Bounty UK ICO Fine: Data Sharing GDPR Lessons

Everyone figured GDPR would be the big stick for data hogs. But Bounty's £400K fine under old UK law proves regulators were swinging hard even before the hammer dropped.

Bounty UK's £400K Wake-Up: Data Brokering's Reckoning Before GDPR Even Hit — theAIcatchup

Key Takeaways

  • Bounty's £400K fine under old law shows regulators meant business pre-GDPR.
  • Consent must be granular and informed — no burying data sales in fine print.
  • Data brokering models face existential threats; pivot to trust or pay up.

Data sharing and GDPR compliance? That’s the phrase that’s kept compliance officers up at night since 2018. But here’s the twist nobody saw coming: Bounty UK, the pregnancy pack pushers who’ve long creeped out new moms with hospital sales pitches, just got hammered by the UK’s ICO for practices that ended before GDPR kicked in.

Shock. Right?

We all expected GDPR to unleash the fines — £17 million caps for big breaches, endless audits, the works. Companies scrambled, rewrote privacy policies, hired lawyers by the dozen. Yet Bounty’s mess unfolded under the creaky Data Protection Act 1998, max fine £500K. They squeaked by with £400K after offloading 34.4 million records — birth dates, baby sexes, pregnancy details — to 39 firms, including Equifax, that infamous breach magnet. All without a whisper to the data subjects.

And the ICO didn’t hold back.

The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this. Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed.

That’s from Steve Eckersley, the ICO investigations director. Financial gain, he says — integral to their model. Distress to millions of unaware parents. Oof.

Why Bounty Pulled the Plug Just in Time — Smells Like Foreknowledge?

Look, they stopped April 30, 2018. GDPR lands May 25. Coincidence? Hardly. This wasn’t some rogue intern; data brokering was their cash cow. New moms sign up for freebies, advice, apps — fine. But then their intimate life details get auctioned off. No heads-up. No granular consent for each of those 39 partners.

Dig deeper: Bounty’s been shady before. Hospital room photo hustles sparked outrage years back. Privacy complaints piled up. Yet they scaled to millions. How? Loose pre-GDPR rules let data brokers run wild, like the 90s telemarketers dialing for dollars before Do Not Call lists.

My unique take? This echoes the early credit bureau scandals — Equifax’s ancestors hoarding data without oversight, until Congress cracked down in the 70s. Bounty? Modern echo. Regulators signaling: the wild west ends. Now.

But what really shifts the architecture here — it’s not just the fine. It’s the precedent. ICO’s calling out ‘unprecedented’ scale. Post-GDPR, that £400K balloons to £17M. Companies rethink core models. Data as profit center? Suddenly radioactive.

How Did Consent Go So Wrong? The Devil in the Details

Consent under GDPR (Articles 6 and 7) must be specific, informed and freely given. Bounty? Buried it. Users thought they were opting into parenting tips. Not a data fire sale.

Article 13 mandates crystal-clear notices at collection time. Plain language. For kids? Even simpler. Bounty blasted data to credit firms, marketers — newborns’ sexes included. Imagine the chill: your kid’s info in Equifax hands, pre-that mega-breach.

They claimed consent. ICO laughed. Not informed, not transparent. Users couldn’t exercise rights — right to know where data lives, who sees it, how it’s used. Boom, violation.

Fixable? Yes. But Bounty’s sloppiness screams motive — cash over care.

Can You Still Share Data Without ICO Knocking?

Nothing bans sharing outright. But do it right, or pay.

First, lawful basis. Consent’s king for sales, but granular — tick boxes per partner, no pre-checked gotchas. Article 12: concise, intelligible info. No legalese walls.

International? Chapter 5 nightmare. Adequacy decisions, SCCs, BCRs — if Equifax ships to the US, prove protection levels match.

Here’s the how: Layered notices. Top-line summary, details linked. Renew consent periodically. Audit partners. Tools like privacy management platforms (yeah, plug for the ecosystem) automate this.
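The “do it right” checklist above (a named recipient per tick box, no pre-checked defaults, consent that matches the purpose shown, periodic renewal, partner audits) is easy to state and easy to get wrong in a pipeline that bulk-exports records. The sketch below is an added example, not code from Bounty, the ICO, or any privacy platform: an in-memory consent ledger where every share decision is made per subject and per partner, and every decision is written to an audit trail. The partner name, the 365-day renewal window, and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed renewal window: consent older than this must be re-confirmed before
# it is relied on again. An illustrative policy choice, not a legal figure.
CONSENT_MAX_AGE = timedelta(days=365)


@dataclass
class Consent:
    partner: str                      # the named recipient the user opted in to
    purpose: str                      # the purpose shown to the user at collection
    given_on: date
    pre_ticked: bool = False          # obtained via a default-checked box
    withdrawn_on: Optional[date] = None


@dataclass
class Subject:
    subject_id: str
    consents: list = field(default_factory=list)


def consent_check(subject: Subject, partner: str, purpose: str, today: date):
    """Return (allowed, reason) for sharing this subject's data with `partner`."""
    matches = [c for c in subject.consents if c.partner == partner]
    if not matches:
        # A blanket "*" opt-in is deliberately NOT matched here: it is not granular.
        return False, "no consent naming this partner"
    c = max(matches, key=lambda k: k.given_on)   # most recent decision wins
    if c.withdrawn_on is not None and c.withdrawn_on <= today:
        return False, "consent withdrawn"
    if c.pre_ticked:
        return False, "consent came from a pre-ticked box (not freely given)"
    if c.purpose != purpose:
        return False, f"consent was for '{c.purpose}', not '{purpose}'"
    if today - c.given_on > CONSENT_MAX_AGE:
        return False, "consent stale; renew before sharing"
    return True, "ok"


def build_share_batch(subjects, partner, purpose, today):
    """Split subjects into shareable ids plus an audit log of every decision."""
    allowed, audit = [], []
    for s in subjects:
        ok, reason = consent_check(s, partner, purpose, today)
        audit.append((s.subject_id, partner, "SHARE" if ok else "BLOCK", reason))
        if ok:
            allowed.append(s.subject_id)
    return allowed, audit


# Constructed sample data: fictitious users and a fictitious partner "CreditCo".
TODAY = date(2018, 4, 1)
SAMPLE = [
    Subject("u1", [Consent("CreditCo", "marketing", date(2017, 9, 1))]),
    Subject("u2", [Consent("*", "marketing", date(2017, 9, 1))]),            # blanket opt-in
    Subject("u3", [Consent("CreditCo", "marketing", date(2017, 9, 1), pre_ticked=True)]),
    Subject("u4", [Consent("CreditCo", "marketing", date(2016, 1, 1))]),     # older than window
    Subject("u5", [Consent("CreditCo", "parenting tips", date(2017, 9, 1))]),  # wrong purpose
    Subject("u6", [Consent("CreditCo", "marketing", date(2017, 9, 1),
                           withdrawn_on=date(2018, 2, 1))]),
]

if __name__ == "__main__":
    ids, log = build_share_batch(SAMPLE, "CreditCo", "marketing", TODAY)
    print("shareable:", ids)          # only u1 passes every check
    for entry in log:
        print(*entry)
```

Only `u1` survives: the blanket opt-in, the pre-ticked box, the stale consent, the consent given for a different purpose, and the withdrawn consent are each blocked with a reason that lands in the audit log. That log is the artefact an investigator will ask for, and it is also what a periodic partner audit reads to confirm nobody was exported without a matching, current, named consent.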

But why bother? Because fines aside — reputational gut-punch. Trust evaporates. Bounty’s brand? Tarnished forever.

Is Bounty’s Fine a GDPR Preview — Or Just Old News?

Everyone braced for GDPR chaos. Fines flew early — British Airways £20M, Marriott £18M. But Bounty’s prequel shows enforcement muscle flexed since day one.

Architectural shift: Data brokers pivot. From sell-everything to value-add services. Or perish. Prediction: We’ll see consolidations, compliance-first startups eating legacy players. Bounty’s wake-up for all — even US firms eyeing EU users.

Corporate spin? Bounty says they ‘evolved.’ Please. They bolted when heat rose.

Wake up, data hustlers.

Think about the parents. Postpartum haze, signing forms amid beeping monitors. That ‘free pack’ consent? Weaponized against them. ICO nails the distress — psychological toll of unknown surveillance. Not abstract; real lives.


Frequently Asked Questions

What caused Bounty UK’s £400,000 ICO fine?

Selling 34.4M user records without informed consent, under pre-GDPR Data Protection Act.

How does GDPR change data sharing rules?

Requires specific consent, transparent notices, lawful basis checks — fines up to 4% global revenue.

Can companies legally sell customer data after GDPR?

Yes, with explicit, granular consent and compliance on transfers, bases, transparency.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.



Originally reported by GDPR.eu Blog
