It's one of the largest ever raised by the ICO, but it was based on the Data Protection Act (DPA) which, as we all know, was replaced last May by the GDPR. The latter brought in far fewer new rights for consumers than campaigners like to make out. It tightened up rules on consent, but more importantly, brought in massive fines of up to 4% of global revenue for serious breaches.
The puzzling thing with Bounty is this. How could they be so stupid? How could they not ensure their working practices at least met the letter of the DPA? It just beggars belief.
For those who have yet to start a family, the Bounty name may not be too familiar. They're basically a bunch of people who, for some reason, are allowed to wander around maternity wards handing out a few samples in return for you joining a club.
Essentially, they are paid to go out and get names on a database with the sweetener of a couple of nappies and wipes whose makers are keen to get you using them before that first trip to the supermarket when you are discharged.
Now, I always thought it sounded a little bit tricky. Certainly with our first, some seventeen years ago, we had no idea we didn't have to take the sample and give over our details. It seemed as if the helpful ladies handing out nappies for personal data were part of the ward. Obviously, I can't remember what details we passed over, but from memory, it was a simple card asking for an address so you could be signed up to a club.
As the story in Campaign detailing the charges against them maintains, they had switched to signing up people via apps and websites in the past 17 years. How times change.
Quite what happened to this "club" after we used a couple of nappies, I really have no idea. I'm not so sure we heard from them again, but of course, our data would have remained in the system.
The trouble is that the guys running the club were sharing this information with third parties, including credit reference and advertising agencies such as Acxiom, Equifax and Sky. They did this, the ICO maintains, without asking for the right to share personal information. The online and app registration process also failed to mention in its privacy notices that information would be shared with marketing agencies and credit reference companies.
The ICO shared with Campaign that it was taken aback by the scale of the case which involved -- wait for it -- more than 34 million records related to 14 million people. It's quite staggering, isn't it?
Bounty has admitted wrongdoing and revealed that it updated its practices in the spring of last year, i.e., when GDPR became law. It has now appointed an executive to oversee its handling of data.
Which still leaves the question of how crazily ill-informed do you have to be to take personal information and then sell it on to third parties without either seeking permission or pointing it out in a privacy notice? When so many records belonging to so many people are involved, it just beggars belief.
The other question many of us are probably still wondering about is what would have happened if Bounty had been found to have broken the GDPR rather than the far more lenient (on fines) DPA.
Brands have been given a warning here. This is one of the biggest fines in the ICO's history, but we all know that some time soon it will be superseded by an eye-watering figure arising from GDPR.
Any brand that doesn't explain what it does with personal information in its privacy notice needs to take a serious look at itself before the ICO gives it a very nasty surprise.
This isn't just a headline. It's a warning.