What we found
HelloFresh (F): HelloFresh sent 80 million spam messages in seven months.
The UK ICO fined HelloFresh £140,000 for sending 80,893,013 spam messages (79.7M emails + 1.1M SMS) over seven months. The consent mechanism bundled marketing with age verification, and users were not told they would receive messages for 24 months after cancelling.
Uber Eats (F): Hackers stole 57 million Uber users' data -- names, emails, phone numbers, and 600,000 driver license numbers.
In 2016, attackers stole personal data of 57 million Uber riders and drivers, including 600,000 driver license numbers. Chief Security Officer Joe Sullivan paid the hackers $100,000 through Uber's bug bounty program, disguising the ransom payment as a legitimate security reward. Sullivan directed the hackers to sign NDAs and delete the stolen data. He concealed the breach from the FTC, which was already investigating Uber for a previous breach. Sullivan was convicted of obstruction of justice and misprision of felony in October 2022 -- the first C-suite executive in history criminally convicted for covering up a data breach. He was sentenced to three years' probation. Uber paid $148 million to settle with all 50 US states.
Instacart (F): You ordered groceries.
Instacart's S-1 filing (September 2023 IPO) revealed that advertising is a core revenue driver, not just delivery fees. Instacart's Carrot Ads platform allows CPG brands like Pepsi, Procter & Gamble, Coca-Cola, and Nestlé to target ads to customers based on their purchase history. Your grocery data tells advertisers more about your health than almost any other data source: diabetic food purchases reveal diabetes, gluten-free products reveal celiac disease, prenatal vitamins reveal pregnancy, alcohol purchases reveal drinking habits, baby food reveals a new child. Instacart partners with 1,500+ retailers, creating a unified purchasing database across grocery chains. The company stated in its S-1: "We generate revenue from advertising" -- not just from delivering your groceries. Your shopping list is an advertising product.
Deliveroo (D): Deliveroo requires riders to scan their face before they can start work.
Deliveroo implemented mandatory facial recognition check-ins requiring riders to take selfies before starting shifts. The system used biometric matching against riders' profile photos to verify identity. Independent research and rider reports documented disproportionate failure rates for darker-skinned riders due to algorithmic bias in the facial recognition technology. Riders locked out by false negatives could not work -- losing income with no immediate human appeal process. The algorithmic decision was treated as final. Riders reported being permanently deactivated after the system repeatedly failed to recognize them. A technology designed to "protect" rider accounts became a mechanism that disproportionately prevented Black and brown riders from earning a living.
DoorDash (D): DoorDash lost 4.9 million customer records.
In May 2019, attackers accessed 4.9 million records belonging to customers, Dashers, and merchants through a third-party service provider. Exposed data included names, email addresses, delivery addresses, order histories, hashed passwords, and the last four digits of payment cards. Approximately 100,000 Dashers had their driver license numbers stolen. DoorDash did not discover the breach until September 2019 -- four months after it occurred. The company had suffered a previous unreported breach in 2018 affecting a similar number of users. DoorDash notified affected users only after the breach became public knowledge.
Grubhub (D): The FTC sued Grubhub for lying.
The FTC sued Grubhub in June 2022 for multiple deceptive practices. Grubhub charged diners surprise fees at checkout that weren't disclosed when browsing -- including delivery fees, service fees, and "small order fees" that appeared only at the final purchase step. Grubhub listed restaurants on its platform without their permission, leading to orders placed with restaurants that had no agreement with Grubhub and couldn't fulfill them properly. Grubhub marketed "free" delivery while charging inflated menu prices and service fees. The company also made deceptive earnings claims to recruit delivery drivers. The FTC settlement required $25 million in payments. Grubhub's business model relied on hidden fees and phantom restaurant listings to create the appearance of a larger, cheaper platform than it actually was.