PECR fine for invalid marketing consent

January 2024

What lessons can we learn from the HelloFresh case?

HelloFresh used a marketing consent statement with a clear opt-in box for customers to tick, but the ICO has ruled the wording of the statement did not meet the requirements for consent to be specific and informed. The regulator has issued a £140k fine.

Sometimes, the ICO issues fines under PECR based on only a handful of complaints, however in this case thousands of complaints were raised via the ICO spam reporting tool.

The online meal order business was found to have sent over 80 million marketing email and text messages between September 2021 to February 2022 without first collecting valid consent.

When relying on consent for direct marketing under PECR, consent must meet the UK GDPR requirements; a freely given, specific, informed and unambiguous indication for an individual’s wishes, given by a clear affirmative action.

What ‘consent’ statement was used?

The consent statement HelloFresh used at the time was as follows:

“Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old”.

This was relied on to send marketing emails and texts to customers with an active or paused subscription, and to former customers who’d cancelled their subscription within the last 24 months, but had given their ‘consent’ for marketing.

Users were able to update their communications preferences via an app, but the settings did not allow users to set preferences individually by channel e.g. phone, text and/or email.

☛ Consent: Getting it Right

Key ICO findings

Two points were highlighted as being particularly relevant in this case:

  • for consent to be valid it is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.
  • ‘consent will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print.

The ICO found HelloFresh’s statement did not satisfy the requirement for consent to be “specific” and “informed” because:

  • Consent for marketing was not clear, as it was bundled in with other aspects. It combined an age confirmation statement and consent to receive free samples with consent for marketing by email.
  • It failed to tell people about text messages and thereby failed to collect valid consent for marketing by text message.
  • Customers were not told they could receive direct marketing messages for up to 24 months after they’d cancelled their subscription.

Key takeaways (no fresh veg included I’m afraid)

✓ Collect consent separately for different aspects /activities – don’t bundle everything into the same tick box

In my opinion using; I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email would have been okay for email marketing.

The big problem was adding; By ticking this box I confirm I am over 18 years old. This clearly should have been separate, and the ICO found this was likely to ‘unfairly incentivise’ customers to agree.

✓ Collect consent separately for each marketing media channel you want to use for communications e.g. telephone, text and email

In my opinion, HelloFresh may have avoided regulatory scrutiny if the statement had at least mentioned ‘via email and text’. The safest approach (from a regulatory perspective) is to collect consent by channel. Also in our experience, people may want email, but not texts, so separating them can optimise email opt-in.

✓ Don’t assume you can continue sending marketing to people after they have cancelled a subscription with you

The last point is interesting and a little surprising. The ICO is indicating that even if a customer has consented to marketing when they take out a subscription, this may not be valid once the customer ends that subscription – unless people are made aware of this when they give their consent. I doubt this point would ever have been picked up if HelloFresh had clearly collected consent for marketing by text in the first place.

Picking through the detail of ICO fines under PECR is always worth doing. The findings can give a nudge to check you aren’t doing anything similar. The full details can be found in the ICO’s enforcement notice.

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.