Bounty UK, which offers advice to new parents, unlawfully shared its members’ data with marketing agencies, the Information Commissioner’s Office (ICO) said.
The shared data included information on “potentially vulnerable” new mothers and children, and the sharing appears “to have been motivated by financial gain”, the regulator added.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations,” Steve Eckersley, ICO director of investigations, said.
Bounty collected information through its website and mobile apps, merchandise packs, and even from the hospital bedsides of new mothers.
The company was found to have breached the Data Protection Act 1998 by sharing around 34.4 million records with agencies including Acxiom, Equifax, Indicia and Sky, the ICO said.
These are the four largest of the 39 organisations to which Bounty passed its information.
Mr Eckersley said: “Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this.”
Jim Kelleher, managing director of Bounty, said: “We acknowledge the ICO’s findings. In the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.
“This was not of the standard expected of us. However, the ICO has recognised that these are historical issues.
“Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted.
“As the ICO has highlighted, we made significant changes to our processes in spring 2018, reducing the number of personal records we retain and for how long we keep them, ending relationships with the small number of data brokerage companies with whom we previously worked and implementing robust GDPR training for our staff.
“Our ‘Bounty Promise’ sets out our continued commitment to carefully look after our members’ personal information.
“And to ensure our promise is never broken, we will appoint an independent data expert to check how we are doing every year and we will publish their findings annually on the Bounty website.”