UK ICO fines Pharmacy2U Ltd for privacy breach

The Information Commissioner’s Office has fined Pharmacy2U Ltd (the UK’s largest NHS-approved online pharmacy) £130,000 for selling more than 20,000 customers’ personal data to marketing companies without their informed consent.

Pharmacy2U’s online registration form and privacy policy didn’t inform its customers that it intended to sell their details to third-party organisations. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they had to go to the trouble of logging into their account and changing the default setting.

The Commissioner emphasised that Pharmacy2U:

  • ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially when the company’s own website described the service as “discreet and confidential”, and
  • should have displayed a notice in a prominent position on its website which provided its customers with a simple way to opt out of the sale of their personal data to third party organisations.

Link (ICO): ICO’s Decision