Parenting support club Bounty could face compensation claims following data breach fine

Bounty (UK) Ltd, a pregnancy and parenting support club, has been fined £400,000 by the Information Commissioner’s Office for illegally sharing personal information of over 14 million of its members and their children.

Bounty, which has been trading since 1959, offers support and advice to new parents who now sign up through its website and mobile app, cards or are directly recruited on maternity wards.
 
In a report published yesterday, the ICO found that, from June 2017 to April 2018, Bounty sold the personal information of parents and their children to a variety of credit reference and marketing agencies, including Acxiom (a marketing and profiling agency), Equifax (a credit reference agency), Indicia (a marketing agency) and Sky (a telecommunications agency), without securing the necessary consent from the parents.  In total, 34.4 million records of over 14 million people were shared with a total of 39 organisations.
 
This data included full name, parent’s date of birth, email address, postal address, postcode, pregnancy status, whether first time mother, name, gender and date of birth of children (and by extension the address of the child).
 
The ICO considered that the data breach was all the more serious because it involved sharing the personal information of potentially vulnerable, new mothers or mothers-to-be as well as of very young children, including their birth date and sex.
 
The ICO report found a breach of the Data Protection Act 1998 by Bounty for failing to process the personal information fairly.  In particular, the ICO found that Bounty failed to act with transparency in not telling people what they would be doing with their information.  They found that this was likely to have caused considerable distress to at least some of those affected. The ICO concluded that Bounty’s actions appeared to have been motivated by financial gain, with the data sharing an integral part of its business model, and it had no adequate justification for what it had done.

Sean Humber, a data breach specialist at law firm Leigh Day, stated:
 
“The heavy fine emphasises the seriousness of this breach, both in terms of the enormous number and potential vulnerability of those affected.
 
“Completely distinct from the ICO’s fine, those affected by the data breach may have claims for compensation against Bounty, including for any distress that they have suffered, as a result of the sharing of their personal information, without their knowledge or consent.
 
More information
If you have been affected by the Bounty data breach and wish to receive more information about bringing a claim for compensation then please complete our form.