March 29, 2023
by Ito Onojeghuo | LLM, C-DPO, FIP, CIPM, CIPP/E.
The Information Commissioner’s Office (ICO) has fined Easylife Ltd (EasyLife) for using the personal information of 145,400 customers who had made purchases via its Health Catalogue to predict their medical condition and target them with health-related products without their consent.
The ICO found that EasyLife had profiled 145,400 of its customers for inferred health conditions without their consent, based on certain ‘trigger products’ that they had purchased. The company would make assumptions about their medical condition and then market health-related products to them without their consent.
“For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.”
Health information is classified as ‘Special category’ data under the GDPR. EasyLife was fined for the lack of valid consent for such personalised and intrusive marketing, because the product purchases were used to infer customers’ health conditions. Legitimate Interest cannot be relied on for such marketing, which reveals sensitive data.
The ICO reached an agreement with Easylife to reduce the £1,350,000 monetary penalty notice (MPN), originally issued for breaching the GDPR and PECR, to £250,000.