticked, opt-in boxes, providing greater transparency in giving consent. It also states that consent must be unambiguous and not a pre-condition of signing up to a service. This is why you will most certainly start receiving contact from companies you regularly use or shop with, asking for further consent for re-marketing purposes.
This ensures genuine consent has been freely given and puts consumers in control of how the data is used. It also gives you, the consumer, an option to opt-out and request any personal data a company holds on you.
Why Is This So Important?
Up until now, companies have been able to hold your data, store it for as long as they like and share it with other companies. They use this data to categorise people by class, political allegiance and spending power. This is an unfair advantage, and GDPR aims to tip the balance between business interests and consumers, giving control back to the individual. Good practice is now mandatory and companies face huge fines if they breach the rules.