The Information Commissioner’s Office (ICO) announced its intent to fine Bounty (UK) Limited (Bounty) £400,000 for breaching the Data Protection Act 1998 (the Act). Due to the timing of this breach, it was governed by the Act rather than by the General Data Protection Regulation 2016/679 (GDPR). The maximum penalty permitted under the pre-GDPR regime in the United Kingdom was £500,000.
Bounty was a pregnancy and parenting support club. It provided information packs and goody bags to mothers in exchange for personal data. It also provided a mobile app for users to track their pregnancies, as well as offering a new-born portrait service. Its portrait service was the largest in-hospital service of its kind in the United Kingdom.
Bounty had a data protection policy on its website. The data protection policy stated that Bounty: (i) collected personal data for marketing purposes; and (ii) might share personal data with selected third parties. The data protection policy stated that users might receive communications from Bounty or a third party. However, the policy did not specifically identify third parties or the types of third parties that personal data would be shared with.
Bounty also collected personal data using hard copy cards completed in maternity wards. These cards stated that recipients consented to Bounty processing their personal data if the cards were filled in. The cards also briefly outlined the possibility that personal data could be shared by Bounty. However, again, no detail about third party recipients was included. Recipients were obligated to provide their names and postal addresses when filling in the cards. To avail of Bounty’s services, recipients had no choice but to provide some personal data.
In the 11 months to May 2018, Bounty shared just over 35 million personal data records with third parties. These included a credit reference agency, a marketing firm, and a telecommunications company. This represented the personal data of around 14.3 million individuals, including birth dates and genders of new-born children and their parents’ details. This personal data was subsequently shared with additional third parties up to 17 times following Bounty’s initial sharing.
The ICO’s decision
The lack of information on the sharing of personal data with third parties meant that consent, where it was given, was not specific and informed. People could not foresee that their data would be shared with the types of organizations that received personal data from Bounty.
Bounty breached the fairness requirement of the Act. For people who provided their personal data using hard copy cards, consent was not freely given. These individuals had no choice but to agree to the sharing of their personal data.
In reaching its decision, the ICO took into account the extraordinarily high number of affected people. Over 14 million people were affected. Many of these were particularly vulnerable and included new mothers, mothers-to-be, and very young children.
Bounty now has the chance to appeal the ICO’s Monetary Penalty Notice. In its decision, the ICO explained that a data protection impact assessment would have indicated Bounty’s non-compliance with the Act. Bounty has now ceased trading and sharing personal data with third parties.
This fine, as well as other recent fines, demonstrates how data protection authorities are increasingly proactive and assertive in handing down significant penalties. Had this investigation taken place under the GDPR, the potential fine could have been far bigger.
This case is an important reminder for companies to be as transparent as possible when gathering personal data. People must be able to quickly, clearly, and easily understand how their personal data is processed. Any ambiguity or lack of candour will increasingly result in harsh regulatory punishment.