HelloFresh, the food box delivery company, was recently fined £140,000 by the Information Commissioner’s Office (ICO) for sending out 79 million emails and one million texts over seven months.
Following complaints from the public, a 2022 investigation by the ICO found that customers:
- weren’t told clearly that their data would be used for marketing for up to 24 months after cancelling their subscriptions;
- weren’t told exactly what they were opting in to (they were hit with a barrage of marketing texts they didn’t want or expect); and
- weren’t told clearly how to opt out.
In some cases, even when customers told HelloFresh to stop, the deluge of marketing texts continued.
The ICO said that HelloFresh had not only breached its customers’ trust but had also breached the Privacy and Electronic Communications Regulations 2003.
A tough market is no excuse
The recipe box market is highly competitive, so it is perhaps understandable that HelloFresh felt it had to market itself very actively. However, this case is a useful reminder that you still need to comply with the data protection safeguards which are in place to protect consumers. If you don’t, the financial penalties can be high, as can the damage to your reputation – in this case there is such a thing as bad publicity.
What does proper consent look like?
B2C businesses must seek proper consent from those to whom they want to send marketing messages, and the request for consent must be ‘specific’ and ‘informed’. This means it should set out clearly how messages will be sent (e.g. texts and/or emails) and how long the marketing will go on for. It requires affirmative action, e.g. ticking a box (not a pre-ticked box or an opt-out). It cannot be bundled with other consents or be made a pre-condition of providing products or services. There also needs to be an effective process for actioning opt-out requests in a timely manner.
The ICO now has significant powers to investigate and issue fines for non-compliance and, it seems, will not hesitate to use them.
How can we help?
We can help you navigate data protection compliance, ensuring marketing campaigns don’t fall foul of the law. This includes:
Data Flow Mapping Made Simple
Wondering if your personal data management is as up to date as it should be? We’re here to help you develop a Record of Processing Activities (ROPA) that serves as the backbone of your data protection strategy. This isn’t just about ticking boxes for compliance; it’s about enhancing operational efficiency and reducing risk. And the best part? It’s an affordable way to protect your business and gain peace of mind.
Refreshing Your Data Protection Policies
If your data protection policies feel outdated or vague, we can bring them up to date. Regularly reviewing your policies isn’t just a legal requirement; it’s an opportunity to build trust with your customers and streamline your internal processes. Investing in clear, updated policies is cost-effective and can significantly reduce the risk of data breaches and non-compliance penalties.
Closing the Compliance Gap
Identifying gaps in your data protection efforts can be daunting. We can help you turn this challenge into an achievable task. By partnering with us, we’ll work together with you and agree a budget to help you bridge any compliance gaps efficiently and affordably. Our focus is not just on meeting the minimum legal requirements but on fortifying your business against future threats and uncertainties in the evolving data protection landscape.
To talk to us about how we can help with any of the above, get in touch at info@legaledge.co.uk. Also see our latest blog on dealing with DSARs here.