Pregnancy club Bounty UK has been fined £400,000 for illegally sharing personal information belonging to more than 14m people.
The fine was imposed by the UK’s data privacy watchdog, the Information Commissioner’s Office (ICO).
The shared data was of “potentially vulnerable” people including new mothers and very young children, and included information such as their birth date and sex, the regulator said.
Information was obtained through the club’s membership registration and mobile apps, merchandise packs, and from the hospital bedsides of new mothers.
The ICO found that the company was not just harvesting data for the purposes of the club. It was also operating as a data broker, supplying this data to third parties that would use it to fine-tune direct marketing.
The ICO said the company breached the Data Protection Act 1998 by sharing around 34.4m records with almost 40 organisations, including marketing agencies like Acxiom, Equifax, Indicia, and Sky, between June 2017 and April 2018.
Steve Eckersley, ICO’s Director of Investigations, described the company’s data handling practices as “careless” and said that the club’s actions appeared to have been “motivated by financial gain”.
He added that “such careless data sharing is likely to have caused distress to many people” because they weren’t aware that their data was being shared.
Bounty UK accepted the ICO’s findings and acknowledged that its data-sharing had not been “robust enough” in the past, according to Jim Kelleher, the firm’s managing director.
Mr. Kelleher said Bounty UK has made some changes, including reducing the number of personal records it retains.
It has also ended relationships with all data brokers and has implemented a robust GDPR programme for all of its staff members.
The firm will also appoint an independent data specialist to conduct an annual survey to ensure it does not breach data protection laws in the future.