UK’s ICO fines HelloFresh following 80 million spam communications

The food delivery company was issued a £140,000 fine by the ICO after it sent 79 million spam emails and 1 million spam texts over a seven-month period. The marketing messages were sent based on an ‘opt-in’ statement which did not refer to future marketing communications by text. The email opt-in option was also bundled with an age confirmation statement which may have unfairly incentivised customers to agree. The ICO also found that customers were not provided with sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their HelloFresh subscription.

The ICO considered the actions of HelloFresh to be a breach of the Privacy and Electronic Communications Regulations (PECR) (21 pages/421 KB). Breaches of this sort in terms of unsolicited emails and calls “are an area of focus for the ICO and we often see enforcement action off the back of a very small number of texts or emails, as is the case here”, said Carolyn Lang, technology contracts and data protection expert of Pinsent Masons.

The ICO also found that HelloFresh was taking too long to respond, or sometimes not responding, to customer marketing opt-outs. Following the decision, it is important for businesses to ensure their systems can promptly record opt-outs, Lang added, saying: “If there may be a short delay in a request to unsubscribe selections being implemented, firms should ensure customers set their expectations”. For example, the ICO did not think customers would expect to receive digital marketing from HelloFresh up to 24 hours after ending their subscription.

The ICO decision (20 pages/ 464 KB) to issue a fine is a warning to other businesses, who may want to consider the risks of adopting a similar approach, Lang commented, adding: “The ICO has limited sympathy for companies who should have the resource to get the basics right, particularly with the information available in its Direct Marketing Guidance”.

Additionally, the ICO highlighted that firms should be aware of their responsibilities in this area, with fines possible even if there is no deliberate attempt to breach provisions of the PECR. For example, We Buy Any Car was issued an ICO fine under the PECR in September 2021, despite its claims that it did not intend to breach the regulations.

Overall, the decision “highlights the importance of making sure that customer journeys are appropriately reviewed for any new products or platforms, particularly because it can be very challenging to go back and ‘fix’ these issues at a later stage”, Lang added.