
£140k fine for ‘stale’ spam

The Information Commissioner’s Office (ICO) has fined the food delivery company HelloFresh £140,000 for sending 79 million spam emails and 1 million texts over a seven-month period. 


The investigation began in March 2022 when complaints were made to the ICO and the spam message reporting service. HelloFresh continued to contact some individuals after they had asked for the spam emails and texts to stop.


The ICO found that the company breached the Privacy and Electronic Communications Regulations 2003 (PECR), which govern the transmission of unsolicited communications by email to subscribers.

The consent statement used by HelloFresh did not satisfy the requirement for the consent to be ‘specific’ and ‘informed’ under the UK’s General Data Protection Regulation (UK GDPR). For consent to be valid, it “must be freely given, specific, informed, and unambiguous, as well as that it must be made by way of a statement or ‘clear affirmative action’”.

HelloFresh’s marketing messages were based on an opt-in statement that did not make any reference to sending any marketing via text. Although there was a reference to marketing via email, this was bundled within an age confirmation statement, which the ICO considered likely to incentivise customers to agree unfairly. 

Customers also needed to be given more information about the fact that their data would continue to be used for marketing purposes for up to 24 months after they cancelled their subscriptions. As a result, all the marketing messages sent by HelloFresh lacked valid consent.

The ICO noted that it did not consider HelloFresh to have deliberately set out to contravene the PECR, and that the infringement was negligent. HelloFresh did not exercise due care to avoid unsolicited marketing, and it misunderstood the relationship between the PECR and UK GDPR.


This decision highlights that, for consent to be valid, an individual needs to understand precisely what they are consenting to. The language businesses use to gain valid consent should be clear and not hidden in a privacy policy or small print. 

The ICO has published detailed guidance for those carrying out direct marketing, explaining their legal obligations in line with the PECR and guidance on consent under the UK GDPR. A spokesperson said:

“In issuing this fine, we are showing that we will take clear and decisive action where we find the law has not been followed. We will always protect the right of customers to choose how their data is used.”

For more information about this article or any other aspect of who we are and what we do, contact your Napthens Solicitors in Preston, Liverpool, Blackburn and across the North West today.


