Fine for online pharmacy selling customer details

Author: Ben Milloy

If carried out properly, the sale of customer or user information offers a potentially lucrative revenue source for any data-rich company. However, get it wrong and – as NHS-approved online chemist “Pharmacy 2U” can now testify – it can be quite the reverse.

Pharmacy 2U’s rude awakening took the form of a £130,000 fine from the UK’s data protection regulator – the Information Commissioner’s Office (ICO). The pharmacy’s error: failing to obtain proper consent for the sale of more than 20,000 customer details to third party companies.

The pharmacy had initially offered more than 100,000 customer details for sale via an online marketing company. This led to the sale of the customer details to three purchasers, which included an online medical supplement supplier and a lottery company. Although the information did not disclose the customers’ ailments, the ICO found that the affected individuals were likely to have suffered from a range of conditions, from heart disease and diabetes to erectile dysfunction and hair loss.

The ICO found that the pharmacy had “processed” personal data “unfairly” in contravention of the first data protection principle of the Data Protection Act 1998 (DPA). While there is no strict ban on selling customer details, the issue for the pharmacy was that it had failed to make sufficiently clear to its customers that it intended sell their details on in this way, and therefore did not have appropriate consent for its actions.

A number of factors contributed to the ICO’s finding that Pharmacy 2U had committed a “serious” contravention of the DPA, not least the number of individuals’ data involved. The hefty penalty, however, resulted from a finding that the breach was of a type “likely to cause substantial damage or substantial distress”. In coming to its view, the ICO had particular regard to the fact that:

  • the data purchased by all three companies concerned individuals aged over 70 who had used the pharmacy in the previous six months (i.e. customers who, the ICO concluded, were likely to suffer from chronic illnesses and were therefore vulnerable);
  • the medical supplement and lottery provider clients had questionable records from an advertising and trading standards perspective;
  • Pharmacy 2U had advertised a “discreet and confidential” service to its customers; and
  • some customers might have felt a heightened concern at the thought that highly personal and potentially embarrassing information about them had been inferred by third party organisations.

The ICO did not find that the breach had been deliberate, but considered the pharmacy to have been negligent in its actions. Despite acknowledging the significant remedial action Pharmacy 2U had since taken, its cooperation with the ICO as part of the investigation and the likely reputational impact of the ICO’s adverse ruling, it went on to impose what is one of its largest fines to date.

Given the context and particular circumstances of this case, the ICO would have been quick to punish what was a particularly bad contravention of the DPA. It nevertheless serves to emphasise the pressing need for all companies dealing with personal data to make sure that they have obtained appropriate consent for their specific use of the data. Compliance doesn’t need to be difficult, and in most cases this will come down to specific, clearly-worded and accessible online privacy policies and terms and conditions. Not obtaining proper consent can render the data obtained by a company useless. As is shown in this case, the consequences of then taking inappropriate action with such data can be dramatic.

Ben Milloy, Associate, Fladgate LLP (

View by date:

View by author:

Would you like to hear more?