ICO continues to clamp down on bad direct marketing practices

Last month, the UK ICO fined Bounty (UK) Limited £400,000 for the unlawful sharing of the personal data of more than 14 million people. The large fine highlights the necessity of strict compliance with data protection laws.

A fundamental principle of data protection law is the right to know what an organisation is doing with the personal data it collects of its employees, customers, consumers etc.

What happened with Bounty?

During an investigation, the ICO discovered that Bounty, a pregnancy and parenting club, was collecting personal data from various sources including its website, mobile app and from new parents in maternity wards. Whilst Bounty’s primary purpose was a parenting support service, most of its members were unaware that Bounty also acted as a data broking service, supplying data to third parties for electronic marketing without their members’ permission. In under a year, Bounty sold around 34.4 million records to 39 marketing and credit reference companies. The four largest companies to benefit from the individuals data were Sky, Equifax, Acxiom and Indicia.

What was the problem?

At the time, the ICO was carrying out a general investigation into non-compliant practices of the data brokerage industry, during which they identified Bounty as a “significant supplier of personal data to third parties for direct marketing.” The ICO began an investigation, discovering that during the period of 1 June 2017 to 30 April 2018, Bounty had, on the basis of consent received during the member registration process, shared a total of 35,027,373 personal data records with Acxiom, Equifax, Indicia and Sky for the purposes of direct marketing. This figure represented the personal data of over 14 million unique individuals. In some cases the personal data record had been shared on multiple occasions.

When collecting the data, Bounty did not provide full and clear notice to its members about the purposes for which their data would be used, including that their data would be used by third parties for direct marketing. In particular, Bounty did not obtain informed consent from the individuals to share their data and it was the ICO’s view that data subjects could not have foreseen that their details would have been shared with these organisations.

Steve Eckersley, ICO’s Director of Investigation, emphasised the unprecedented amount of personal information that was shared by Bounty without the necessary informed consent. Whilst the ICO’s investigation noted that Bounty’s privacy notices had a relatively clear description of the type of organisations that may receive the data obtained from online registrations, it is likely that this only represented 31% of the data records! The ICO noted that whilst Bounty, “as a matter of course”, sent an email to those offline registrants shortly after registration, which included in the footer a direct link to its privacy policy and an “unsubscribe” link, the ICO’s position is that fair processing information should be provided at the start of data collection - and not within a “very short” period thereafter.

In addition, the four largest companies were not identified within the notices. Further, Bounty’s merchandise pack claim cards available to parents and all other offline registrations did not have an opt-in for marketing, meaning there was no opportunity for individuals to consent to their data being shared with third parties. If the parents wanted to receive Bounty’s services, they had to accept direct marketing and had no opportunity to refuse.

Bounty’s response

Bounty released a statement explaining that the company has now changed how members’ data is processed. Bounty’s managing director, Jim Kelleher, has stated that Bounty no longer shares data with any of the 39 companies and has ensured that processes are data protection compliant. Bounty now has the ‘Bounty Promise’, which explains that the company will not share data and an independent expert will review their data protection annually.

Key take aways

There are two key take aways from this case:

  • Businesses need to be open and transparent about what data it collects and what it will do with the data. A compliant privacy notice is therefore an essential requirement.
  • As the data sharing occurred before the introduction of GDPR, the maximum fine that could be imposed on Bounty was £500,000. Now, under GDPR, the potential maximum fine is up to 4% of the annual turnover of the company or £17 million, whichever is greater.

The ICO is continuing to take action against companies who breach data protection laws. It is fundamental that companies who use personal data continue to follow GDPR, and treat customer data appropriately, or they will face the same consequences as companies such as Bounty. 

Direct marketing and inadequate consent are continuing themes in the ICO’s long list of enforcement entries. If you have any concerns about your lawful basis for processing, your privacy notices or your direct marketing practice, please contact Val Surgenor.

GDPR & Cyber Security

Cyber security and key changes under the GDPR affect almost all businesses. Visit our hub to gain knowledge, insights and updates as the legislations are updated and take hold.

Latest updates from @MacRoberts