HelloFresh Fined £140,000 by ICO for Breaching Privacy Regulations: A Lesson for Marketers


On January 12th 2024, the Information Commissioner’s Office (ICO) slapped a hefty £140,000 fine on popular food delivery company HelloFresh for violating the Privacy and Electronic Communications Regulations 2003 (PECR). The breach involved the company sending marketing messages, including emails and texts, without meeting the necessary consent requirements. This blog post explores the details of the fine and sheds light on the importance of adhering to privacy regulations in marketing practices.

The Investigation
The ICO’s investigation into HelloFresh was initiated following a review of data from the UK’s Spam Reporting Service, 7726. Users reported receiving unsolicited marketing messages, prompting the ICO to examine HelloFresh’s practices. Complaints described messages sent without clear consent, messages arriving at hours that disturbed recipients’ sleep, and continued contact after recipients had already tried to opt out.

HelloFresh’s Marketing Missteps
HelloFresh’s marketing strategy relied on a consent statement bundled with an age confirmation, allowing users to receive sample gifts and offers via email. The ICO found that this statement was neither specific enough nor sufficiently informed to amount to valid consent. The consent statement failed to mention that SMS would be used for direct marketing, and bundling it with the age confirmation created confusion for users about what they were agreeing to. Additionally, customers were not adequately informed that their data could continue to be used for marketing purposes for up to 24 months after cancelling their subscription.

ICO’s Conclusions
The ICO concluded that HelloFresh demonstrated a lack of understanding of the relationship between PECR and the UK GDPR. The company failed to exercise due care to avoid sending unsolicited marketing and should have foreseen the risk of such contraventions. The fine reflects the ICO’s commitment to enforcing privacy regulations and holding organisations accountable for their marketing practices.

Key Takeaways for Organisations

  1. Review Consent Statements: Ensure that consent statements for direct marketing meet the requirements of the UK GDPR and align with ICO guidance.
  2. Channel-specific Preferences: Provide mechanisms allowing users to easily select the channels through which they consent to receiving direct marketing.
  3. Transparent Privacy Notices: Clearly explain in privacy notices how long individuals may continue to receive direct marketing after cancelling their subscriptions. Include transparent information about personal data usage for direct marketing and instructions on how individuals can exercise their rights.
  4. Document Internal Policies: Develop and document internal policies, procedures, and training programmes to demonstrate organisational understanding of PECR requirements and their alignment with the UK GDPR.

Final Thoughts
HelloFresh’s £140,000 fine serves as a stark reminder for organisations to prioritise compliance with privacy regulations in their marketing efforts. As the landscape evolves, marketers must stay informed and adapt their practices to protect consumer privacy. PECR’s definition of an individual subscriber covers sole traders as well as consumers, so business-to-business marketing is not automatically out of scope, making it crucial for all organisations to take heed and implement the necessary changes before facing legal consequences. If you have concerns about your organisation’s marketing practices contact info@normcyber.com and benefit from a complimentary 30-minute consultation.

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.