Bounty (UK) Limited have been fined £400,000 by the Information Commissioner’s Office (ICO) for illegally sharing more than 14 million people’s personal information.
Bounty, a pregnancy and parenting club, collected personal information for membership registration through its website and mobile app, merchandise pack claim cards and from new mothers at hospital bedsides.
The company had operated as a data broking service until April 2018, supplying data to third parties for marketing purposes.
Bounty were found to have breached the Data Protection Act 1998 by sharing personal data with a number of organisations without being clear that it may do so. The company confirmed it shared personal information with 39 organisations, including Acxiom, Indicia, Sky, and Equifax.
The personal information shared included that of new mothers, mothers to be and that of young children, which included the sex and date of birth of children.
The investigation found that the merchandise pack claim cards and offline registration methods had no opt-in for marketing purposes.
David Scott, Senior Associate Solicitor at Hethertons, said: “The amount of personal data illegally shared makes this a serious case, as proved by the £400,000 fine. Not being clear on new GDPR rules could see business owners facing significant fines.”
“The fines for breaching GDPR can be up to €20 million, and the rules are far-reaching, so if you need expert legal advice then contact us today.”
If you require help or guidance with data protection, contact Hethertons employment team today on 01904 528200.