How a company illegally exploited the data of 14 million mothers and babies

If you’re in the UK you may know Bounty by the packs of samples they distribute to pregnant women at midwife apps. You might not know that they were also found to have illegally shared data of +14 million mums and babies with 39 companies. Bounty collected personal data from a variety of channels both online and offline: its website, mobile app.

By Privacy International (guest author) · October 6, 2021

If you’re in the UK you may know Bounty by the packs of samples they distribute to pregnant women at midwife apps. You might not know that they were also found to have illegally shared data of +14 million mums and babies with 39 companies. Bounty collected personal data from a variety of channels both online and offline: its website, mobile app.

In maternity wards, new mothers were asked to complete paperwork about themselves and their baby. From the new born they asked for the name, date of birth, and  gender. From the mother they asked for her the name, date of birth, address, email address, place of birth, if the mum speaks English, and if the birth was their first.

Over the years there have been high profile complaints about Bounty’s access to the UK’s maternity wards. Invasions of privacy and hard selling tactics at the bedside have been reported repeatedly by distressed new mums.

In April 2019, Bounty were fined £400,000 by the UK’s data protection authority for illegally sharing the personal information of mums and babies as part of its services as a “data broker” between 1 June 2017 and 30 April 2018. The UK data protection authority said that “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.”

It remains unknown whether and how the data that Bounty collected and shared is continued to be used to profile and target those 14 million mothers and their babies today.

In March 2020 the UK was heading into lockdown due to the spread of coronavirus. Bounty representatives appear to have stopped entering maternity wards and in November 2020 the company reportedly went into administration. However, the company maintains its online presence and still operates certain parts of its business under a new legal entity. Their website indicates the intention for Bounty representatives to return to maternity wards once Covid restrictions lift.

The ICO’s decision named only the four largest recipients of the data collected and shared by Bounty (out of 39). One of these companies was Sky – Bounty provided Sky over 30 million records. In 2021 PI wrote to Sky to ask what actions they had taken to locate the data received from Bounty and whether they deleted it, if they had attempted to notify any affected people, or if they had changed their internal policy or practice with regards to receiving third-party data. Sky refused to answer PI’s questions, saying “due to both passage of time and the confidential nature of the information being requested, we are not able to respond to your questions”.

The article was first published by Privacy International here.

Image credit: Luise and Nic/ Unsplash

(Contribution by: EDRi member, Privacy International)