News and Events

Hello Fresh and Regulation 22

  • Posted
Hello Fresh and Regulation 22

We’ve all been there.

Our phone chimes from the other side of the room, and our heart skips a beat as we wonder who is messaging us - friends? Beloved family members? Perhaps even the neighbour apologising for blocking your driveway last night?

Alas, no. It’s a spam text. The ever present cold-caller of the digital age. Another organisation seeking your hard-earned cash, or worse, a subscription for something you once signed up to, but now no longer want. Well, in recent news, the Information Commissioner’s Office which regulates data and privacy (ICO) is having something of a crackdown on things like unwanted texts and emails, starting with the Goliath that is HelloFresh.


For those unaware, HelloFresh is a meal delivery service that customers sign up to on a subscription basis. In typical fashion, personal details are given in the sign-up process, including phone numbers, and customers are asked to ‘opt-in’ to HelloFresh’s marketing strategies. However, in this case, the “opt-in” statement did not include customers receiving marketing messages by text.

Between 27 September 2021 and 23 February 2022, 15,221 complaints were made by the public to the UK’s Spam Reporting Service (a service which, as the name would suggest, allows you to report received spam text messages) regarding texts received from HelloFresh. The ICO caught wind of this and set about investigating the company in March 2022.

HelloFresh was asked to provide information confirming its distribution process, customer communication preferences in the user app, analysis of complaints, and its consent process. Importantly, information was not forthcoming on whether customers had been made aware of how long they might continue to receive marketing communications after they had cancelled their subscriptions.

The regulations around privacy and consent to marketing communications

The ICO concluded that HelloFresh had committed a serious breach of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR). Regulation 22 of PECR prohibits the sending of unsolicited direct marketing communications that have not been consented to. In the case of HelloFresh, a staggering 79 million spam emails and 1 million spam texts had been sent – in stark violation of this Regulation!

Consent must be “freely given, specific, informed and indicated so through an affirmative action”, such as a check-box. HelloFresh could not prove this had been complied with. In fact, the issues identified by the ICO included:

  • A lack of specificity and informativeness, as no mention of use of texts as a channel of marketing was made;
  • The combination of consent to marketing with an age confirmation; and
  • Inadequately informing customers about the potential duration that they could expect to receive marketing communications after the cancellation of their subscription.

The ICO also concluded that there had been a breach of section 55A(1) of the Data Protection Act 1998 (since replaced by GDPR), allowing the imposition of a monetary penalty and so served HelloFresh with a hefty £140,000 fine.

The ICO noted that HelloFresh had cooperated with the investigation and did not intentionally mean to flout PECR, and has since taken subsequent steps to improve its electronic marketing strategies. A little too late perhaps?

So what?

Well, the ICO’s decision re-emphasises the importance for businesses to make sure they collect consent validly from their customers before engaging in any direct marketing activities - especially those business who engage in high-volume campaign strategies – not only for the sake of a business’ finances, as it is now clear serious breaches can attract serious fines, but also for their reputations, as the ICO had no problem publicly naming and shaming HelloFresh.

What practical tips can we take away from this, and how can we help?

Importantly, businesses should review their consent and direct marketing distribution processes and systems to ensure they comply with PECR. Customer consents must be specific, informed and not bundled together with other requirements that might influence whether consent has been freely given.

Crucially, the ICO pointed out that its unreasonable for business to continue contacting former customers for long periods of time, and that they must give their customers a reasonable timeframe for continuing to send them marketing communications.

A review of your business’ privacy statements, data policies and the information you hold on your customers might be worthwhile too, as the data protection regime is increasingly being enforced vigorously.

If you would like to discuss this in further detail, including what this could mean for your business, please give Sally, Nick or Lucy a call and see how we can help you today.