American Express fined by UK agency for illegal email distribution

By /

American Express Services Europe Ltd., more widely known as Amex, has received a fine from the United Kingdom’s Information Commission Office. The ICO is a UK authority designed to enforce and uphold information rights. Much of the ICO’s authority comes from the Data Protection Act 2018, the UK General Data Protection Regulation (the United Kingdom’s version of the EU GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004, and Privacy and Electronic Communications Regulations 2003.

According to the press release, American Express received a fine to the tune of £90,000 (about $127,000) for sending 4 million marketing emails to customers who had opted out.

The ICO began investigating Amex due to a large number of customer complaints to the agency. The results of the investigation are described in the following excerpt:

During the investigation the ICO found that Amex had sent over 50 million, of what it classed as, servicing emails to its customers. The ICO revealed that for nearly 12 months, between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards which would benefit Amex financially. It was a deliberate action for financial gain by the organisation. Amex also did not review its marketing model following customer complaints.

Amex deliberately ignored the complaints on the erroneous grounds that the emails were “servicing” and not marketing, the ICO said. The ICO actually has a clear definition to differentiate servicing and marketing emails. According to the UK authority, service emails “contain routine information such as changes to terms and conditions and payment plans or notice of service interruptions.” On the other hand, marketing emails are “any communication of advertising or marketing material directed at particular individuals.”

Amex was fined as they were in direct violation of Regulation 22 of the Privacy and Electronic Communications Regulations 2003. This particular regulation requires companies to abstain from marketing communications unless given explicit permission otherwise. As they had clearly not abided by these standards, American Express Services Europe was deemed to be in violation and punished.

Featured image: Flickr / The Comedian

About The Author

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top