On 29 January 2021, the Kemp Little team joined Deloitte Legal.

As of 30 January 2021, Kemp Little LLP ceased to operate as a firm of solicitors and practice law and ceased to be regulated and authorised by the Solicitors Regulation Authority.

Kemp Little LLP has been re-named KL Heritage LLP.

If you are looking to contact a specific individual to seek legal advice or in respect of any other business relationship, please contact Deloitte Legal.

If you are seeking to contact the old Kemp Little LLP in relation to a previous business relationship or matter, please get in touch with KL Heritage LLP.

For enquiries relating to Kemp Little technology products and training portal, please email deloittelegal@deloitte.co.uk

 


 


Commercial technology · Data protection & privacy · 2 May 2019 · Anita Bapat · Aneka Chapaneri

‘Careless’ data sharing costs Bounty (UK) Ltd £400,000


Bounty (UK) Limited (“Bounty”), a pregnancy and parenting support club, has been subject to a £400,000 fine by the Information Commissioner’s Office (the “ICO”) for the unlawful sharing of personal data of more than 14 million people. The ICO has considered the volume of personal data and number of individuals affected by Bounty’s actions as “unprecedented in the history of the ICO’s investigations into the data broking industry”.

Bounty’s primary services are providing ‘Bounty Packs’ (sample packs of goods for the various stages of pregnancy) to new and expectant mothers and providing a mobile app allowing expectant mothers to track their pregnancies.

Bounty collected personal data from its members in a number of ways: its website, mobile app, ‘Mother-to-be pack’ hard copy cards and in person directly from new mothers in hospitals.

‘Careless’ data sharing

Unknown to its members, Bounty sold its members’ personal data to third party organisations in the data brokerage industry. The ICO’s investigation highlighted that Bounty shared the personal data records of 14.3 million new and expectant mothers and their newborn children. This personal data could then be subsequently shared up to 17 times in a year, which resulted in the disclosure of an “extraordinarily high” 34 million personal data records. Bounty shared individuals’ personal data with 39 companies.

The ICO concluded that the data sharing was unlawful under the Data Protection Act 1998 (“DPA”) (pre-GDPR data protection regime) due to the following factors:

  • Undisclosed third party recipients – Bounty’s website privacy policy stated that personal data may be shared with “selected third parties” but none of the third-party recipients were specifically named.
  • Exceeding reasonable expectations – Bounty shared individuals’ personal data with credit reference, marketing and profiling agencies including large corporations such as Indicia, Acxiom, Equifax and Sky, which would be beyond members’ expectations about what was being done with their data.
  • Invalid consent – Bounty relied on consent from its members for the collection and use of personal data; however, the ‘consent’ provided by individuals was not specific or informed, as individuals were not told that their contact details would be shared with the types of organisations mentioned above for marketing purposes. Due to the nature of the data sharing, the ICO also considered that Bounty could not rely on the ground of legitimate interests as the interests of its members, in this case, outweighed Bounty’s commercial interests.

The ICO concluded that, given this, Bounty was responsible for a serious breach of the fairness and lawfulness principle under the DPA.

The ICO’s reasoning

Under section 55A of the DPA, the ICO has the power to issue a monetary penalty notice if there has been a serious breach of the DPA and the breach has the potential to cause substantial damage or distress.

When assessing the seriousness of the breach, the ICO considered the following aggravating factors in respect of Bounty:

  • Number of affected individuals – at least 34 million personal data records of over 14 million individuals were shared;
  • Excessive processing – personal data records could be shared up to 17 times in a year which the ICO considered was “arguably disproportionate”;
  • Duration of breach – the unlawful data sharing continued for seven months for online member registrations;
  • Vulnerable data subjects – the individuals affected were new and expectant mothers and very young children;
  • Breach of privacy policy – the disclosure of personal data to credit referencing, marketing and profile agencies was not mentioned in the information provided to its members (including Bounty’s privacy policy) and it could not be reasonably expected by the affected individuals as a result;
  • Sensitive nature of personal data – the ICO considered that the particular sensitive nature of the information shared had the potential to cause significant distress to new or expectant mothers. The types of personal data disclosed were the number, age and gender of children and mothers’ pregnancy status;
  • Individual loss of control over personal data – personal data was shared with large marketing agencies without individuals’ knowledge or consent.

The ICO considered the following mitigating factors when considering the level of fine to impose:

  • Cessation of data sharing – Bounty voluntarily stopped sharing personal data with third party organisations in April 2018 (prior to the ICO’s initial investigation); and
  • GDPR compliance – Bounty has improved its data protection compliance to meet the enhanced requirements under the General Data Protection Regulation and the Privacy and Electronic Communications Regulations.

Notwithstanding Bounty’s cessation of data sharing in April 2018 and improved data protection compliance since the implementation of the GDPR, the ICO considered the breach serious enough to justify a significant fine nearly reaching the upper limit of £500,000 (by comparison, the ICO recently fined Facebook £500,000 for serious breaches of data protection law). This fine highlights the ICO’s stance on the nature and extent of the unlawful data sharing.

Key takeaways – what can we learn from this decision?

“Invisible data processing” on individuals in the UK is becoming the subject of increased regulatory scrutiny, with the ICO taking tougher action against non-compliant organisations in the data broking industry. The decision against Bounty is a useful reminder for all organisations to (a) be clear with individuals about what they are doing with their personal data – ideally by naming the third-party recipients of personal data in privacy policies (in particular when relying on consent), (b) ensure there is a valid lawful basis for sharing the personal data and (c) obtain valid opt-in consent (and satisfy the higher threshold for consent under the GDPR) from individuals for direct marketing purposes.

The fine issued against Bounty was under the DPA where the ICO was limited to issuing a fine up to a maximum amount of £500,000. Now under the GDPR regime, the ICO has the power to issue much more substantial fines (up to 4% of an organisation’s annual global turnover) and it is likely that, had this enforcement occurred under the GDPR, the fine would have been much higher.
