The Information Commissioner’s Office has fined an online pharmacy £130,000 for selling details of 21,500 customers (without their informed consent) to third parties. The penalty is the first of its type to be issued for a breach of the first data protection principle, regarding fair and lawful processing of personal data.
The company collected personal details through its customer registration process and, when registering, customers could untick a pre-ticked box to indicate they did not wish to receive marketing emails. However, extra optional click-throughs were required to access the company’s privacy policy, which explained that to opt out of personal data being shared with third parties, customers had to log into their account and change their settings.
This decision sounds a warning to businesses that collect personal data to ensure that they provide clear information, in a prominent position, to customers as to how their data will be used and who it will be shared with. They must also provide customers with a simple way in which to easily express their preferences in relation to the use of their personal data.
