The Information Commissioner’s Office (ICO) has issued a fine of £400,000.00 having concluded their investigations into the significant Bounty data breach.
We’ve already been contacted for help and taken claims for data breach compensation forward on a No Win, No Fee basis since news of the fine broke in the media. As many as 14 million individuals may have had their personal data shared, including new mothers and infants by extension.
The ICO has established that Bounty failed to properly inform users that their data would be shared for marketing purposes. The findings also confirmed that no one was able to give proper and informed consent as well.
About the Bounty data breach
The Bounty data breach has seen some 34 million personal records shared for around 14 million individuals to 39 third-parties. The third-parties included marketing agencies Acxiom and Indicia, as well as credit-referencing agency Equifax, and telecoms provider Sky.
Personal records were shared between 1st June 2017 and 30th April 2018, with some shared until 9th January 2018 depending on how the user signed-up to the service.
The breaches took place prior to the introduction of GDPR which is why the fine isn’t in the millions.
Information shared in the Bounty data breach
The ICO investigated Bounty having tagged them as one of the largest suppliers in the data broking industry they were looking at. Information that has been collected and possibly shared with third-parties in the Bounty data breach case includes:
- Names;
- Baby due dates;
- Postal addresses;
- Email addresses;
- The pregnancy status of expecting mothers;
- Birth dates;
- Gender information.
In some cases, personal data was shared multiple times with the third-parties.
How has Bounty breached data protection laws?
Bounty has breached data protection laws because they failed to acquire informed consent from users for their information to be shared. They also failed to list the names of all of the companies they were sharing data with, and some of the privacy notices were reportedly issues after a user had already signed up (which is past the point of data collection when it ought to be relayed).
The finding by the ICO was that Bounty had processed data unfairly. The ICO labelled their actions as “plainly deliberate” and called this a “serious contravention”.
What can you do as a victim of the Bounty data breach?
If you were a victim of the Bounty data breach, you may be able to make a claim for data breach compensation. We can represent you on a No Win, No Fee basis, and we have already taken cases forward.
The Data Leak Lawyers are fighting for justice in over 25 different data breach actions. We’ve been helping people for years, and thousands have come to us for help.
Our initial advice is free and on a no-obligation basis.
We believe that there may be a case to answer. The ICO were highly critical of the incident, saying that this breach represented an “unprecedented number of affected data subjects in the history of the Commissioner’s investigations into data broking”.