ICO dishes out fine to HelloFresh for marketing spam campaign

HelloFresh logo displayed on a smartphone with branding and logo on white background
(Image credit: Getty Images)

Recipe kit delivery service HelloFresh has been fined £140,000 by the Information Commissioner's Office (ICO) for pestering customers with tens of millions of spam messages.

According to the data protection regulator, the company sent 79 million spam emails and a million texts in just seven months. The messages were sent on the basis of an opt-in statement which the ICO said didn't make any reference to the sending of marketing via text.

Although there was a reference to marketing via email, this came as part of an age confirmation statement which the regulator said was likely to incentivize customers to agree.

The message read: "Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old".

Customers also weren't properly warned that their data would continue to be used for marketing purposes for up to 24 months after they had cancelled their subscriptions.

"This marked a clear breach of trust of the public by HelloFresh," said Andy Curry, head of investigations at the ICO.

"Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn't want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued."

HelloFresh complaints began in 2022

The ICO investigation began in March 2022 following complaints made to both the ICO and to the 7726 spam message reporting service. In some cases, the company carried on contacting people even after they had asked for this to stop.

"I had previously bought from this company and ensured that I did not consent to marketing material. I was not happy with their service so cancelled my subscription," one complainant said. 

“Recently (last 1-2 months) I have started regularly receiving unsolicited advertising emails from the company, and now they are sending unsolicited text messages."

The emails and texts were sent in contravention of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR), the investigation found.


Whitepaper from IBM on how to create the ideal customer experience, with image of colleagues in a meeting

(Image credit: IBM)

Discover how combining the content supply chain, CX orchestration, and intelligent commerce creates the ideal customer experience


The opt-out consent statement wasn't, as it should have been, 'specific' and 'informed', as it didn't mention SMS, was unclear and bundled with other aspects, and didn't highlight the fact that customers would carry on receiving messages after they cancelled their HelloFresh subscription.

"In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed," Curry said. "We will always protect the right of customers to choose how their data is used."

The ICO said it's issued more than £2.44 million in fines against companies responsible for nuisance calls, texts and emails since April 2023, with another £2.8 million in 2021/22.

In December, it took action against Daniel George Bentley and his firm Taipan Trading for sending 2.5 million unsolicited direct marketing text messages, issuing an enforcement notice.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.