HelloFresh Fined by ICO for Spam Emails



22 January, 2024

Bethany Paliga
Senior Associate

The Information Commissioner's Office (ICO) has announced this month that it has fined HelloFresh £140,000 for breaches of privacy regulations by sending direct marketing emails and texts without valid consent.

HelloFresh, an online meal delivery service, was the subject of a number of complaints to the ICO from subscribers regarding unsolicited emails and texts being sent to individuals after they had unsubscribed from receiving e-marketing.

In order to send direct marketing messages to customers via email and/or text messages, organisations must comply with the Privacy and Electronic Communications Regulations 2003 (PECR). PECR means that:

  • Organisations are prevented from sending direct marketing messages electronically to individuals without their consent.
  • 'Consent' is defined by the UK GDPR and must be specific, informed, unambiguous and provided by "clear affirmative action" (i.e. opt in consent rather than opt-out).
  • Organisations can rely on the 'soft opt-in' to market similar products and services to existing customers/subscribers provided they were given the opportunity to opt out of marketing communications at the time their details were collected.

As part of the investigation, HelloFresh provided the ICO with the wording of its consent statement which said:

"Yes, I'd like to receive sample gifts (including alcohol) and other offers, competitions, and news via email. By ticking this box, I confirm I am over 18 years old."

The ICO decided that this consent wording does not amount to valid consent, as defined by the UK GDPR. In particular, the statement was not specific or informed because:

  • It did not mention that the company would contact them via text message;
  • It bundled an age confirmation statement and consent to receive free samples together with consent for direct marketing; and
  • It did not make clear that individuals would continue to be contacted for a period of up to 24 months after they had cancelled their subscription.

The ICO concluded that it was satisfied that HelloFresh did not have valid consent for over 80 million direct marketing messages it sent to individuals. As a result, HelloFresh has been fined for the breaches of PECR.

This fine demonstrates the importance of ensuring your consent statements are clear and do not bundle different consent wording together. Organisations must be clear and explicit when they want to send direct marketing by email and text messages and individuals should not be surprised by the way in which an organisation is using their personal information.

A copy of the monetary penalty notice is available to view at Grocery Delivery E-Services UK Ltd t/a HelloFresh | ICO

Further information on the PECR rules and direct marketing can be found in the ICO's Direct Marketing Guidance which is available to view at Direct marketing guidance (ico.org.uk)

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
