Pregnancy club Bounty UK has been given a £400,000 fine for illegally sharing the personal information of more than 14 million people.
The fine was issued by the Information Commissioner’s Office (ICO) in what it said was an “unprecedented” case.
Bounty compiled personal data but did not tell people that it was shared with 39 other organisations, said the ICO.
Bounty said it “acknowledged” the ICO’s findings and had now made changes to how it handled member data.
The Bounty pregnancy and parenting club offers free samples, vouchers and guides to prospective and new parents via packs given out in hospitals or sent to people who use its apps.
Bounty gathered information from apps, its website, cards in merchandise packs and from new mothers in hospital.
The ICO said that while many knew Bounty as a pregnancy club, few knew that it was also a data broker supplying information to third parties that would use it to fine-tune direct marketing.
Bounty breached the 1998 Data Protection Act by not being “open and transparent” with people about what would be done with their personal data.
It shared 34.3 million records from June 2017 to April 2018 with 39 organisations including marketing agencies Acxiom, Equifax and Indicia.
The data shared was of “potentially vulnerable” people including new mothers and very young children, said the ICO.
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this,” said Steve Eckersley, the watchdog’s director of investigations.
Mr Eckersley said the “careless” data-sharing was likely to have caused distress to many people because they did not know it was being shared so widely.
Jim Kelleher, Bounty’s managing director, said: “In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.”
He added that the ICO had recognised that Bounty had changed its data-handling policies and that it now kept fewer records for less time. It had also ended relationships with some data brokers. Staff had also been trained to handle data to comply with the latest legislation.
In addition, said Mr Kelleher, Bounty planned to appoint an independent data expert to carry out an annual survey to ensure it did not breach data protection laws.