Pregnancy club fined £400,000 for illegally sharing data of over 14 million people

The ICO says the information was illegally shared through data broking.
Written by Charlie Osborne, Contributing Writer

Pregnancy club Bounty UK Limited has been fined £400,000 for illegally sharing and selling information belonging to 14 million individuals without their explicit consent.

The fine was imposed by the UK's data protection watchdog, the Information Commissioner's Office (ICO).

Personal data relating to pregnancy, new mothers, mothers-to-be, and the birth dates & sex of children were shared. 

The ICO said the data was collected from those who were "potentially vulnerable."

Information was collected through membership registration in both the club's website and mobile application, as well as by the hospital bedsides of new mothers through merchandise claiming cards, free samples, and vouchers.

CNET: Data breaches can sucker-punch you. Prepare to fight back

The ICO launched an investigation into Bounty and found that the company was not just gathering data for the purposes of the club. Bounty was, in fact, also operating as a data broker service which supplied this information to third-parties for direct electronic marketing purposes.

The ICO says that between June 2017 and April 2018, 34.4 million records were illegally shared with 39 organizations including Acxiom, Equifax, Indicia, and Sky.

It is not illegal to be a data broker in such a manner, but it is illegal under both the Data Protection Act 1998 and the EU's General Data Protection Regulation to improperly share personal data without clear, explicit user consent.

Bounty's online privacy notices had a "reasonably clear description" of groups that information may be shared with, but the UK watchdog noted that none of the four largest participants were mentioned.

TechRepublic: 5 best password managers for Android

Steve Eckersley, ICO's Director of Investigations, branded the firm's data handling as "careless" and "appear[s] to have been motivated by financial gain."

Bounty no longer acts as a data broking service, having stopped the practice in April 2018. The pregnancy club "acknowledged" the ICO's findings and have now made changes to its data collection and handling models.

See also: Heathrow Airport fined £120,000 over USB data breach debacle

In addition, Bounty now keeps fewer records and has ended all relationships with data brokers, the BBC reports. An independent data specialist is due to be hired to perform an annual survey to ensure that Bounty does not cross the line when it comes to user data and privacy again.

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards