
ICO fines HelloFresh £140,000 after 7-month spam marketing campaign

Published on 17 April 2024

The questions

Where did HelloFresh go wrong with their email and text marketing campaign and what lessons can be learned from the ICO’s investigation and subsequent fine? In particular, should companies now be stating in their marketing consents how long they will continue to send marketing messages for, especially after a subscription service ends?

The key takeaway

The UK’s Information Commissioner’s Office (ICO) has issued HelloFresh with a fine of £140,000 for sending more than 79 million spam emails and 1 million spam texts to customers across a seven-month campaign period. The ICO found HelloFresh to be in serious contravention of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR).

The background

HelloFresh is a meal delivery service which operates on a subscription plan basis. The marketing emails and texts which were the subject of this investigation were sent based on an opt-in statement, which customers had (at some point) agreed to. However, this opt-in statement did not make any reference to the sending of marketing via text and it was also bundled with an age confirmation statement.

The ICO’s initial investigation into HelloFresh emanated from a review of data from the UK’s Spam Reporting Service which allows mobile users to report unsolicited marketing texts by forwarding them on. The data collected revealed that, between 27 September 2021 and 23 February 2022, 15,221 complaints were made to the service in relation to texts received from HelloFresh.

The ICO began its investigation in March 2022. HelloFresh provided information to the ICO regarding its consent process, distribution process, communication preferences in the app and analysis of complaints. However, HelloFresh was unable to provide information regarding whether customers had been informed about the length of time that they could receive marketing communications after cancelling their subscription.

The development

The ICO concluded that the company had in fact committed a serious breach of Regulation 22 of PECR, which prohibits sending unsolicited direct marketing messages that have not been consented to. The ICO found that all 79 million spam emails and 1 million spam texts were transmitted in violation of Regulation 22.

The ICO also explained that HelloFresh needed to demonstrate that consent had been freely given, specific, informed and indicated through an affirmative action. The issues with the consent statement used by HelloFresh for email and text message marketing included:

  • a lack of specificity and informativeness, as it failed to mention the use of texts as a marketing channel;
  • combining an age confirmation with marketing consent; and
  • not adequately informing customers about the potential duration of receiving marketing messages after cancelling their subscription.

As a result, the ICO found that section 55A(1) of the Data Protection Act 1998 (which allows the ICO to serve a monetary penalty for a serious breach of Regulation 22) was satisfied. HelloFresh was issued with a monetary penalty of £140,000. The ICO did acknowledge, however, HelloFresh’s cooperation with the investigation and that it has now taken steps to improve its electronic marketing practices for future campaigns. It also acknowledged that HelloFresh had not set out to deliberately contravene PECR.

Why is this important?

The decision of the ICO reinforces the importance of businesses ensuring valid consent has been obtained to direct marketing, especially if they intend to carry out a high-volume marketing campaign. Serious breaches of Regulation 22 of PECR may attract a substantial fine, coupled with the ICO publicly naming and shaming the business in question.

Any practical tips?

Businesses should review their consent and direct marketing distribution systems and processes to ensure compliance with PECR. Consents must be specific, informed and not bundled with other requirements that affect whether they have been freely given. It is also particularly noteworthy that the ICO has called out the fact that, after a certain amount of time, former customers would not expect a business to still be contacting them. Customers should therefore be informed as to how long they can expect to receive marketing messages – something which many marketing consents do not currently do. Businesses must also consider what a former customer’s reasonable expectations are, i.e. how long they can expect to continue to receive marketing messages.

Spring 2024