Amex fined £90,000 by UK Regulator for sending unsolicited marketing emails

  1. Home
  2. Latest
  3. Amex fined for unsolicited emails

Amex fined £90,000 by UK Regulator for sending unsolicited marketing emails

Amex fined £90,000 by UK Regulator for sending unsolicited marketing emails

ICO fines Amex £90,000 for sending over 4 million marketing emails without consent. Amex tried to argue those emails were ‘service messages’ but in reality those messages clearly promoted Amex and incentivized customers to use their Amex cards. It took only a handful of complaints from Amex customers to mobilize the ICO to investigate. Ultimately all of Amex’s arguments were given short shrift and a fine followed.

American Express Services Europe was fined by the Information Commissioner’s Office on 17 May 2021 for a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

This matter illustrates very well the difference between marketing and service communications. Many businesses frequently wrestle with the difference between a direct electronic marketing message (which requires consent) and service messages (which can often be sent based on legitimate interests). It also highlights the importance about the process of obtaining consent which meets the high threshold required by the UK GDPR.

Over a period of 12 months Amex sent unsolicited marketing emails to its customers. Those emails told the customers about various benefits that they could get from use of their Amex cards. They explained what features and rewards customers would get as well as other promotional material relating to Amex. The ICO received a “handful of complaints from customers” and decided to investigate this potential breach. It analysed over 50 million emails sent by Amex and concluded that over 4 million were obviously direct marketing communications which required consent.

Amex argued that these emails were not marketing communication but were in fact service messages. The Amex arguments included:

  • they did not encourage customers to make new purchases of Amex cards or products;
  • the intention was to remind customers that they would be rewarded with points if they made purchases;
  • customers who were not aware of the benefits would be disadvantaged compared to others.

The ICO rejected this, and found that the emails did amount to marketing. It was found that the 4 million wrongly-sent emails encouraged existing customers to make purchases in order to collect Amex points. In every way the communications would have benefitted Amex financially. In its press release, the ICO went on to say that:

“Service messages contain routine information such as changes to terms and conditions and payment plans or notice of service interruptions. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals. It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003.”

Under PECR, marketing emails may only be sent to individuals who have consented to receive them.
The UK GDPR provides that consent must be freely given, specific, informed, and unambiguous, given by a statement of agreement. The ICO found that the Amex customers who had received the unsolicited emails in question had opted-out of receiving marketing communications. However, when signing up for credit services with Amex, the terms and conditions of the services provided that Amex has a legitimate interest to send its customers important communications about the services. Amex tried to justify its behaviour by saying that the service emails were sent based on legal and contractual requirements arising from the terms and conditions; again this was given short shrift by the ICO.

In our experience, many in house legal teams, DPOs and company secretaries or compliance teams are frequently asked by their colleagues in marketing or promotions to comment on whether a particular email is a service communication or marketing communication, often with pressure to say it is the former rather than the latter. This case illustrates how hard it is for messages to be service communications. They need to be very bland, non-promotional and straight forward communications that are entirely focussed on delivering a message about practical service issues. Importantly, if there is any element of promotion connected to the message, it will almost certainly be marketing.

This article was prepared by Olivia Malek