Back to Cases
technologyRetail · 2022
Easylife Group Limited
Easylife Group unlawfully profiled over 145,000 customers using purchase history to infer health conditions and then sold them related health products without their knowledge or consent — for example, inferring diabetes from purchases of compression socks and targeting those customers with diabetes medication products. The ICO found this constituted processing of inferred special category health data without explicit consent, as required by UK GDPR Art. 9. Easylife was simultaneously fined £130,000 by the ICO under PECR for related unlawful direct marketing calls.
Fine Imposed€1.6M
Authority
ICO-UK
Regulation
UK General Data Protection Regulation + Data Protection Act 2018
Max fineHigher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%
Statusactive
Key Takeaways
- Inferring special category health characteristics from purchase or behavioural data is equivalent to collecting it directly — organisations must obtain explicit consent before using commercially inferred health data for any marketing or targeting purpose.