Bounty UK GDPR Fine: Data Sharing Lessons

Everyone figured GDPR would kill shady data deals overnight. Bounty UK proves companies cling to old tricks, even as fines loom larger than ever.

Key Takeaways

  • Bounty UK fined £400K for selling 34.4M records without informed consent—a pre-GDPR dodge that still stung.
  • GDPR demands explicit, granular consent for data sharing; bury it in fine print, and you're toast.
  • Unique insight: the case echoes the Equifax scandals; expect massive post-GDPR fines ahead for data brokers.

Bounty UK thought they could skate by. Sell off 34.4 million user records—like newborns’ birth dates and sexes—to outfits including Equifax, that notorious breach magnet. All without a whisper to the parents. ICO drops a £400K hammer. Not GDPR, mind you—the old Data Protection Act 1998. But oh, the irony: they quit just before GDPR’s May 2018 kickoff, dodging a potential £17 million gut punch.

What a dodge. Or was it?

Why Did Everyone Think GDPR Would Fix This Overnight?

Tech world buzzed with GDPR hype. Compliance checklists flew off digital shelves. Companies scrambled for consent pop-ups. Expectation? Data brokers like Bounty would clean up or shut down. Instead, Bounty cashed in pre-deadline, leaving millions in the dark. Changes everything—proves regulators aren’t asleep, just biding time with bigger sticks.

And here’s the ICO’s director, not mincing words:

"The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this. Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed."

Scathing. Spot on. Bounty’s model? Pure profit-chasing. Moms sign up for freebies—parenting tips, maternity pics—and boom, their data’s auctioned to 39 firms. Distress? You bet. Imagine learning your kid’s details fueled marketing spam.

Short version: Epic fail.

How Bounty Pulled This Off (And Why It Backfired)

Picture it. Bounty reps in hospital rooms, snapping photos, pushing packages. Creepy enough. Then, behind the scenes, data dumps to Equifax and pals. No heads-up. Consent? A joke—buried in fine print no one reads. ICO investigation uncovers the mess: sales halted April 30, 2018. Lucky timing, or calculated exit? Smells like they knew the hammer was coming.

My unique take: This echoes Equifax’s 2017 bloodbath, where breached data (ironically, some from Bounty?) exposed 147 million. History rhymes—companies treat personal info like casino chips. Bold prediction: Post-GDPR, we’ll see £20M+ fines routinely. Bounty’s just the appetizer.

They ended it. Sure. But damage lingers. Trust? Shattered. Parents worldwide now side-eye any ‘free’ baby app.

Critique their spin? Bounty stayed mum—no press release groveling. PR silence screams guilt. Smart? Nah. Own the screw-up publicly, or look shadier.

Can You Share Data Without ICO’s Wrath?

Nothing wrong with third-party shares. If done right. GDPR demands clarity—Article 12: concise, plain language. Tell folks upfront, per Article 13. Lawful basis? Consent’s your bet for sales, but granular: one checkbox per partner? No. Explicit for each activity.

Bounty flunked. Members clueless about 39 recipients. Rights gutted—no clue where data lived, how used.

International? Chapter 5 nightmare. Adequacy decisions, SCCs, the works. Skip it, face transfer bans.

But—here’s the thing—compliance ain’t rocket science. Ditch the greed. Ask nicely. Document everything. Tools exist: checklists, consent managers. Don’t be Bounty.

Look, data’s not yours to hawk. It’s theirs. GDPR flips the script: profit from privacy? Prove it’s kosher.

One-paragraph rant: Bounty’s not alone. Too many ‘free’ services monetize shadows. Wake up, boards—fines escalate, lawsuits swarm. Equifax paid billions. Your turn?

What Bounty Teaches Data Brokers Today

Lesson one: Timing stinks as defense. ICO saw through it. Lesson two: Scale matters—34M records? Unprecedented, per ICO. Lesson three: Motive kills—financial gain over transparency? Dead giveaway.

Skeptical eye: ICO’s £400K feels light. Pre-GDPR cap. Now? Crippling. Companies, test your consents. Audit partners. Or join Bounty’s hall of shame.

Dry humor aside, this shifts the game. Data sharing? Viable, but handcuffed. Expect consent fatigue—users click ‘no’ more. Brokers pivot or perish.

And the PR spin? Bounty’s quiet. Cowardly. Shout compliance wins instead.


Frequently Asked Questions

What happened with Bounty UK and the ICO fine?

Bounty sold 34.4M user records without proper consent, earning a £400K fine under the old Data Protection Act.

How do you comply with GDPR for data sharing?

Get explicit, informed consent upfront; list all third parties; ensure lawful basis and transparency in plain language.

Can companies still profit from user data under GDPR?

Yes, but only with rock-solid consent or other bases—no more sneaky sales without telling users exactly what’s up.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.


Originally reported by GDPR.eu Blog
