What Happened
HelloFresh agreed to pay $7.5 million to resolve a civil lawsuit claiming the company enrolled consumers in recurring subscriptions without proper consent and made cancellation too difficult. The payment includes $6.38 million in civil penalties, $120,000 in investigative costs, and $1 million in restitution for eligible California consumers who faced problematic charges.
Prosecutors pursued the matter as part of the state’s Automatic Renewal Task Force, a multi-county effort formed to police “subscription traps” and related deceptive online practices.
Why California Cares: The Automatic Renewal Law
California’s Automatic Renewal Law (ARL), codified at Business & Professions Code §17600 et seq., aims to stop ongoing charges to consumers’ payment methods without their explicit consent. The statute requires clear disclosure of key terms, affirmative consent before charging, post-purchase acknowledgment, and simple, immediate cancellation methods—now including “click-to-cancel” options for online signups.
Dark Patterns: The Design Behind the Deception
The Federal Trade Commission (FTC) has long warned that so-called dark patterns—interfaces engineered to trick or hinder users—can lead consumers to buy services, share more data, or stay subscribed against their intentions. Tactics the agency highlights include obstructing cancellation (the “roach motel”), pre-checked boxes, burying key fees or terms, confusing toggles, disguised ads, and misdirection during checkout.
In practical terms, dark patterns show up in places consumers encounter daily:
- Ambiguous consent flows: “Accept all” is prominent while “reject” is hidden or requires extra clicks.
- Forced continuity: Free trials that quietly convert to paid plans with hard-to-find cancellation paths.
- Confirmshaming: Wording that guilts users into staying subscribed (e.g., “No thanks, I hate savings”).
- Pre-selected add-ons: Boxes ticked by default, adding services a user never intended to buy.
- Obscured disclosures: Key terms placed below the fold or behind hyperlinks during checkout.
California’s action against HelloFresh maps closely onto this rubric: prosecutors alleged inadequate disclosure of renewal terms, lack of affirmative consent, and cancellation friction—classic dark-pattern hallmarks.
Not Just “Subscriptions”: The Privacy Angle
While the HelloFresh case centers on auto-renewal, California is simultaneously pushing on privacy enforcement—particularly where interface design undermines meaningful choice. The state’s landmark Sephora settlement required changes to how the retailer honored opt-out requests and disclosed “sale” of personal information under the CCPA, underscoring that misleading UX and non-functional privacy controls can trigger penalties.
The throughline is clear: whether it’s a subscription or a consent banner, design that confuses, coerces, or blocks consumer choices can be treated as unlawful under California’s consumer protection and privacy regimes.
How Enforcement Is Evolving
California has broadened its toolkit. ARL updates and enforcement guidance now emphasize easy, online cancellation for online signups, retention of consent records, and prompt confirmation of termination—requirements that directly neutralize dark-pattern playbooks.
On the privacy side, the Attorney General has made clear that ignoring user-enabled signals (like Global Privacy Control) or deploying interfaces that frustrate opt-outs can violate the CCPA/CPRA—an approach inaugurated by the Sephora action and reinforced by ongoing sweeps.
What This Means for Well-Known Brands
Recognizable consumer brands face heightened exposure because they operate at scale, iterate interfaces rapidly, and often rely on conversion-optimized funnels. The HelloFresh resolution illustrates that “friction by design” around sign-ups and cancellations is no longer a gray area; it is a regulatory risk with real dollar consequences. Just earlier this week we broke the news about the FTC settlement with Match Group for almost twice as much as HelloFresh is being fined here. One thing is for sure: data privacy litigation and risk are growing each month, and more of these multi-million-dollar fines are being announced each and every month. Just look at the settlement with Aspen Dental for $18.7 million earlier this month.
Companies should expect prosecutors and regulators to scrutinize:
- Disclosure prominence: Auto-renewal price, cadence, and cancellation terms must be conspicuous at checkout (not after a free trial starts).
- Affirmative consent: Clear, specific assent to renewal terms—no pre-checked boxes or bundled consent.
- Click-to-cancel: An online termination method that is as easy as sign-up, with immediate confirmation.
- Privacy choices that work: Functioning opt-outs (including GPC), accurate privacy disclosures, and no manipulative consent UX.
Compliance Playbook: Design for Choice, Not Confusion
- Audit critical flows: Map every step of sign-up, trial, renewal, cancellation, and privacy consent. Flag extra clicks, hidden links, or ambiguous language.
- Standardize disclosures: Present renewal price, billing interval, trial end date, and how to cancel in the same visual pane as the purchase button.
- Require explicit consent: Use unticked boxes or unambiguous “I agree” statements tied to clearly summarized terms.
- Make cancellation symmetric: If customers can start online, they must be able to stop online in a few clicks—no phone trees, chat-only gates, or weekday-only windows.
- Harden privacy controls: Honor GPC, ensure opt-out toggles actually function, and avoid pressure wording (“confirmshaming”) around consent.
- Retain evidence: Keep records of disclosures and consent to demonstrate compliance during investigations.
How to Remove Dark Patterns and Be Privacy Compliant
HelloFresh’s $7.5 million settlement is the latest signal that California will treat dark and deceptive patterns as more than UX quirks—they’re enforcement targets. For brands, the safest path is clear, symmetrical design that makes it as easy to decline as it is to accept, and as easy to cancel as it is to subscribe. If you want an audit of your privacy and compliance practices and want to work with a firm that will pay your fine if you receive one while using our privacy software, then book a demo below with a Captain Compliance superhero team member.