Pregnancy and parenting club Bounty has been fined by the ICO after it was found to have shared 14 million people’s personal information.
The Information Commissioner’s Office found that the company had collected the information for the purpose of membership registration through its website and app, as well as directly from new mothers at hospital bedsides.
According to the ICO, it then shared this personal information with a number of organisations without being fully clear with its registrants that it might do so, which is in breach of the Data Protection Act 1998.
The company shared 34 million records between June 2017 and April 2018 with 39 organisations including Acxiom, Equifax, Indicia and Sky.
The ICO reports that the personal information included that of new mothers or mothers-to-be and also of very young children, including the birth date and gender of a child.
The ICO investigation reports that the company’s privacy notices on its website had a “reasonably clear description of the organisations they might share information with”, but that none of the four largest recipients were listed.
It reports that none of the ‘merchandise pack claim cards’ and offline registration methods Bounty used had an ‘opt-in’ option for marketing purposes.
Steve Eckersley, the ICO’s Director of Investigations, called the number of personal records affected ‘unprecedented’.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations,” said Eckersley.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”