The UK Information Commissioner’s Office (ICO), the independent regulator for data protection and information rights law, has imposed a £400,000 fine on Bounty (UK) Limited for violations of the Data Protection Act 1998 when it shared 34.4 million records belonging to 14 million people with 39 organizations, including credit reference and marketing agencies. Bounty characterizes itself as a pregnancy and parenting support club that markets services and provides information to parents prior to the birth of their children and through preschool. The company collects personal data from parents, including the name, gender, date of birth, and residential and email addresses of parents and children. The company held the digital records indefinitely. According to the ICO, Bounty was “not open or transparent” in its representations to registering members, and any consent that may have been given “was clearly not informed.” According to the ICO’s Director of Investigations, the violation was “unprecedented” in terms of the number of records and people affected.
Because the violations took place between 2017 and April 2018, the ICO issued a civil monetary penalty under the Data Protection Act 1998, which only allows a maximum financial penalty of £500,000. Under the General Data Protection Regulation (GDPR), in effect since May 25, 2018, the maximum fine would be £17,000,000 (€20 million) or 4% of global turnover.
ICO Monetary Penalty Notice