The food delivery company HelloFresh (trading as Grocery Delivery E-Services UK Limited) has been fined £140,000 ($178,645) by the UK Information Commissioner’s Office (ICO) for sending 79 million spam emails and one million spam texts to customers in seven months.
Following an investigation, the ICO discovered that customers were not fully aware of what they were opting into, marking a “clear breach of trust”.
It was found that HelloFresh continued to contact some individuals even though they had requested all communication be stopped.
“This marked a clear breach of trust. Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn’t want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued,” said Andy Curry, Head of Investigations at the ICO.
8,746 complaints
The ICO started its investigation into HelloFresh in March 2022, after thousands of complaints connected to the company. In total, 8,729 complaints were logged with scam message service 7726, and the ICO received an additional 14 complaints about unauthorized SMS messages and three about marketing emails.
According to the findings, HelloFresh’s marketing messages were sent based on an opt-in statement “which did not make any reference to the sending of marketing via text”. Even though there was a reference to marketing included in an age-confirmation statement via email, the ICO says it was an attempt to “unfairly incentivise” customers to give permission.
Customers were also not properly informed that their data would be used for marketing purposes for up to 24 months after cancelling their subscriptions.
“Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out.”
Andy Curry, Head of Investigations, ICO
In total, between August 23, 2021 and February 23, 2022, the ICO found that 80,893,013 direct marketing messages – 79,779,279 emails and 1,113,734 SMS messages – were composed and contravened regulation 22 of the UK Privacy and Electronic Communications Regulations 2003.
“The investigation that led to this fine began following complaints filed by the public, both to the ICO and to the 7726 service. This shows just how important it is that if you are being contacted with nuisance calls, texts or emails, that you report it straight away,” Curry added.
Privacy and Electronic Communications Regulations 2003
The ICO enforces the Privacy and Electronic Communications Regulations 2003, which cover the rules for organizations wishing to make direct marketing calls, texts or emails.
Since April 2023, the ICO has issued more than £2.44m ($3.11m) in fines against companies responsible for nuisance calls, texts and emails.