ICO continues to clamp down on bad direct marketing practices

Last month, the UK ICO fined Bounty (UK) Limited £400,000 for the unlawful sharing of the personal data of more than 14 million people. The large fine highlights the necessity of strict compliance with data protection laws.

A fundamental principle of data protection law is the right of individuals, whether employees, customers or consumers, to know what an organisation is doing with the personal data it collects about them.

What happened with Bounty?

During an investigation, the ICO discovered that Bounty, a pregnancy and parenting club, was collecting personal data from various sources including its website, mobile app and from new parents in maternity wards. Whilst Bounty’s primary purpose was a parenting support service, most of its members were unaware that Bounty also acted as a data broking service, supplying data to third parties for electronic marketing without their members’ permission. In under a year, Bounty sold around 34.4 million records to 39 marketing and credit reference companies. The four largest companies to benefit from the individuals’ data were Sky, Equifax, Acxiom and Indicia.

What was the problem?

At the time, the ICO was carrying out a general investigation into non-compliant practices of the data brokerage industry, during which they identified Bounty as a “significant supplier of personal data to third parties for direct marketing.” The ICO began an investigation, discovering that during the period of 1 June 2017 to 30 April 2018, Bounty had, on the basis of consent received during the member registration process, shared a total of 35,027,373 personal data records with Acxiom, Equifax, Indicia and Sky for the purposes of direct marketing. This figure represented the personal data of over 14 million unique individuals. In some cases the personal data record had been shared on multiple occasions.

When collecting the data, Bounty did not provide full and clear notice to its members about the purposes for which their data would be used, including that their data would be used by third parties for direct marketing. In particular, Bounty did not obtain informed consent from the individuals to share their data and it was the ICO’s view that data subjects could not have foreseen that their details would have been shared with these organisations.

Steve Eckersley, ICO’s Director of Investigation, emphasised the unprecedented amount of personal information that was shared by Bounty without the necessary informed consent. Whilst the ICO’s investigation noted that Bounty’s privacy notices had a relatively clear description of the type of organisations that may receive the data obtained from online registrations, it is likely that this only represented 31% of the data records! The ICO noted that whilst Bounty, “as a matter of course”, sent an email to those offline registrants shortly after registration, which included in the footer a direct link to its privacy policy and an “unsubscribe” link, the ICO’s position is that fair processing information should be provided at the start of data collection - and not within a “very short” period thereafter.

In addition, the four largest companies were not identified within the notices. Further, Bounty’s merchandise pack claim cards available to parents and all other offline registrations did not have an opt-in for marketing, meaning there was no opportunity for individuals to consent to their data being shared with third parties. If the parents wanted to receive Bounty’s services, they had to accept direct marketing and had no opportunity to refuse.

Bounty’s response

Bounty released a statement explaining that the company has now changed how members’ data is processed. Bounty’s managing director, Jim Kelleher, has stated that Bounty no longer shares data with any of the 39 companies and has ensured that processes are data protection compliant. Bounty now has the ‘Bounty Promise’, which explains that the company will not share data and an independent expert will review their data protection annually.

Key takeaways

There are two key takeaways from this case:

  • Businesses need to be open and transparent about what data they collect and what they will do with the data. A compliant privacy notice is therefore an essential requirement.
  • As the data sharing occurred before the introduction of GDPR, the maximum fine that could be imposed on Bounty was £500,000. Now, under GDPR, the potential maximum fine is up to 4% of the annual turnover of the company or £17 million, whichever is greater.

The ICO is continuing to take action against companies who breach data protection laws. It is fundamental that companies who use personal data continue to follow GDPR, and treat customer data appropriately, or they will face the same consequences as companies such as Bounty. 

Direct marketing and inadequate consent are continuing themes in the ICO’s long list of enforcement entries. If you have any concerns about your lawful basis for processing, your privacy notices or your direct marketing practice, please contact Val Surgenor.

