HelloFresh Fined by ICO for Spam Emails

Bethany Paliga
Bethany Paliga

Published: January 22nd, 2024

7 min read

The Information Commissioner's Office (ICO) have announced this month that it has fined HelloFresh £140,000 for breaches of privacy regulations by sending direct marketing emails and texts without valid consent.

HelloFresh, an online meal delivery service, received a number of complaints to the ICO from subscribers regarding unsolicited emails and texts being sent to individuals after they had unsubscribed from receiving e-marketing.

In order to send direct marketing messages to customers via email and/or text messages, organisations must comply with the Privacy and Electronic Communications Regulations 2003 (PECR). PECR means that:

  • Organisations are prevented from sending direct marketing messages electronically to individuals without their consent.
  • 'Consent' is defined by the UK GDPR and must be specific, informed, unambiguous and provided by "clear affirmative action" (i.e. opt in consent rather than opt-out).
  • Organisations can rely on the 'soft opt-in' to market similar products and services to existing customers/subscribers provided they have been given the opportunity to opt-out of marketing communications at the time their details have been collected.

As part of the investigation, HelloFresh provided the ICO with the wording of its consent statement which said:

"Yes, I'd like to receive sample gifts (including alcohol) and other offers, competitions, and news via email. By ticking this box, I confirm I am over 18 years old."

The ICO decided that this consent wording does not amount to valid consent, as defined by the UK GDPR. In particular, the statement was not specific or informed because:

  • It did not mention that the company would contact them via text message;
  • It bundled an age confirmation statement and consent to receive free samples together with consent for direct marketing; and
  • It did not make clear that individuals would continue to be contacted for a period of up to 24 months after they had cancelled their subscription.

The ICO concluded that it was satisfied that HelloFresh did not have valid consent for over 80 million direct marketing messages it sent to individuals. As a result, HelloFresh have been fined for the breaches of PECR.

This fine demonstrates the importance of ensuring your consent statements are clear and do not bundle different consent wording together. Organisations must be clear and explicit when they want to send direct marketing by email and text messages and individuals should not be surprised by the way in which an organisation is using their personal information.

A copy of the monetary penalty notice is available to view at Grocery Delivery E-Services UK Ltd t/a HelloFresh | ICO

Further information on the PECR rules and direct marketing can be found in the ICO's Direct Marketing Guidance which is available to view at Direct marketing guidance (ico.org.uk)


For further information please contact Bethany Paliga

How can we help?

Complete the form opposite, let us know a few details, and one of our team will get back to you shortly. Or you can call us or request a callback.

0800 689 3206 - Monday - Friday: 09:00 - 17:00

Request a call back

By submitting your enquiry you agree that Forbes can contact you.

© 2024 Forbes Solicitors is the trading name of Forbes Solicitors LLP Offices in Preston, Manchester, Salford, Blackburn, Blackpool, London and Leeds UK Main Office: Rutherford House, 4 Wellington Street (St Johns), Blackburn, Lancashire, BB1 8DD • Vat No: 174 394 344 Forbes Solicitors is authorised and regulated by the Solicitors Regulation Authority (SRA No. 816356). Details of the SRA’s Standards and Regulations can be found here. Authorised and regulated by the Financial Conduct Authority.

This website has implemented reCAPTCHA v3 and your use of reCAPTCHA v3 is subject to the Google Privacy Policy and Terms of Use.