The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.

Information Bounty collected was gathered in three ways: in person (in hospitals), on its app, and on its website. Although not currently gathering information in-person, Bounty indicated to the ICO that information previously gathered in that way is still in the database and constitutes almost 70% of the information Bounty holds. When obtained, there was no “check box,” instead individuals were told that by providing their information they were (a) consenting to get information from Bounty, (b) have information shared, and (c) that Bounty would “take great care of the information you provided.” On the other hand, when a member used the Bounty app, the user was directed to a yes/no marketing opt-in that asked “would you like to receive free samples, offers and promotions by post and email from carefully selected third parties (see privacy policy for full details.”  The website had a similar process. In turn, the privacy policy said, according to the ICO, that (a) Bounty collected information for “marketing” and “tailoring;” (b) that Bounty would share with “selected third parties;” and (c) that users might get information not only from Bounty, but “third part[ies]” and listed specific third parties. None of those listed parties, though, were among the advertisers to whom Bounty shared information. Instead, the company shared 34.4 million records to other advertisers during a roughly one year period, consisting of information of records of 14.3 million unique individuals.

According to the ICO, Bounty’s privacy policy language did not provide sufficient notice of the company’s sharing practices, nor was it sufficient to constitute consent to share parents’ information with advertisers. Of concern for the ICO was that the consents were not sufficient specific or informed “given that the data subjects were not told that their data may be shared for the purposes of marketing with Acxiom, Equifax, Indicia or Sky.” And, for the majority of the information collected (offline), the consents were not freely given insofar as people either had to agree to the sharing of their information by filling out the card. Also of concern for the ICO was that Bounty shared information about the children of the members (birth date and gender), which the ICO feared would “create the potential [that] this data [be] appended to create a fuller profile of the child, which may then be used for future targeted marketing.” Meaning that the child has “lost control” of his or her information before being able to give consent.

Putting it Into Practice: While the facts in this case may be unique, this decision shows the ICO’s concern with obtaining fully informed consent, especially in the area of sharing for marketing purposes.