UK data regulator fines American Express up to 0.021p per email after opted-out folk spammed 4.1 million times

American Express has been fined 0.009 per cent of its annual profits by the Information Commissioner's Office (ICO) after spamming people who opted out of its marketing emails with 4.1 million unwanted messages.

The £90,000 fine was announced today after the British data regulator ruled the US bank had broken the law.

"This is a clear example of a company getting it wrong and now facing the reputational consequences of that error," said ICO head of investigations Andy Curry, recognising the fine was effectively small change for Amex.

"Between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards which would benefit Amex financially. It was a deliberate action for financial gain by the organisation. Amex also did not review its marketing model following customer complaints," said the ICO in a statement.

Customers were encouraged to spend £500 on their American Express credit cards in return for a £50 benefit, under the title "award-winning offers just for you".

The bank ignored complaints and when those customers went to the ICO, bankers claimed the spam was "a requirement of its Credit Agreements with customers". This was untrue – and the customers bombarded with spam had already opted out of marketing emails.

• UK data watchdog fines 'pandemic partner' biz £8k: It sent 84,000 marketing emails to people who'd given info for track and trace
• Oops, says Manchester City Council after thousands of number plates exposed in parking ticket spreadsheet
• UK watchdog would cease to enforce data protection law if Supreme Court sided with Google, its lawyer tells judges
• Scottish National Party members found among list of names signed up to rival Alba Party after website whoopsie

Justifying the spamming of its own customers, Amex claimed the spam was internally classified as a service message instead of marketing. Service messages are meant to be used for information about the service – for example, notifications of scheduled downtime or changes in interest rates. Instead Amex sent them unwanted inbox filler advertising new products and services.

The bank told its customers: "We feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods."

The ICO found that Amex had broken the Privacy and Electronic Communications Regulations 2003, the law on sending marketing emails. The ICO's monetary penalty notice, which stated that Amex acted negligently rather than deliberately, said: "AMEX, as the transmitter or instigator of the direct marketing, is required to ensure that it is acting in compliance with the requirements of Regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired."

In Amex's case, 49 per cent of its customers had not opted in to receive marketing emails or had explicitly opted out – yet many of these collectively received the millions of messages sent by the bank anyway.

We have attempted to contact American Express for comment and will update this article if we hear back. In Q4 FY2020 alone Amex made $1.4bn in profit.

The maximum fine for a breach of PECR is £500,000, though the regulator indicated it would impose a £90k penalty in a preliminary notice back in February, to which Amex did not object.

The £90k fine equates to 0.021p per nuisance email however it is discounted to £72k if paid by 15 June. This would mean the regulatory cost to Amex of doing business by sending 4.1 million unlawful marketing emails would be about 0.017p per message. Yesterday the ICO priced unlawful emails at 9.5p when it fined a coronavirus track-and-trace company for identical lawbreaking. ®