Recipe kit delivery service HelloFresh has been fined £140,000 by the Information Commissioner's Office (ICO) for pestering customers with tens of millions of spam messages.
According to the data protection regulator, the company sent 79 million spam emails and a million texts in just seven months. The messages were sent on the basis of an opt-in statement which the ICO said didn't make any reference to the sending of marketing via text.
Although there was a reference to marketing via email, this came as part of an age confirmation statement which the regulator said was likely to incentivize customers to agree.
The message read: "Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old".
Customers also weren't properly warned that their data would continue to be used for marketing purposes for up to 24 months after they had cancelled their subscriptions.
"This marked a clear breach of trust of the public by HelloFresh," said Andy Curry, head of investigations at the ICO.
"Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn't want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued."
HelloFresh complaints began in 2022
The ICO investigation began in March 2022 following complaints made to both the ICO and to the 7726 spam message reporting service. In some cases, the company carried on contacting people even after they had asked for this to stop.
"I had previously bought from this company and ensured that I did not consent to marketing material. I was not happy with their service so cancelled my subscription," one complainant said.
“Recently (last 1-2 months) I have started regularly receiving unsolicited advertising emails from the company, and now they are sending unsolicited text messages."
The emails and texts were sent in contravention of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR), the investigation found.
RELATED RESOURCE
Discover how combining the content supply chain, CX orchestration, and intelligent commerce creates the ideal customer experience
DOWNLOAD NOW
The opt-out consent statement wasn't, as it should have been, 'specific' and 'informed', as it didn't mention SMS, was unclear and bundled with other aspects, and didn't highlight the fact that customers would carry on receiving messages after they cancelled their HelloFresh subscription.
"In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed," Curry said. "We will always protect the right of customers to choose how their data is used."
The ICO said it's issued more than £2.44 million in fines against companies responsible for nuisance calls, texts and emails since April 2023, with another £2.8 million in 2021/22.
In December, it took action against Daniel George Bentley and his firm Taipan Trading for sending 2.5 million unsolicited direct marketing text messages, issuing an enforcement notice.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO fines topped $14 million in 2023 amid crackdown by regulator on data protection standardsNews ICO fines across 2023 exceeded £14 million, with TikTok among the worst-hit for data protection violations
