Direct marketing compliance: lessons learned from ICO enforcement against HelloFresh

Tuesday 16th January 2024

On 12 January 2024, the Information Commissioner’s Office (ICO) fined recipe box company HelloFresh £140,000 for sending 80 million marketing messages without appropriate consents over a seven-month period.

Between August 2021 and February 2022, HelloFresh sent over 79 million marketing emails and almost two million SMS messages to recipients on its marketing list. As a result of this campaign, over 15,000 complaints were logged with “7726” (a service to which mobile users can report the receipt of unsolicited marketing text messages), and 17 complaints were logged with the ICO.

HelloFresh provided evidence which it claimed demonstrated that it had only sent messages to recipients who had opted into marketing. So, where did they go wrong?


Under the Privacy and Electronic Communications Regulations 2003 (PECR), marketing messages can only be sent if an individual has consented to receiving marketing messages, or if the soft opt-in exemption applies (which allows organisations to market without an express opt-in where specific conditions are met).

Consent is only valid if it is freely given, specific, informed and unambiguous. If these requirements are not met, any such consent collected and relied upon is invalidated and the marketing in question is consequently unlawful. Where an organisation wishes to market in different ways, for example by text and by email, it will need to gather separate consents.

HelloFresh relied on the following tick box consent statement to send marketing messages:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I can confirm I am over 18 years old.”

The ICO found that this consent mechanism did not satisfy the requirement for consent to be specific and informed and was therefore invalidated because:

  • there was no mention in the consent statement that SMS messages would be sent;
  • it bundled consents together as it combined an age confirmation statement and consent to receive samples with consent for direct marketing via email; and
  • sufficient information was not provided to the recipient that they could receive marketing messages for up to 24 months after they had cancelled their subscription.

A recipe for compliant marketing campaigns

The ICO continues to take enforcement action against organisations for breaches of PECR, and this remains one of the most common areas in which we are seeing monetary penalties issued.

The enforcement against HelloFresh highlights that simply relying on an individual ticking a box stating they consent to marketing is not enough to comply with PECR. Organisations should take the opportunity to review their consent mechanisms to ensure that the consent they are requesting is freely given, specific, informed, and unambiguous and consider whether additional and more specific opt-ins are required where marketing is undertaken by different channels.
