A bitter pill: Hard lessons learnt by online pharmacy fined for selling customer data

The Information Commissioner has issued a monetary penalty notice (MPN) of £130,000 to Pharmacy2U, the UK's largest NHS approved online pharmacy, after it sold the details of 21,500 customers to third-parties through an online marketing company.  The Commissioner’s enforcement activity to date has focussed predominantly upon data security breaches. This is the first MPN for a breach of the first data protection principle under the Data Protection Act 1998 (DPA) which concerns the fair and lawful processing of data. It provides both a reminder of the importance of the first principle and a lesson to all organisations about clear customer communication and consent. 

Initially uncovered by a Daily Mail investigation, the Commissioner found that Pharmacy2U had advertised more than 100,000 customers' details – at £130 per 1000 customers – for rental through a marketing company, Alchemy Direct Media (UK) Ltd.  In late 2014, Alchemy supplied a total of 21,500 Pharmacy2U customer names and addresses for use by a health supplement company, an Australian lottery company and a charity.

The first data protection principle, as outlined in paragraph 1, Schedule 1 of the DPA, requires  personal data to be processed fairly and lawfully and in accordance with at least one of the conditions set out in Schedule 2 of the DPA, one of which is the provision of informed consent by the customer. The Commissioner found that Pharmacy2u had breached this principle, and given the severity and negligent nature of the breach, as well as the distress caused, issued a substantial fine. The decision notice can be read in full here. 

Lessons to be learnt?

Whilst Pharmacy2U’s breaches were serious, there are important lessons to be learnt from the Commissioner’s decision for all organisations which process customer data:

1. Privacy notices must be user-friendly
   
   Pharmacy 2U’s privacy notice was found by the Commissioner to be unclear. It was difficult to access and critically, did not inform customers that the Pharmacy2U intended to sell their details to third-party organisations. 
   
   Privacy notices should therefore be clear and explain in plain English how an organisation will use customers’ personal data. There is a duty to actively communicate a privacy notice where the intended use of the information is unexpected, objectionable or controversial, or where the information is confidential or particularly sensitive.
    
2. Poorly worded and hidden “opt out” boxes do not enable informed consent
   
   Pharmacy 2U made it difficult for its customers to opt-out of data sharing. Customers had to log into their online accounts to change the default “selected company data sharing” option. This simply stated that “We make details available to companies whose products or services we think may interest our customers.” It did not mention the sale of customer data, or inclusion of sensitive information concerning their health conditions. Pharmacy 2U therefore lacked the necessary informed consent to process personal data. 
   
   Organisations should be wary about the use of default “opt-out” provisions regarding the use of personal data. Instead, clearly accessible and explained “opt-ins” provide the organisation with a way of attempting to show that the customer has positively consented to data processing. 
    
3. Breaches of the first principle have real consequences for your customers
   
   Whilst not necessarily known by Pharmacy2U, the health supplement company had breached advertising codes with respect to misleading advertising and unauthorised health claims. There was the potential for individuals to have stopped taking prescribed medicine in favour of products from this company. Meanwhile, the lottery company which had deliberately targeting elderly people was subject to an ongoing international investigation into fraud and money laundering.
   
   Data protection breaches should not be regarded as merely technical breaches of the law - they have real and serious human consequences. Specific care should be taken when dealing with sensitive personal data or vulnerable customers.
    
4. Data protection breaches have real consequences for your business

Alongside the significant MPN, this issue will have taken a considerable toll upon Pharmacy2U’s reputation following the publication of the MPN and associated press attention. In this case, it is clear that the cost of not treating personal data of customers with proper care far outweighs the benefits of the sales.  This is perhaps the most important lesson of all.

Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.