Parenting brand Bounty fined £400k in 'unprecedented' data breach

Bounty: formerly operated as data-broking service
Bounty: formerly operated as data-broking service

Bounty shared data with Sky, Acxiom and Equifax collected from new mothers at hospital bedsides.

Bounty, the pregnancy and parenting club, has been fined £400,000 for illegally sharing personal information belonging to more than 14 million people. 

The Information Commissioner’s Office found Bounty had breached the Data Protection Act by sharing 34.4 million records with credit reference and marketing agencies, including Acxiom, Equifax and Sky.

Bounty shared information about "potentially vulnerable new mothers or mothers-to-be", the ICO said, as well as birth dates and sexes of children.

The platform collected the information from membership registrations on its website and mobile app, as well as through merchandise pack claim cards and directly from new mothers at hospital bedsides. 

However, Bounty also operated as a data-broking service until 30 April 2018, meaning that it was also supplying data to third parties for electronic direct marketing.

The ICO said none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes, while the privacy notices for online registrations did not specify the information would be shared with the likes of Sky or Equifax.

The body described the case as unprecedented in the history of its investigations into the data-broking industry, because of the scale of personal records being shared illegally. 

Steve Eckersley, the ICO’s director of investigations, said: "Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data-sharing was an integral part of their business model at the time. 

"Such careless data-sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children." 

In a statement, Bounty admitted that it "did not take a broad enough view of our responsibilities" and has pledged to appoint an independent data expert whose findings will be published annually on the company’s website.

Jim Kelleher, Bounty’s managing director, added the company made "significant changes" to its processes in spring last year. 

Subscribe today for just $89 a year

Get the very latest news and insight from Campaign with unrestricted access to campaignlive.com , plus get exclusive discounts to Campaign events

Become a subscriber

GET YOUR CAMPAIGN DAILY FIX

The latest work, news, advice, comment and analysis, sent to you every day

register free