SPAM! HelloFresh fined by the ICO

On 12 January, the ICO fined HelloFresh £140,000 for breaching the marketing rules in PECR. The fine was issued in relation to “a campaign of 79 million spam emails and 1 million spam texts over a seven-month period”.

This is is yet another fine in a longer list, which includes the likes of Cover Appliance Ltd, Maxen Power Supply Limited, and Join The Triboo Limited, and it clearly shows the ICO’s continued focus on electronic marketing violations.

For a more detailed analysis of this ICO enforcement trend, check out our article on this topic first published in PL&B. 

 Interestingly, in the HelloFresh decision, the ICO appears to have started its investigation on the basis of complaints received through Mobile UK’s “Spam Reporting Service”, which provides a very easy  way to report the receipt of spam messages (particularly as compared to the ICO’s complaints process). A total of 15,221 complaints concerning HelloFresh were logged this way.

There are a few learnings from the points set out in the ICO’s decision:

• Do not ignore withdrawals of marketing consents. A lot of the complaints that led to the investigation resulted from people’s frustrations with their consent withdrawals not being implemented. Whilst the ICO did not conclude that HelloFresh were in violation in this regard, if their withdrawal process had operated better, this would likely have minimised the number of complaints and the likelihood of ICO involvement.
• Make sure your opt-in consent is “specific” and you do not bundle various consents or confirmations. In this case, the marketing consent was bundled with an age confirmation statement which the ICO held unfairly incentivised customers to agree.
• Consents should be “informed”, which means you should provide sufficient information about the use of customers’ personal data for marketing purposes, particularly if you intend to engage in “reactivation” marketing campaigns where you seek to target former customers. In this instance, the ICO held HelloFresh should have, but failed to, inform the reader that their data would continue to be used for marketing up to 24 months after termination of their subscription with HelloFresh.
• In addition, in order for the consent to be specific and informed, you need to set out how you will be contacting the recipient; the ICO held that HelloFresh should have mentioned expressly that people could be contacted by text as well as email.

Although none of the recent fines, including the HelloFresh one, are particularly high (they rarely exceed £200,000 of the permitted £500,000 limit in PECR), the wider reputational damage can greatly exceed any ICO penalty. Therefore, businesses should ensure their marketing practices are compliant, particularly if they are looking to start a large-scale direct marketing campaign.