The ICO exists to empower you through information.

  • Company sent 79 million spam emails and 1 million spam texts in seven months
  • Customers were not fully aware of what they were opting into, marking a “clear breach of trust”
  • “We will take clear and decisive action where we find the law has not been followed.” - ICO

The Information Commissioner’s Office (ICO) has fined food delivery company HelloFresh £140,000 for a campaign of 79 million spam emails and 1 million spam texts over a seven-month period.

The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text. Whilst there was a reference to marketing via email, this was included in an age confirmation statement which was likely to unfairly incentivise customers to agree.

Customers were also not given sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their subscriptions.

An investigation by the ICO began in March 2022 following complaints made directly to the regulator, as well as to the 7726 spam message reporting service. As part of this investigation, it was also discovered that the company continued to contact some individuals even after they had requested this to stop.

Following the investigation, we found that the company (Grocery Delivery E-Services UK Limited) contravened regulation 22 of the Privacy and Electronic Communications Regulations 2003 and it has now been served with a fine of £140,000.

Andy Curry, Head of Investigations at the Information Commissioner's Office, said:

“This marked a clear breach of trust of the public by HelloFresh. Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn't want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued.

“In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed. We will always protect the right of customers to choose how their data is used.

“The investigation that led to this fine began following complaints filed by the public, both to the ICO and to the 7726 service. This shows just how important it is that if you are being contacted with nuisance calls, texts or emails, that you report it straight away.”

Further details of contraventions

  • Between 23 August 2021 and 23 February 2022 there were 80,893,013 direct marketing messages comprised of 79,779,279 emails and 1,113,734 SMS messages received by subscribers. The Commissioner found that HelloFresh transmitted those messages contrary to Regulation 22 of PECR.
  • The consent statement for these messages did not meet the requirement that it be “specific” and “informed”, as it did not mention SMS, was unclear and bundled with other aspects, and did not highlight that customers would receive messages for 24 months after they cancelled their HelloFresh subscription.
  • This therefore meant that 80,893,013 direct marketing messages were sent by HelloFresh that lacked proper consent.
  • 8,729 complaints were logged with the 7726 service in relation to messages from HelloFresh. Additionally, the ICO received 14 complaints about unauthorised SMS messages from HelloFresh and three complaints about marketing emails.

ICO’s work to tackle nuisance communications

The ICO enforces the Privacy and Electronic Communications Regulations 2003 (PECR), which cover the rules for organisations wishing to make direct marketing calls, texts or emails.

We have issued more than £2,440,000 million in fines against companies responsible for nuisance calls, texts and emails since April 2023. Some of these investigations began with a single complaint from a member of the public.

For more information about the ICO’s work to tackle nuisance calls, emails and texts visit ico.org.uk/nuisancecalls.

Advice for the public

To help you, your friends and relatives stop unlawful marketing calls, texts or emails you can:

  • Register landlines and mobile numbers with the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS) free of charge. The TPS and CTPS is a register used by legitimate marketing companies to identify people and businesses that have said they don’t want to receive marketing calls. Alternatively, you can tell the company directly that you do not wish to be contacted.
  • Mobile phone users can report the receipt of unsolicited marketing text messages to the Mobile UK's Spam Reporting Service by forwarding the message to 7726.
  • Refer concerns that you or someone you know has been the victim of fraud to Action Fraud (in England, Northern Ireland and Wales) and Police Scotland (in Scotland); wider concerns about a business’ practices can be referred to Trading Standards; any abandoned calls that you receive to Ofcom.
  • Complaints about nuisance calls, texts or emails can be made to the ICO via our website.
Notes for editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations. 
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.