Bounty, an online pregnancy club, has been fined £400,000 by the UK’s privacy watchdog for sharing tens of millions of personal records with third parties such as marketing agencies. The parenting support company, which gathers private information from its customers through its website, apps and offline forms, operated as a data broker until last April.
Bounty provides new mothers with advice and expert knowledge as well as products and services. The company also offers three Bounty Packs that include free samples, discount coupons, and information, as well as free guides with pregnancy and postnatal advice and information.
"As part of the Bounty Promise, we promise not to share any of your personal information with third-party organisations or companies without your explicit permission. For full details, see https://t.co/dnF37ChSAA" — Bounty.com (@BountyUK), April 15, 2019
Personal data, including customer names, dates of birth, email and home addresses, and gender and birth date of children, was shared with companies like Sky, Equifax, Indicia, and Acxiom without informing the data subjects. Between June 2017 and April 2018, Bounty reportedly shared more than 34 million personal records with 39 third-party organizations, including details about new mothers and their children.
According to Steve Eckersley, director of investigations at the Information Commissioner’s Office (ICO), “Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organizations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.”
"As part of the Bounty Promise, we promise that every year an independent data expert will check how we are doing, and we will publish their findings on our website. For full details, see https://t.co/dnF37ChSAA" — Bounty.com (@BountyUK), April 14, 2019
Eckersley added that this type of data sharing can cause distress for consumers who are unaware that their private personal information is being shared multiple times with unknown organizations. Though it is not illegal to be a data broker, it is illegal under both the Data Protection Act 1998 and the EU's General Data Protection Regulation to share personal data without clear, explicit user consent.
In a statement, Bounty said that it "did not take a broad enough view of our responsibilities" and has vowed to appoint an independent data expert who will publish an annual report on the company’s website. Jim Kelleher, Bounty’s managing director, added that the company made "significant changes" to its data collection processes last spring.
In the age of the internet and mobile devices, data breaches have become increasingly common. In January 2019 alone, 1.76 billion records were leaked. These records included user information and passwords for approximately 772 million people, including sensitive information about 202 million Chinese users, as well as an Oklahoma government data leak that exposed seven years of FBI investigations.