The ICO, the UK data regulator, has decided to fine American Express £90,000 for email marketing campaigns in which the company sent over 4 million spam emails to customers.

Over a 12-month period from 1 June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct marketing messages were sent by, or at the instigation of, American Express Services Europe Limited. These messages contained direct marketing material for which subscribers had not provided adequate consent.


The ICO has issued clear guidance defining the difference between marketing and service emails.

According to that guidance, service messages contain routine information such as changes to terms and conditions, payment plans or notice of service interruptions, while direct marketing refers to any communication of advertising or marketing material directed at particular individuals.

The ICO clearly stipulates that it’s against the law to send marketing emails to people unless consent has been freely given.

During the investigation the ICO found that Amex had sent over 50 million of what it classed as servicing emails to its customers. The ICO revealed that for nearly 12 months, between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards, which would benefit Amex financially. It was a deliberate action for financial gain by the organization. Amex also did not review its marketing model following customer complaints.


In response, Amex argued that the messages were servicing emails designed to inform customers of ongoing campaigns, but the ICO found that they were direct marketing emails sent to customers who had opted out.

Amex apparently rejected the complaints and decided not to review its marketing model, maintaining that the marketing emails were a requirement of its Credit Agreements with customers.

American Express broke regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR), which gives people specific privacy rights in relation to electronic communications.

Direct marketing emails classified by Amex as servicing emails


The ICO can impose monetary penalties of up to £500,000 on data controllers, but decided to fine Amex only £90,000 because the company did not “deliberately set out to contravene PECR in this instance”; it also allowed Amex to pay the fine by June 17th, with a discount available if payment is made early.

This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.

The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their cards to make purchases. Amex’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns and that the emails were a requirement of its Credit Agreements with customers, were groundless.

Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive. I would encourage all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email and ensure their email communications with customers are compliant with the law.


Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
