HelloFresh has been fined by the Information Commissioner’s Office (ICO) for a “seven-month spamming campaign of 79 million emails and one million texts.” The food delivery service has been told to pay £140,000 “for a clear breach of trust” following the conclusion of an investigation by the ICO which began in March 2022. Whilst the ICO received complaints directly, thousands of complaints were also made separately to the Mobile UK’s Spam Reporting Service.
HelloFresh sent marketing messages to customers based on a consent statement, but according to the penalty notice, the statement did not specify the use of SMS. Additionally, customers were not provided with sufficient information that their data would continue to be utilised for marketing purposes for up to 24 months after cancelling their subscriptions.
Finally, the ICO discovered HelloFresh continued to contact some customers even after they had requested for communications to cease.
As a result, the ICO concluded HelloFresh had failed to demonstrate that consumers had given the requisite consent to receive messages, a requirement under Regulation 22 of the Privacy and Electronic Communications Regulations 2003. When carrying out direct marketing calls, texts or emails, companies are expected to ensure customers fully understand what they are consenting to.
This article was written by Sam Effiong and Liz Smith.
If you have any questions or would otherwise like to discuss any of the issues raised in this article, please contact David Varney or another member of our Technology Team.
The ICO commented that HelloFresh’s actions amounted to a “clear breach of trust” and confirmed it would “take clear and decisive action where [it] find[s] the law has not been followed”.