Legal opinion: Why Bounty was smacked with a £400,000 fine

Wedlake Bell's James Castro-Edwards explains why Bounty received such a big fine under the old Data Protection Act - which would almost certainly have been much larger under GDPR

When the Information Commissioner fined pregnancy club Bounty (UK) Limited £400,000 for breaches of the Data Protection Act 1998 (DPA), the size of the fine raised a few eyebrows.

Bounty's non-compliance resulted in more than 14 million club members' personal data being shared with third parties for direct marketing purposes unfairly, the Information Commissioner's Office (ICO) ruled, and in a way that was likely to cause members damage or distress.

While describing itself as a pregnancy and parenting support club, Bounty was in practice acting as a data broker

Members' personal data was shared repeatedly, in some cases up to 17 times in a 12-month period. Club members were not aware that their personal data was being processed, in what the Information Commissioner described as "invisible processing", and for which Bounty had not established a valid lawful basis.

While describing itself as a pregnancy and parenting support club, Bounty was in practice acting as a data broker.

Bounty was fined under the DPA since the breaches took place prior to the General Data Protection Regulation (GDPR) taking effect.

The company's directors should consider themselves fortunate: the maximum fine permissible under the DPA is £500,000, which is significantly lower than the potential maximum under the GDPR. This carries fines of up to four per cent of annual turnover, or £17 million. Had the transgressions taken place when the GDPR was in force, the fine could have been much higher.

Background

Bounty is a pregnancy club which provides information and markets offers and services to parents. It provides 'Bounty Packs' of product samples for different stages of pregnancy and parenthood.

Bounty collected personal data for membership registration through its website, mobile app, paper cards and from new mothers at hospital bedsides. As a result, Bounty held the personal data of more than 17 million individuals on its database.

Individuals that used the paper 'offline' claim form had no choice but to consent to their personal data being used for marketing purposes

The ICO investigation revealed that from 1st June 2017 to 30th April 2018, Bounty shared more than 35 million records with marketing and profiling agency Axciom, credit reference agency Equifax, marketing agency Indicia and telecoms operator Sky, for the purposes of direct electronic marketing.

Bounty's website privacy notice stated that it collected personal data for the purposes of 'marketing' and 'tailoring the service', and that it may share personal data with 'selected third parties'. Some third parties were named, though Axciom, Equifax, Indicia and Sky were not identified until the privacy notice was later updated.

Bounty relied on an 'opt-in' option from website visitors and app users from which it purported to infer consent, that linked to the website privacy notice.

Individuals that used the paper 'offline' claim form had no choice but to consent to their personal data being used for marketing purposes if they wanted to join the club. They did not have access to the website privacy notice, so they were not informed how their personal data would be shared when they provided their information.

Data protection breaches

The ICO found that Bounty failed to comply with its transparency obligations since it had not informed members that it would share their personal data with the four organisations identified above. Members would not have expected their details to be shared in this way, which was unfair and likely to result in damage or distress.

Valid consent must be informed, which was not the case in this instance, since Bounty had not been transparent about its data sharing arrangements

Bounty claimed that it relied on consent as a lawful basis for processing. However, valid consent must be informed, which was not the case in this instance, since Bounty had not been transparent about its data sharing arrangements.

Further, members who had completed the paper 'offline' forms had no choice but to consent to their details being used for direct marketing purposes, which is at odds with the requirement that consent must be freely-given.

ICO approach to enforcement

The ICO enforcement action against Bounty follows a trend towards higher fines. Bounty was fined far less than the potential maximum under the GDPR; however, recent ICO activity still relates to breaches of the DPA, which is likely to continue for some time yet.

To date, ICO enforcement action has generally focussed on two particular areas of non-compliance; security and direct marketing. The action taken against Bounty demonstrates that the Information Commissioner can and will use her enforcement powers against non-compliant marketers.

The ICO enforcement action against Bounty follows a trend towards higher fines

The principle of fairness, lawfulness and transparency is fundamental to data protection law, and businesses that send marketing materials that are neither fair nor transparent face a real risk of increasingly sizeable penalties.

James Castro-Edwards is a partner at Wedlake Bell LLP and leads the firm's outsourced data protection officer service, ProDPO

The IT Leaders' Summit is back - coming to London on 23 April.

This year, it will focus on 'Driving the Digital Roadmap for the Enterprise'. Speakers include Shivvy Jervis, The Trainline's Mark Holt, NatWest's Tom Castle McCann's Matt Groshong and a special keynote from a high-profile tech leader and visionary. For more details - and to reserve your place - check out the dedicated website. Places are FREE to qualifying CIOs, IT leaders and senior IT pros, but are going fast!