UK regulator fines AmEx over sending four million unsolicited emails
American Express (AmEx) has been handed a £90,000 fine by the UK’s Information Commissioner’s Office (ICO) for sending four million unsolicited marketing emails to customers.
The ICO says it followed “just a handful” of customers complaining AmEx had sent them marketing emails despite opting out. Between 1 June 2018 and 21 May 2019, it found American Express Services Europe sent more than 50 million emails. Of these, 4,098,841 counted as unwanted marketing emails “designed to encourage customers to make purchases on their cards which would benefit AmEx financially”, the ICO said.
The ICO adds that these subscribers “had not provided adequate consent” to receive such content.
FinTech Futures reached out to AmEx directly for comment. A spokesperson said: “Respecting our customers’ marketing preferences is a matter we take very seriously. When the ICO brought this issue to our attention, we took immediate action to address the concerns raised.”
“Deliberate action for financial gain”
AmEx was, over this nearly 12-month period, in breach of its interpretation of the UK’s Privacy and Electronic Communications Regulations (PECR).
Whilst the ICO cites definitions from the UK’s Data Protection Act and General Data Protection Regulation (GDPR), it does not levy the fine under these regulations.
“It was a deliberate action for financial gain by the organisation,” the regulator determined. “AmEx also did not review its marketing model following customer complaints.”
Instead, AmEx “rejected its customers’ complaints saying the emails were servicing emails and not marketing”, the ICO explains.
The content of the emails centred around rewards-driven online shopping, as well as downloading the AmEx app and tips on how to get the best out of your AmEx card.
Andy Curry, ICO’s investigations head, calls the incident “a clear example of a company getting it wrong”. He adds that AmEx is “now facing the reputational consequences of that error”.
“AmEx’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its ‘Credit Agreements’ with customers, were groundless,” Curry concludes.
The ICO defines servicing emails as containing “routine information”, such as changes to terms and conditions, payment plans, or service availability – i.e. maintenance interruptions.
Direct marketing emails, however, count as “any communication of advertising or marketing material directed at particular individuals”.
Under the UK’s PECR, the ICO can issue fines of up to £500,000 on a data controller. That’s more than five times the fine the ICO landed AmEx with.