We've seen the likes of Google and Facebook hit with stupendous fines several times over the years for breaking various tech and data rules. For example, the EU recently fined Google €2.42 billion for abusing its dominance of search engines, and last year Facebook's owner Meta was fined £1 billion for breaching rules when they transferred user data from the EU to the US - the most recent of many. We don't see that many fines for GDPR breaches by smaller companies, which seems to have resulted in many pretty much ignoring the rules - how many unsolicited emails are in your inbox right now?
This might change, however, with this week's fine of Hello Fresh by the ICO, the Information Commissioner's Office, which is the UK's regulator. Hello Fresh is an online business which provides meal kits and recipes which you can then prepare at home, and they're pretty good. Given that they are an ecommerce business, their marketing is inevitably focused on digital channels and they make heavy use of email marketing to promote the service, to gain subscribers and to get lapsed subscribers to come back. Which is all fine, but there is a difference between marketing and pestering the life out of people. According to the ICO they sent 79 million 'spam' emails and a million texts in just seven months, leading to the fine of £140,000 for breaking the rules.
The messages were sent on the basis of an inadequate opt-in statement which the ICO said didn't mention that the company would also send texts. The regulator also said the confirmation statement was likely to get customers to agree to accepting: "Yes, I’d like to receive sample gifts (including alcohol) and other offers, competitions and news via email. By ticking this box I confirm I am over 18 years old".
Additionally, customers weren't properly warned that their data would continue to be used for marketing purposes for up to two years after they'd cancelled their subscriptions, which the ICO deemed a breach of trust:
"Customers weren’t told exactly what they’d be opting into, nor was it clear how to opt out. From there, they were hit with a barrage of marketing texts they didn't want or expect, and in some cases, even when they told HelloFresh to stop, the deluge continued." Andy Curry, Head of Investigations, ICO.
Following complaints from the public, made to both the ICO and the spam message reporting service, the ICO investigated and found that in some cases the company carried on contacting people even after they had asked for this to stop, breaching Regulation 22 of the Privacy and Electronic Communications Regulations (PECR). They also determined that the opt-out statement wasn't as specific and informed as it should have been. It didn't mention texts, the wording was unclear, and it didn't highlight the fact that customers would carry on receiving messages even after they cancelled their subscription.
GDPR isn't always taken that seriously, probably because many businesses think that the ICO is only going to investigate larger businesses making significant breaches, such as the Googles and Facebooks of this world, or the banks who manage to let their customer data get compromised. The marketing activities employed by Hello Fresh are widely used - sending mass emails is common practice - but the mistakes they've made are also widespread. Failing to update databases to remove people who have opted out, and using acceptance policies that aren't clear, happens all the time. If recipients report this kind of bad practice to the ICO, and plenty of people do, there's a chance that they'll investigate. Hello Fresh aren't exactly a small company, but they're no global behemoth either, and yet they've been hit with a £140,000 fine, which is just part of the £2.44 million in fines the ICO has issued since April last year.