Norton Rose Fulbright - Data Protection Report blog

On 12 April, the Information Commissioner's Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).

Bounty collected personal information both ‘online’, through its website and mobile app, and ‘offline’, directly from new mothers at hospital bedsides, for the purpose of membership registration. However, the company also operated as a data broker and the ICO found that, from June 2017 to April 2018, Bounty illegally brokered the personal information of parents and their children to third parties, including credit referencing and marketing agencies, the four largest of which were Equifax, Indicia, Acxiom and Sky (the Third Parties).

The ICO launched an investigation into Bounty’s practices during the course of a general investigation into non-compliant practices in the data brokerage industry. It found that in total, the club sold approximately 34.4 million records to 39 Third Parties over the 10-month period, which, according to the ICO’s Director of Investigations, are “unprecedented” figures in the history of their investigations.

The breach

The ICO found that the data sharing was unlawful as Bounty failed to process the registrants’ personal information fairly. In particular, the ICO called out the following areas of non-compliance.

  • Inadequate consent

None of the offline registration methods (which accounted for 69% of all registrations) had an opt-in for marketing purposes, and instead individuals had no choice but to agree to their personal data being shared with Third Parties. Further, the ‘offline’ registrants were not given access to Bounty’s Privacy Policy (the Policy) at the point of registration.

Whilst Bounty submitted that an email containing an ‘unsubscribe’ link and a link to the Policy was sent to data subjects shortly after registration, the ICO found that since the Policy was not provided specifically at the point of data collection and as the data sharing was unforeseeable, the consent received was neither specific nor informed. For these reasons, Bounty could not rely on consent as a legal basis under Schedule 2 of the DPA.

  • Transparency

For online registrations, Bounty did not specifically disclose to data subjects that information might be made available to the four largest Third Parties. Instead, the Policy stated that Bounty collected personal data for the purposes of ‘marketing’ and ‘tailoring the service’, and that users may receive communications from a ‘third party’. The Policy categorised general types of ‘selected third parties’ but did not name specific organisations with whom data was shared until January 2018 when Bounty supplemented the Policy’s terms with a ‘named list’ of Third Parties. The ICO felt that Bounty failed to comply with its transparency duty in not providing clear information about the sharing of information with these Third Parties and also noted that the failure to provide this information meant that neither consent nor legitimate interest could be relied on for the transfer of data. Even after January 2018, ‘offline’ registrants still did not have access to the Policy at the point of data collection, as discussed above.

  • Fair treatment of individuals

The ICO found that data subjects registering with a pregnancy and parenting club would not reasonably have expected that personal data would be disclosed to the Third Parties, and that discovery of such would have left them feeling misled, which risked causing distress or damage. It was said that any such distress would be enhanced by the uncertainty of how the Third Parties obtained the data and a consequential perceived loss of control, especially considering the vulnerabilities of the data subjects. As Bounty had “no adequate justification” for its actions, which were primarily “motivated by financial gain”, it failed to use the personal data of the data subjects fairly.

The penalty

The £400,000 penalty is considerable given that fines under the DPA were capped at £500,000. The severity of the penalty is in part due to the “extraordinarily high” number of affected data subjects and the “sustained and prolonged” contravention. The ICO also criticised Bounty for sharing each data set “on multiple occasions and with multiple organisations”, in some cases up to 17 times in a 12-month period.

The breach was exacerbated by the fact that data subjects were vulnerable new mothers and very young children. The data collected was sensitive in nature, and as well as locational data included information such as the pregnancy status of the mother, and the name, gender and date of birth of the child. Particularly concerning to the ICO was the scope for children’s data to be stored without consent and later used to create a fuller profile of the child for directed marketing campaigns.

As a result, the ICO found that disclosure of this type of information in such a manner created a real risk of substantial damage or distress to the data subjects. It found that even if such feeling suffered by each individual was less than substantial, the cumulative impact would clearly pass the threshold of “substantial”, and that a lack of evidence of such distress only served to emphasise the ‘invisible’ nature of the unlawful processing. The ICO found that Bounty’s actions were plainly deliberate, but in any event the club should have been aware of the risk of contravention, in view of the nature of its customer base and the terms of its Policy.

Our take

This breach is yet another example of fallout from the ICO’s investigation into the data brokerage industry. In fact, it is particularly reminiscent of last year’s enforcement action against the pregnancy support club ‘Emma’s Diary’, which was fined for illegally collecting data on new mothers and selling it to the Labour Party for election campaigning.

The ICO’s findings are not especially surprising. However, once again, this decision flags the importance of making data subjects aware of precisely how their data will be used and shared, so that any consent sought is ‘informed’ or, where applicable, the legitimate interest ground can be relied upon. Careless sharing of data will no longer be tolerated, and companies looking at how they can monetise their data must carefully work through the data protection implications of doing so in order to ensure that they comply with the law.

Special thanks to Sally Hughes, a Trainee Solicitor in our London office, for her assistance in preparing this content.