The ICO Fines HelloFresh £140,000 For Direct Marketing Communications

In March 2022, the Information Commissioner’s Office (ICO) began an investigation into HelloFresh’s use of unsolicited marketing messages.

The ICO sent an initial investigation letter to HelloFresh requesting information about their marketing activities and details of how they obtained consent from individuals to send direct marketing communications.

In their response, HelloFresh explained that it sends SMS direct marketing to two groups of data subjects:

  1. Customers who have an active or a paused subscription; and
  2. Customers who have cancelled their subscription within the last 24 months but have consented to receive marketing messages.

HelloFresh confirmed that between 23 August 2021 and 23 February 2022, it sent 1,939,487 messages to the two groups of customers mentioned above. It also sent 79,940,241 marketing emails over the same period. HelloFresh confirmed that it obtained customers’ consent to direct marketing by including a tick box next to the following statement:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old.”

HelloFresh also supplied a screenshot showing that users could update their communication preferences in the app, although there was no option to set preferences in relation to direct marketing. There was also no information within the app to inform a customer about the length of time they could expect to receive direct marketing communications from HelloFresh after cancelling their subscription.

Direct marketing is contrary to Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Regulation 22 confirms that unsolicited communications can only be sent in the following limited circumstances:

1. Where the contact details for the recipient are obtained during the course of the sale or negotiations for the sale of a product or service to the recipient;

2. Where the direct marketing is in relation to similar products and services; and

3. Where the recipient has been given a simple means of refusing the use of his details for direct marketing purposes.

ICO’s findings

The ICO found that HelloFresh had contravened Regulation 22 of the PECR. It confirmed that HelloFresh, as the sender of the direct marketing, is required to ensure that it is complying with the regulation and that the consent it has is valid.

The ICO confirmed that for consent to be valid, it is required to be “specific” as to the type of marketing communication to be received. It also confirmed that consent needs to be “informed”: individuals cannot consent to something if they do not understand what they are consenting to.

In HelloFresh’s case, the consent statement that it relied on (see above) was neither specific nor informed. The statement did not mention that SMS would be used for direct marketing purposes. The statement was also not clear, as it tried to combine an age confirmation statement, consent to receive free samples and direct marketing via email.

HelloFresh had also failed to give sufficient information in relation to how long customers could expect to receive direct marketing messages after they had cancelled their subscription.

Based on the above, the ICO concluded that HelloFresh did not have the necessary valid consent for the direct messages received by subscribers. The ICO went one step further and found that the contravention had been one of a serious nature and therefore they had the power under Section 55A of the Data Protection Act 2018 to issue a monetary penalty.

The ICO ordered HelloFresh to pay £140,000 by 13 February 2024.

Comment

This Enforcement Notice shows the importance of ensuring that you have valid consent before sending direct marketing communications. The ICO has helpfully clarified that for consent to be valid, it needs to be specific and informed.

How can we help?

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
