Food box delivery service HelloFresh has been fined £140,000 by the Information Commissioner’s Office (ICO) following an investigation that discovered 79 million emails and just over 1 million SMS messages sent by the company failed to meet regulatory requirements and violated the Privacy and Electronic Communication Regulations 2003.
According to the monetary penalty notice filed by the ICO, HelloFresh failed to provide customers with sufficient information regarding the length of time their data would be used for marketing purposes, specific channels to be used, and misleading information including a tick box with the consent statement attached:
“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old”.
The ICO determined that HelloFresh’s direct marketing consent statement failed to meet the requirement that it be “specific” and “informed”, did not mention SMS messaging, was unclear and tied to other aspects of the subscription services, and that customer’s data would continue to be used for marketing purposes for two years after they’d cancelled their subscription.
Andy Curry, Head of Investigations at the Information Commissioner’s Office, commented:
“This marked a clear breach of trust of the public by HelloFresh. Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt-out. From there, they were hit with a barrage of marketing texts they didn’t want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued.
“In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed. We will always protect the right of customers to choose how their data is used.”
HelloFresh has the right to appeal the Commission’s penalty, with payment in full falling due on 13 February 2024.
Lead image: Photo by Or Hakim