There seems to be a lot of anti-ICO rhetoric in the comments, which I don't think is entirely fair. Reading the enforcement notice, it seems that the ICO were satisfied that the breach was negligent rather than intentional. HelloFresh have fully complied with the investigation and taken steps to remedy the breach.
Bearing in mind that the ICO's remit is to ensure compliance rather than dole out punishment, this seems broadly reasonable. I'm quite confident that HelloFresh understand that a) they're being watched and b) the ICO won't be nearly so lenient if HelloFresh come to their attention again. I know that people get very angry about spam, but a huge fine that would "guarantee deterrence" would rightly be challenged in court as disproportionate.
Maybe if this was an isolated incident then you’d be right, but the ICO has a history of being useless.
Keep in mind that merely building a complaint is a very high bar (which gives plenty of opportunity for the company to rectify the situation), so when a complaint does make it through I’d expect it to lead to appropriate punishment since the company already got a chance to address your concern if they wanted to.
I’ve personally submitted multiple complaints (spending large amounts of time and admin effort and in the process letting the companies involved rectify the situation) and I have yet to get any deterrent outcome from the ICO.
"Useless" seems unfair and inaccurate. In this case it appears they have successfully addressed a problem for example.
Like most UK government services the ICO are currently operating with a fraction of the resources they need to meet the responsibilities they've been given. While I respect your personal effort to get bad actors to change and I share your disappointment that the officials who should be helping have not been effective in your cases, maybe you are aiming your criticism at the wrong target?
> the ICO are currently operating with a fraction of the resources
But the amount of resources shouldn't dictate the penalty amount once resources have already been expended on the investigation?
My problem with the ICO as it stands is that the bar for a complaint is very high, giving the company many chances to selectively rectify the situation but only for the complainant - imagine if the penalty for theft was just to give back the stolen property and only if you got caught.
The very high bar with regards to complaints should mean that for a complaint to be considered valid the company must've ignored the multiple attempts they get to rectify the situation, so the fine should be substantial.
As it stands, not only does the complaints process effectively set the example that it's OK to breach the GDPR as long as you can selectively apply it to the very small minority that complains, but even when a complaint does make it through it turns out the consequences are not a problem.
> But the amount of resources shouldn't dictate the penalty amount once resources have already been expended on the investigation?
I don't know enough about the process to answer that. Maybe it's true but if penalties can be challenged and a higher penalty will in practice cost more to defend then maybe not.
FWIW I agree there is a morality problem in keeping rules that are not then effectively enforced. But I'd rather have a quantitative problem that the principle is being recognised and a penalty applied even though the penalty isn't yet big enough to represent a true deterrent than the qualitative problem that there is no mechanism to penalise bad behaviour at all. One of these is much easier to push towards a good solution over time than the other. And I'd also rather converge on a good solution from this direction than go in very heavy-handed as some were suggesting elsewhere in this discussion and potentially cause catastrophic side effects very quickly.
Again I don't think that's entirely fair. There are plenty of competent and well-intentioned people working within "government" in the broad sense in this country. The public sector here is huge and does a lot of useful things, many of which we take for granted but would certainly miss if they went away. We just notice the big screw-ups because when you're running a national government for tens of millions of people those headline failures are going to have an impact on a lot of people.
When it comes to government I am certainly a sceptic of modern politics but with the rank and file staff in the civil service, QUANGOs, and other government-run services I prefer to assume good faith. Clearly a lot of those people got dealt a bad hand with the recent administrations in particular but no matter which colour of politics is currently running the show there will always be some element of that and yet those useful things still get done.
Agree, not sure it’s helpful for a regulator to bankrupt a business for sending too many emails. Spam email is pretty par for the course nowadays. This seems like a proportionate response to alert them to get a handle on it.
> Spam email is pretty par for the course nowadays.
And it's against the law.
They sent 80 million spams in a year; that's more than the number of humans (including infants) in their target market.
Laws should either be enforced or repealed; laws that aren't enforced are a menace. It's true that the ICO's primary mission is behaviour-change, not punishment; but before issuing a fine, the ICO will write several times, explaining the problem and suggesting remedies. To get fined at all, HelloFresh must have ignored these letters.
The UK government never wanted to introduce anti-spam legislation; it was forced on them by the EU, and our implementation was kitted out with loopholes.
> They sent 80 million spams in a year; that's more than the number of humans (including infants) in their target market.
These messages weren't completely unsolicited. The people who had received them had opted-in to receive marketing messages, but the opt-in wasn't clear about exactly what type of messages would be sent and so the consent was deemed invalid. 80 million messages is a lot, but it's a perfectly reasonable total for a large company with millions of customers.
> but before issuing a fine, the ICO will write several times, explaining the problem and suggesting remedies. To get fined at all, HelloFresh must have ignored these letters.
This is simply untrue. The ICO has fined numerous organisations for a one-off breach - in one case, for using CC instead of BCC when sending a single email to 105 people. The ICO stated in their penalty notice that HelloFresh had fully cooperated with the investigation; failure to cooperate is an aggravating factor, but it is absolutely not a prerequisite for a fine.
I'm not saying that bankrupting businesses is the best strategy, but it can be helpful. If you put fear into these companies that they can get wiped out at a moment's notice they will smarten up really quick. If you show them that they will get a fairly cheap slap-on-the-wrist warning first they will ignore the rules until they get the first warning, then toe the line.
So if you want the whole industry to follow the rules without investigating and fining each one-by-one you better make sure that your first action against them makes them regret their choices.
HelloFresh made an honest mistake. It's the sort of mistake that anyone could have made. They had poor understanding of some fairly complex legislation and wrote an insufficiently clear opt-in statement. This led to some people who had consented to receive promotional e-mails instead receiving text messages, or emails of a type that they didn't expect based on the opt-in.
The regulator is fully satisfied that HelloFresh made an honest mistake, they're satisfied that they've taken adequate steps to fix the underlying problem, but the fine essentially says "you made a fairly minor mistake, but you're a big company and we expect better".
What you're proposing is an arbitrary and disproportionate punishment pour encourager les autres. It's the corporate equivalent of sending people to the gulags for littering. It doesn't work, it's hugely costly and it is (rightly) illegal in any country governed by the rule of law. You can't make people infallible through fear.
> HelloFresh made an honest mistake. It's the sort of mistake that anyone could have made.
They did not, as explained by countless posters below you. What they did was skimped regulation.
> You can't make people infallible through fear.
Corporations are not people. Their only incentive mechanism is that of profit extraction. If you make the cost of noncompliance infinitely high, there's infinitely high incentive not to be incompliant. Humanizing a form of establishing an economic enterprise with littering examples as if that's valid is one funny joke you did there.
They made no honest mistake at all. I used them two years ago, did the unsubscribe thing three times since and still get spam from them. They know exactly what they are doing, same as beer53.
There are far worse entities than HelloFresh that are still alive as of today and given that the ICO is trying hard to get parties to comply it is kind of logical that they take an individual approach to each case. That said I think 140K is too low.
You are kind of stating the problem with individual approaches.
> There are far worse entities than HelloFresh that are still alive as of today
If these entities saw HelloFresh bankrupted with no prior warning and no option for recourse some number of them will clean up their act. When they see the first fine being tiny they will just double down because they know that they will get a warning before any serious action. And other entities that were following the rules will reconsider and start breaking them because they realize that the cost is tiny so they may as well get the benefit.
Basically there is some value to making an example of HelloFresh and showing that you will not get a warning, breaking the rules will not be tolerated. The first offense will be punished more than they have profited off of the crime.
I am playing a bit of a devil's advocate here. I think the correct position is likely somewhere in the middle. But it is clearly flawed if for each individual business their first fine is less than their profits for doing the crime. Because that incentivizes every business to break the rules until they get their first "warning".
I'm all for exponentially increasing fines with the first one a base 10% of turnover wiping out roughly half of last year's profits for most entities. The second violation would wipe out all of their profits for a year, the third would undo two years of life and so on. Before you get to 5 you either get the message or you're done.
If regulators followed your advice and started putting companies out of business with that sledgehammer/nut approach to enforcement then the UK economy would crash faster than you can watch a lettuce go bad. (Again.)
Weird take since the ICO has been about the only major privacy watchdog outside the EU to fine these companies. The EU is literally the last bastion of consumer protection rights.
I think parent is saying the exceptionally low fine sets a bad precedent for this being a slap on the wrist offense - that it would be better if no action were taken to at least give an aura of potential accountability for other bad actors.
Did you reply to the right comment? Who mentioned the EU? What do consumer protection rights have to do with the article or my comment? Consumer protection rights are about goods and services, not data privacy.
I don’t think so, not for me at least… because any time I hear their name I’m going to remember what the ICO says, especially when we ourselves take time to ensure our own checkout is fair. £140,000 is a slap on the wrist so I am sure they will learn a valuable lesson to respect customers a bit more.
ICO's pricing of spam doesn't seem very well thought out.
For one, there's a lack of enforcement on this tax. Many customers get away with sending spam while evading payment. ICO is in the business of selling forgiveness, so they need to catch people.
Then the pricing structure is strange. In a given time period, spam can be taxed up to a maximum of 500k, but there is no limit on the amount of spam you are allowed to send.
This benefits larger players, as long as your spam operation scales profitably beyond the fixed cap of the tax's pricing structure.
Funny, I subscribed to HelloFresh for a few months and I get TXTs from them a few times a month now. I try to unsubscribe and report/ban the number every time but they just send a message from another number the next time. Really frustrating.
The ICO has always been a bit of a wet blanket. Never really uses its powers effectively. From pathetic fines to putting out press releases about raids before they happen. £140k is just the cost of doing business with 79 million spam emails and 1 million spam texts.
I receive a lot of physical mail from HelloFresh and there's no clear way to opt-out. I've never (willingly or knowingly) signed up to their service or any marketing bits.
I've been getting tons of physical mail I didn't ask for for years. We need a spam filter for the USPS. I only check my mailbox when I know something I want is coming, or if I need some grocery ads for kindling, because it's all garbage. It drives me insane how wasteful it is, chopping down trees just to make mailers that no one wants.
I literally gave up on having a mailbox because of physical mail spam. I realized that they don't deliver mass mail to business addresses, and so I took down my mailbox and now just have all my mail sent to my work address. I've been doing it for ten years now, and it works, but it does lead to weirdness occasionally.
Most often I encounter people who actually get angry at me for not having a mailbox, call me selfish, call me the Unabomber, tell me it is illegal. I still cannot figure out why people get emotionally charged about it.
A short while after I did it, the USPS reported to HUD that my address was vacant, and HUD reported that to the bank that holds my mortgage. This of course freaked them out until I explained to them what was going on.
I was also unable to take advantage of the free Covid test kits that the Federal government said were available to "every family in America". Turns out it was really every family in America with a residential mailbox. Ok, that was my choice, but there *are* still rural communities that rely on general delivery at the post office rather than individual mailboxes.
I do occasionally hit companies whose web app will tell me my address isn't good because it is a business address instead of a residential address. They are few enough though that I can just not do business with them and it hasn't impacted me much.
It doesn't help with the spam but if you sign up with USPS's Informed Delivery, you can at least see if you're getting anything that day. Which can at least save you trips on collecting your mail until you receive something you care about.
What we really need is an email address like <my address>@usps.com and all physical mail that isn’t from a registered law firm or government institution to be rejected because I’ve “opted-in to electronic physical mail”. Emails to that address would be forwarded to the personal email addresses of household members based on the named recipient. And sending those emails should cost the same as a stamp.
Would help cut down on the massive amount of waste that is physical spam and help generate profit for the postal service
I don't think you can opt out of this kind of advertising, and it's important that people en masse don't, because it subsidizes the entire mail system.
I have a sheet of printed labels that say 'Return to sender, unsolicited mail' which I use for such instances.
I am of the belief that the offending business must then pay to receive it back. Not really sure if this is true but it does seem to work in many cases since the amount of junk mail I get now is less than one a month.
Same here. For kicks I checked my USPS Informed Delivery emails and not only did I find one with Hello Fresh, it has its own dedicated section within the email with share links.
It seems like Hello Fresh has an agreement with and/or pays USPS to deliver their advertisements, to the point of getting a spot in their emails.
Physical mail isn't covered by the legislation. Anyone can have bulk mail delivered by the postman, to any address. There is no way to opt-out of snail-mail, unless it's unaddressed. I think you can't even opt-out of mail addressed to "Occupant".
> Buy a "return to sender" stamp, apply it to the mail and give it back to the post carrier.
You can't. It doesn't work. (USPS) Most of the junk mail we receive is presort, bulk rate, etc., and there's no return service for it. The letter carrier will reject it and give it back to you. You can throw it out. You can write to the sender (email/post) and request removal from their list.
One problem I get, is that I've "gone paperless" everywhere possible, yet some entities still insist on sending paper mail in certain circumstances. These are very important bits of correspondence, and I can't seem to get across the message that I don't want their paper shit. In one case I've received physical membership cards, and one of them was stolen from my mailbox (somewhere after Informed Delivery scanned it, even.) But they can't administratively prevent these mailings from being triggered.
Yesterday I created an account on John Lewis' website, and I was pleased to see that during sign-up, they had an unchecked "Tick here if you want our newsletter."
Then, later I placed an order, and during credit card checks I noticed a "Tick here if you do NOT want our newsletter", which was of course unchecked and that's how the fuckers got me.
Fuck this dark pattern, and fuck the Product Manager that requested it. There literally should be a law that says you cannot ask a user to check a box NOT to give away their data.
I just mark all marketing emails as spam now. Since I never want them, I can't have opted in to it so it's spam. Seems very effective at having my email provider forward all future emails from them to spam and hopefully tarnishes their sender trust rating a little.
I got a late payment fee from Klarna for a similar reason. They kept spamming my phone with push notifications, so I revoked their permission to send them. Some time later they weren't able to charge my card and only communicated this by push notification (they had my phone number, email and postal address). The invoice was something like a week away from being sent for collections when I opened the app by accident and saw it. I go out of my way not to do business with them since then.
Indeed. If someone is going to argue credibly for treating everything from commercial sources as spam then they also need to explain how businesses can provide any information they are actively required to provide to their customers either by law or by whatever method the customer is using to pay them. In general the merchants have no say in this and the penalties for failing to provide the information can be far more severe than anything they're going to suffer for losing a few people who don't understand what spam is and abuse the mark-as-spam button when reading their mail.
It is their choice to pollute the channel they use to communicate with customers with spam. They don’t have to send spam, and if they offer the option they shouldn’t make opting out difficult or dark-patterned.
The problem is that there are people who will classify any unsolicited mail from any business they've dealt with as spam. And by "classify" I mean hitting whatever button they have in their email client that says so - which for online email services is likely to affect future processing of mail from related sources for themselves and potentially for others as well.
It doesn't matter to those people whether there was a quick and easy way to unsubscribe or change preferences. It doesn't matter to those people that they actively requested that kind of mail a few months ago and have forgotten. It doesn't matter to those people that they might end up blocking important messages they do want later. It doesn't even matter to those people that they're flagging information that is required by law to be provided to them. There is no nuance here. Got mail. Hit "spam". Done.
Some of these people even think that marking the transactional "thanks for your payment" mail as spam will somehow end their subscription to your service or get them out of a long-term contract early! Then they'll issue a chargeback that is also totally inappropriate and in violation of contract and claim that they gave notice to cancel by "unsubscribing" from the emails by marking them as spam.
Dealing with customer support for those people is not fun. In a perfect world it would go both ways and we could have a system that notified us of such behaviour immediately so we could choose not to do business with those people in the future. It is as sure an indicator of a customer who is not worth the trouble as I have ever found after people attempting actually criminal behaviour.
Spam is a difficult problem. Obviously a lot of senders really are abusing the recipients in ways that are not welcome and should ideally be stopped. But there are plenty of recipients abusing the senders of legitimate messages too.
> The problem is that there are people who will classify any unsolicited mail from any business they've dealt with as spam.
I'd agree if this was the edge-case, but the truth is that most businesses tend to lean towards sending more email than they need to, so overzealous use of the spam button is an expected reaction in response.
> which for online email services is likely to affect future processing of mail from related sources for themselves and potentially for others as well.
That's the system working as designed - if in aggregate most people signal that they don't want to receive a certain piece of mail or all mail from a certain sender, chances are I will agree with their decision.
> But there are plenty of recipients abusing the senders of legitimate messages too.
I'll be happy to change my mind once email becomes strictly opt-in and senders would err on the side of caution and the default is no email at all and you must explicitly opt into every distinct category of email, with the opt-in being located in the same annoying and hard-to-reach places as the opt-outs currently are.
That's not (yet?) the case, suggesting the spam button isn't being pressed enough. You're trying to guilt people about liberal use of the mark-as-spam button but you seem to have no issues with senders liberally using the "send spam" button.
> You're trying to guilt people about liberal use of the mark-as-spam button but you seem to have no issues with senders liberally using the "send spam" button.
On the contrary. I dislike spam as much as the next person and I have never allowed my own businesses to engage in "common" practices I consider unacceptable even when that has almost certainly cost us money.
I'm just saying there are two sides to this story and extreme solutions in favour of either one side will probably have undesirable side effects for innocent parties.
The opt-out rule requires that what is wanted to be marketed to a customer is corresponding products or services to what they have bought.
There are four basic conditions to be able to make use of the opportunity to market products without consent to existing customers. All four conditions must be fulfilled, cf. the Marketing Act § 10, subsection 2:
1) During a previous purchase, the customer has himself provided his email to the vendor,
2) The customer must be informed that the email may be used for advertising in the future,
3) The customer must have the opportunity to opt out of email marketing/advertising at the time when the email was disclosed to the vendor, and
4) The customer must have the opportunity to opt out of receiving email marketing at all times in subsequent inquiries from the vendor.
"Corresponding products" are defined as:
- It must be products that the vendor itself sells.
- There must be a connection between the first purchase and the subsequent purchases marketed products, but the products do not have to be identical.
- Corresponding "product groups" are covered by the option.
Same thing with data processing consent popups/cookie banners.
The vast majority of them aren’t compliant (the GDPR bans tricking/annoying people into granting consent), but are able to proliferate because it’s not enforced anywhere near enough.
Legal, but wrong. There is no such thing as an ambiguous consent, and it's a fucking catastrophe that we've legislated ambiguous consent into our statute.
It’s already the case with GDPR. (B2B spam is different)
If you get a random sales/marketing email, you have the right to find out where they got your details from and where did they get your consent to email you.
This doesn't matter much when emails are sold and sent from outside the EU/UK. This would probably need to be a protocol-level adjustment to ensure consent before contact.
Regulators typically start with a small fine and then if the behavior continues, fines and penalties increase exponentially.
Having worked inside a number of companies who've received fines, the ones that intend to continue operating change their behavior immediately and install controls to avoid this escalation path.
The obvious exception is when the behavior change creates an existential threat to the core business model, i.e. the company literally cannot change its behavior.
This just incentivizes companies to do this behaviour until their first warning. If you want companies to follow the rules from the get-go you better make sure that your first fine makes them regret ignoring the rules.
If you make the incentives to ignore the rules until they get caught the first time then companies will do that. HelloFresh got huge numbers of subscribers based on this strategy for pennies. Even if they stop now the next competitor will do the same thing until they get the first fine.
It's like saying that your first murder should just result in a warning or a token fine. This basically gives everyone one "free" murder and it would be a waste not to use it. (Moral issues aside of course)
Agreed, i.e. *IF* we want companies to follow the rules... but so far, society (certainly American society...) does not seem to actually want companies to always follow the rules... sigh...
HelloFresh also sends marketing snail mail if they have your postal address.
The market starts to be crowded and they are obviously aggressively marketing their product. We'll see if that can last. It's crazy that they got $367 million in total funding for a recipe and ingredients (meal kits) subscription business but they apparently now have 6 billion euros in revenue so it seems to work.
The service is really good. But very little to differentiate it from any of the other services with the result that when we used it we just swapped between whichever service give us a discounted offer. We could keep it up for months on end without paying the full subscription price.
The worst part is that (at least in Canada) this isn't illegal. Unsolicited calls, texts and email are illegal but snail mail is fine.
It seems that all forms of communication should have the same rules, but the laws are special cases. Probably if they start messaging you via WhatsApp that is also fine.
I don't know about Canada, but in the US, the postal system is subsidized by spam. Essentially spam is the most profitable aspect of the service, and so it's endorsed at the expense of everything else. Since the sender pays costs for postal mail, it's completely different than SMS or emails.
I'd rather pay a tiny bit more taxes than print and mail spam only to be thrown out without being read. Then shipped to the recycler. What a waste of resources and my time.
The problem is that you have to commit to basically three meals per week for 2+ people and then opt-out for subsequent weeks, they're not cheap and they're often a reasonable bit of work to prep. I tried Blue Apron once and it was basically too much up-front commitment and too much work.
Local grocery stores have an increasing amount of semi-prepped meals which make a lot more sense for me.
> As part of this investigation, it was also discovered that the company continued to contact some individuals even after they had requested this to stop.
If the messages had an opt-out mechanism that worked, they likely would have gotten away with the other things.
I think it's because some emails might have already been sent and be sitting in the outbound mail queues of various mail servers. Some of those might retry for up to 14 days.
Hence, 14 days to be sure you won't get any more emails.
I don’t buy that sorry. Sounds plausible but isn’t an excuse.
I can’t imagine many mail servers will retry up to 14 days unless the spammers configured it to do so. That’s a very uncommon length of time.
And it’s totally within the spammers’ control to choose and/or configure mail servers with a shorter duration. Just how important do they think their spam is!
It seems like they are basically selling papal indulgences on the cheap? Who gets the revenue they generate from absolving these companies of their sins?
We tried them towards the end of last year, but compared to Gousto, found the quality and recipes lacking. Then there were the weird free things in the box, some Nivea face cream in one of them… very strange. I guess they must be making enough from cutting back and 3rd party deals to not worry about the slap on the wrist
I’m in the process of fighting Hellofresh for still sending my family personalised "reactivation" spam even though we requested full private data removal per GDPR. I’d be glad to report it to the respective institution in Germany.
One week before the first lockdown - when most offices had sent their staff home - HelloFresh were knocking door to door on my street to flog subscriptions, not minding that they might have been spreading the virus.
The worst about Hello Fresh is the subscription itself, you get meals every week, unless you opt-out. Of course you will forget to opt out at some point, so they just send you 3 meals of their choice. No 'Hey, we will send you this, are you ok with it or do you want to change it?'
Plus, the recipes aren't that good if you are an above average cook. You get something Indian and it is a gringo version of the real thing, even if the real thing is easy to do.
Or, there is a mistake in the recipe, such as an ingredient not appearing in the walkthrough. I subscribe to stuff like this so that I can cook without using my brain after being tired, not having to check meticulously every dish.
After two months, I happily unsubscribed. The scammyness aside, I do not see any advantage in using the service for how much it costs.
I tried Hello Fresh because of their "free" box promotion, and I have to say as a single person who lives alone, it was great to both have sensible portion sizes, and reducing the mental overhead of having to think about what to cook during weekdays, along the planning and shopping that comes with it.
It's nice not to have to eat Bolognese for 4 days if you make one, since beef mince normally only comes in 500g sizes and so on. I know you can freeze it, but you get my point.
That being said, I agree with the others that the recipes are quite simple, and once you know them it becomes just as easy to buy the ingredients at the shop and make it yourself.
Another disadvantage I've noticed is the amount of packaging, it can't be environmentally friendly. They ship perishables wrapped inside mineral wool with a non-recyclable plastic bag with ice, everything is in a huge cardboard box, there's tons of printed recipes and promotional codes printed on cards, and tons and tons of little plastic and paper wrappers for everything.
We have been reassured hundreds of times by vocal HN posters that spam text messages are strictly an American problem, and that it never ever happens in the "civilized" world.
1) they will sign you up via this or another dark pattern so that you will have to threaten legal action and otherwise waste time demanding they refund you – I imagine many people agree to receive their low quality food for some time instead of wasting the energy on arguing with them
2) the produce they sent us in Germany was lowest possible quality, soft potatoes, discounter stuff that might have been at the end of its shelf life, so even at 4€ per meal they are profiting for sure
I've never used a meal kit delivery company but isn't the grocery market extremely cost-competitive?
Retailers like Walmart only make about a 3% profit margin. And that's with the customer taking on the picking, packing and delivery. Are meal kit companies really charging twice retail for the things they supply?
I spent 25 minutes trying to cancel my Hello Fresh subscription but it pretended like it couldn’t find my account and customer service was useless. I thankfully used a burner virtual credit card and just disabled the card, but they attempted and failed to charge the card three times a week for months before giving up. Scummy company.
Good opportunity to repost how HelloFresh is a scammy company.
I got tricked into a very dark-patterned coffee subscription company called Amora Coffee.
I got one of their coupons with a Hello Fresh box. Which, by association, at the time increased my trust in this Amora Coffee company. And now, after being scammed, only ruined my trust in the Hello Fresh company. Never bought it again, never will, and will tell everyone who asks not to buy.
I will try to list all the dark patterns that I remember but you can google "Amora Coffee scam".
First, they present themselves as a regular e-commerce selling coffee. They offer a coupon for a free first purchase.
The site seems legit enough and they only ask you to pay $1 for delivery fee. It seems a great deal, even if the coffee is not that good, worth trying it. You even think that they must have a really good product to offer a free full-sized sample. Their conversion rate must be phenomenal at this step.
But in that step alone there are two parts of the scam already.
You realize them only after you paid.
In the receipt, if you took the time to read it and pay attention (how often do people really read the receipt of what they just purchased?), you learn that you just signed up to a subscription!! You are not just buying one bag, you are paying a subscription and, unless you cancel, you will be charged full price soon enough.
The $1 fee is because they need your credit card to be able to charge you the recurrent fee before you know it is a scam (you will know soon enough). They probably charge $1 just to avoid trouble with the credit card companies (they will have a first legitimate, undisputed payment after all).
The subscription itself is another step of the scam. You pay every two weeks, not every month as is the common practice. Also, they claim that to not be charged, you have to cancel the next delivery before it has shipped. In practice, it all means that you have to cancel the subscription (that you never knew you had signed up to) in a week, which is even before the first "free" delivery has arrived.
So, I was savvy enough to get the scam in time by reading the receipt and googling "Amora Coffee scam". So, I just would cancel immediately.
How do you cancel? You have to go to their site, log in to your account and cancel there.
Ok, the scammers have not given up stealing my money just yet. To my surprise, the email I used to make the first purchase is not my username to log into their site. I have yet to create an account. To do that I have to input my email and a numerical code that is hidden in the receipt that I got. It is there, but you have to find it with no help at all.
Did I just jump all the obstacles that the thieves were putting in front of me? No! The "create your account" form just didn't work!! Looking at online reviews you notice that that form has not been working for over a year!!
It is impossible to cancel your subscription.
So I find an email, send a very straightforward message telling them to cancel. So I have not been charged. Apparently I avoided the scam.
Still, they got that first $1 of mine from the initial purchase. Probably what they bribed Hello Fresh with to steal from their customers.
I remember reading this when it was originally posted.
Getting scammed sucks, and there are clearly some dark patterns. But it's 2024; handing your credit card and personal details over to a random company without understanding the terms is crazy.
And by "understand the terms", I'm not suggesting you comb through the documentation to find answers. If the company isn't clear and up-front about how their product works, they aren't serious. Don't give them your money. For a subscription service: what do I get? what do I owe? what are my obligations? how do I cancel?
But, this sort of marketing works because people will do silly things to get something for "free".
> Why would you continue to subscribe to a bullshit company that does this?
They said they subscribed which could mean that they have since unsubscribed. I think they’re texting them because they want them back as a customer - it makes no sense to pester your currently paying customers.
As someone who is stressed by all the spam emails, texts, whatsapps and robo calls in my digital life, I appreciate this news a lot. Great going Mr. Sunak, keep giving them more fines until this "spam business" becomes unprofitable!
https://ico.org.uk/media/action-weve-taken/mpns/4027967/hell...