ICO (UK) - AMEX
From GDPRhub
| ICO (UK) - AMEX | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR Article 7(4) GDPR Regulation 22 of the Privacy and Electronic Communications (EC Directive Regulations 2003 PECR Section 122(5) of the Data Protection Act 2018 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 17.05.2021 |
| Published: | 20.05.2021 |
| Fine: | 90000 GBP |
| Parties: | American Express Services Europe Limited American Express Services Europe Limited |
| National Case Number/Name: | AMEX |
| European Case Law Identifier: | AMEX |
| Appeal: | n/a |
| Original Language(s): | English English |
| Original Source: | ICO (in EN) ICO (in EN) |
| Initial Contributor: | Tara Taubman-Bassirian |
The UK ICO issued a fine to AMEX for sending marketing sollicitations to customers who had opted out. AMEX had classified these emails as 'servicing' emails not requiring consent. The ICO considered the emails in question were all designed to encourage customers to make purchases on their cards, which would benefit AMEX financially. Therefore, AMEX was fined £ 90,000 in infringement of PECR.
English Summary
Facts
Between 1 June 2018 to 31 May 2019, a total of 4,098,841 direct marketing messages were sent to subscribers who had opted-out to receiving marketing emails by, or at the instigation, of American Express Services Europe Limited. These messages contained direct marketing material for which subscribers had not provided adequate consent. 3 customers - Two further complaints were made to the Commissioner in June and July 2019 - had complained receiving marketing emails from AMEX despite having opted out. The Commissioner was satisfied that these emails constituted "direct marketing"as defined by section 122(5) of the DPA 2018 because each of the emails encouraged customers to use their AMEX credit cards to make purchases. One category of emails (the AMEX app emails) also encouraged customers to download and/or use the AMEX app. AMEX internally had classified the emails in question as "servicing" rather than "marketing". Additionally, the ICO pointed that AMEX's "International Email Policy - United Kingdom" indicates that "servicing" emails involve advertising and marketing content. The Commissioner considered that the contravention was serious as between the 12-month period, a confirmed total of 4,098,841 direct marketing messages were sent containing direct marketing material for which subscribers had not provided adequate consent. Additionally, the Commissionner considers having published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. In particular it states that organisations can generally only send, or instigate, marketing emails to individuals if that person has specifically consented to receiving them; and highlights the difficulties of relying on indirect consent for email marketing. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available. ICO concluded that AMEX had failed to take reasonable steps to prevent the contraventions, the condition (b) from section SSA(l) DPA (as extended and modified by PECR) being met.
Dispute
Infringement of Regulation 22 of PECR: transmission of unsolicited communications by means of electronic mail to individual subscribers. AMEX says the emails had not been classified as "marketing emails" but "servicing" emails " feeling that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods".
Holding
Sending emails of "Reactivation" or promoting the use of a product is marketing that requires consent. The Commissioner finds that AMEX transmitted or instigated the transmission of the direct marketing messages sent, contrary to Regulation 22 of PECR.
Comment
Despite several customers complaints, AMEX failed to review its marketing model. Customers are becoming increasingly aware of their rights. The best marketing could become respecting customers options. ICO has reacted particularly promptly to the complaints in this case.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENAL TY NOTICE
To: American Express Services Europe Limited
Of: Belgrave House, 76 Buckingham Palace Road, London, SWl W 9AX
1. The Information Commissioner ("Commissioner") has decided to
issue American Express Services Europe Limite("AMEX") with a
monetary penalty under section SSA of the Data Protection Act 1998
("DPA") .1 The penalty is in relation to a serious contraveofion
Regulation 22 of the Privacy and Electronic Communication(EC
Directive) Regulations 200("PECR").
2. This notice explains the Commissioner's decision.
Legal framework
3. AMEX, whose registered office is given above (Companies House
Registration Number: 01833139) is the organisation stated in this
notice to have transmitteor instigated the transmissioof unsolicited
communications by means of electronic mail to individual subscribers
for the purposes of direct marketing contrary to Regulation 22 of PECR.
1The provisions of the Data Protection Act 1998 remain in force for the purposes of
PECRnotwithstandingthe introductioof the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of the 2018 Act).
1 •
ICO.
Information Commissioner's Office
4. Regulation 22 of PECRstates:
"(1)This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a
person shall neither transmit, nor instigate the transmission of,
unsolicited communications for the purposes of direct marketing by
means of electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being to
such communications being sent by, or at the instigation of, the
sender.
(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where-
(a) that person has obtained the contact details of the recipient of
that electronic mail in the course of the sale or negotiations for the
sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person's similar products
and services only; and
(c) the recipient has been given a simple means of refusing (free of
charge except for the costs of the transmission of the refusal) the use
of his contact details for the purposes of such direct marketing, at the
time that the details were initially collected, and, where he did not
initially refuse the use of the details, at the time of each subsequent
communication.
2 •
ICO.
Information Commissioner's Office
(4) A subscriber shall not permit his line to be used in contravention
of paragraph (2)."
5. Section 122(5) of the Data Protection Act 201("DPA 2018") defines
direct marketing as "the communication(by whatever means) of
advertising or marketing material which is directed to particular
individuals"This definition also applies for the purposes of PECR(see
DPA 2018 Schedule 19, paragraphs 430 and 432(6)).
6. Consent is defined in Article 4(11) the General Data Protection
Regulation 2016/679 ("GDPR") as "any freely given, specific, informed
and unambiguous indication of the data subject's wishes by which he
or she, by a statement or by a clear affirmataction, signifies
agreement to the processing of personal data relating to him or her".
7. Article 7(4) of the GDPR provides:
"When assessing whether consent is freely given, utmost account
shall be taken of whether ... the performance of a contract, including
the provision of a service, is conditional on consent to the processing
of personal data that is not necessary for the performance of that
contract."
8. Recital 43 of the GDPR states:
"Consent is presumed not to be freely given ... if the performance of a
contract, including the provision of a service, is dependent on the
consent despite such consent not being necessary for such
performance."
3 •
ICO.
Information Commissioner's Office
9. "Individual"is defined in Regulation 2(1) of PECRas "a living individual
and includes an unincorporated body of such individuals".
10. A "subscriber"is defined in Regulation 2(1) of PECRas "a person who
is a party to a contract with a provider of public electronic
communications services for the supply of such services".
11. "Electronic mail" is defined in Regulation 2(1) of PECRas "any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient's terminal equipment until it is collected by the recipient and
includes messages sent using a short message service".
12. Section SSA of the DPA (as amended by the Privacy and Electronic
Communications (EC Directive) (Amendment) Regulations 2011 and
the Privacy and Electronic Communications (Amendment) Regulations
2015) states:
"(1) The Commissioner may serve a person with a monetary penalty
if the Commissioner is satisfied that -
(a) there has been a serious contraventioof the requirements of the
Privacy and Electronic Communications (EC Directive) Regulations 2003
by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contraventwas deliberate.
(3) This subsection applies if the person -
4 •
ICO.
Information Commissioner's Office
(a) knew or ought to have known that there was a risk that the
contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention."
13. The Data Protection (Monetary Penalties) (Maximum Penalty and
Notices) Regulations 2010 prescribe that the amount of any penalty
determined by the Commissioner must not exceed £500,000.
14. The Commissioner has issued statutory guidance under section 55C(l)
of the DPA about the issuing of monetary penalties that has been
published on her website.
15. PECRimplemented European legislation (Directive 2002/58/Eaimed
at the protection of the individual's fundameright to privacy in the
electronic communicationssector. PECRwere amended for the purpose
of giving effect to Directive 2009/136/which amended and
strengthenedthe 2002 provisions. For the purposes of this notice, as
EU law applied at the time of the breaches of PECR,the Commissioner
approaches PECRso as to give effect to the Directives.
Background to the case
16. AMEX is a financial services company which is well-known for providing
a range of credit card services, including premium cards with annual
fees.It is a wholly owned subsidiary of American Express Company, its
US-based parent company, and was incorporated on 16 July 1984.
AMEX's registered office is at Belgrave House, 76 Buckingham Palace
Road, London, SWl W 9AX. There are currently 9 active officers on
Companies House, with 55 resigned officers. AMEX has been registered
5 •
ICO.
Information Commissioner's Office
with the InformationCommissioner's Office ("ICO") since 19 June
2006 (registrationnumber Z9506659).
17. The unsolicited marketing in question first came to the Commissioner's
attention after she received three complaints from AMEX customers in
April and May 2019. Each individual had continued to receive
marketing emails from AMEX despite opting-out from receiving them.
18. The first and second complaints concerned emails containing
promotions which linked to AMEX webpages containing offers available
to AMEX customers. The third complaint related to an email
encouraging the subscriber to download the AMEX app to view their
loyalty points balance and explore the latest products and savings
available to them.
19. Two of these complainants had complained directly to AMEX before
complaining to the Commissioner. They provided AMEX's response to
their complaints (dated 26 March 2019 and 9 May 2019 respectively).
AMEX stated that, though the subscribers were opted-out from
receiving marketing emails, the emails had not been classified as
"marketing emails" (defined by AMEX as emails "providing customers
with informationin relation to extra products or services, or to renew
contracts that are coming to an end"). Instead, AMEX classified the
emails as "servicing" emails and dismissed the two complaints on this
basis. In one of its responses, AMEX stated that, "we feel that Card
Members would be at a disadvantage if they were not aware of these
campaigns and promotional periods".
20. The Commissioner sent an initial investigatiletter to AMEX on 3 June
2019. This letter set out the relevant provisions of PECR,the
Commissioner's powers, details of the complaints, and the
6 •
ICO.
Information Commissioner's Office
Commissioner's concerns. The letter requested that AMEX provide
various piecesof information and evidence.
21. AMEX requested an extension until the 4 July 2019. This was granted.
22. Two further complaints were made to the Commissioner in June and
July 2019 by individuals who had opted-out of marketing emails. The
first of these complaints concerned marketing emails received from
AMEX between 22 February 2019 and 25 April 2019. As with previous
complainants,the complainant had initially contacted AMEX and
received a responsejustifyinthe emails on the basis they were
"servicing"rather than "marketing" in nature. AMEX's response to the
complaint stated that "we feel that Card Members would be at a
disadvantage if they were not aware of these campaigns and
promotional periods". The second complaint concerned marketing
emails from AMEX between November 2018 and April 2019. Again, the
complainant initially contacted AMEX. On 1 May 2019, they received a
response which stated"the emails you are receiving are logged as
benefits reinforcementrather than marketing materials.As discussed
inour telephone call, all correspondence classed as marketing has been
opted-out for your account".
23. AMEX responded to the Commissioner on 5 July 2019. This letter
stated, in summary:
a. AMEX differentiatesitself in the marketplace by offering
benefits and rewards;the fee level chosen dictating "the level
of the type of included benefits and rewards". AMEX's
research showed that "benefits and rewards" were the key
drivers in the selection of their products.
7 •
ICO.
Information Commissioner's Office
b. Its customer terms and conditions provide that AMEX will
contact customers with product features, benefits and
rewards. The "servicing" emails in question were "required to
be sent based on legal and contractual requirementsThese
emails were "reinforcementmessages to ensure it is clear how
such benefits work, to ensure Cardmembers to get value for
money and avoid any disappointment or detriment".Such
"servicing" emails "do not promote cardmembers to buy
additional products or services from Amex but outline[ ...] how
to get the most of the rewards, such as -, -or
Membership Rewards". Each "servicing" email contained a
footer stating that "You are being sent this service related
email as it contains information about an integral benefit of
your Card."
c. In response to the Commissioner's letter, AMEX had instigated
an independent internal review of its practices related to
electronic communications.Whilst that review was ongoing, it
had placed an "interim hold" on "servicing" emails sent to
individuals who had opted-out of direct marketing emails.
24. Attached to AMEX's response was 11 distinct terms and conditions
contained in the credit agreementsfor the different cards that it
provides ("Credit Agreements"). Under the heading "Contacting
You", each of the Credit Agreements contain the following (emphasis
added):
"We may send you important messages and other communications
(including alerts about certain activity on your account) about your
account, card or card benefits in line with your preferences. This could
be by email or SMS, on your statements or by posting them in the
8 •
ICO.
Information Commissioner's Office
online account centre, for example, we may send you an alert to
confirm that you've updated your contact information"
25. AMEX provided its 'Cardmember Privacy Statement', which is provided
to UK personal cardmembers when they open an account with AMEX.
Under the heading "Use of information",the policy states that (original
emphasis in bold, added emphasis underlined):
"We use your Personal Information: (i)where it is necessary for the
performance of a contract or compliance with a legal obligation (e.g.,
due diligence financial institutions are required to perform before
approving card accounts); (ii) for our legitimate interests, such as to
establish, exercise or defend legal claims, prevent fraud and/or
enhance our products or services; or (iii) where we have obtained your
consent, such as for marketing purposes. More specifically, we use
your Personal Information to do the following:
• deliver products and services, including to:
• administer and manage your account, such as whether to
approve individual transactions;
• communicate with you through email, SMS or any other
electronic methods about your accounts, products, and services
and to update you about new features and benefits attached to
the products or services that you requested;
• service and manage any benefits and insurance programmes
provided along with the products or services that you requested;
• advertise and market products and services for the American
Express Group of Companies and our Business Partners,
including to:
9 •
ICO.
Information Commissioner's Office
• present content that is personalised in accordance with your
preferences;
• communicate promotions and offers to you (by mail, e-mail,
telephone, SMS, via the internet or using other electronic means)
in relation to products and services that may interest you or
which are similar to your existing American Express products and
services; ..."
26. AMEX provided the Commissioner with its procedures for the sending of
advertisements, financial promotions or other communications.These
included itsInternationalEmail Policy - United Kingdom", dated
August 2018. The Commissioner notes the following elements of this
policy in particular:
a. Section 1 of the policy describes the PECRand how it applies
to email marketing, and includes the statemen that "For non
marketing messages, no consent is required therefore
American Express is not required to either obtain an opt-in or
give the opportunityto opt-out of any other type of
messages".
b. Section 2 is titled "Marketing Emails - General" and states
that "Marketing emails include, but are not limited to, email
messages with the primary purpose of acquisition, cross
selling, includingmmunications provided to promote an
American Express Product or Service". Section 2 goes on to
state that "American Express will generally need an
individual's consent before we can sendarketing emails".
10 •
ICO.
Information Commissioner's Office
c. Section 8 is titled "Servicing and Operational Emails". It
employs the following definitions:
"Operational Emails are defined as:
• Purely factualoperational communication with no
content promoting products or services to recipient
including information promoting services and/or
benefits associated with American Express product
held by recipient - e.g. account alerts
Servicing Emails are defined as:
• Communication including information promoting
services and/or benefits associated with American
Express product held by recipient - e.g. benefit
awareness/ reinforcement
Marketing Emails are defined as:
• Communication promoting products and services
not held by recipient"
d. Section 8 goes on to state that "Without exception all
Marketing and Servicing emailsust be reviewed by the UK
Advertising Review Team".
e. The policy does not, at any stage, repeat the definition of
"direct marketingfrom section 122(5) of the DPA 2018.
27. AMEX provided a PDF titled "Prospect Journey", which included a
screenshot of the initial marketing preferences page presented to a
customer when they open an account with AMEX online. The consent
wording reads as follows:
11 •
ICO.
Information Commissioner's Office
"Please tick this box to get the most out of your new American Express
Card. We will keep you informed via email about promotions associated
with your Card, such as Cardmember events, exclusive presales and
offers. We will not share your email address with other companies to
market their own products or services.The preference you make here
will also apply to other American Express cards if they use the email
address you have provided as part of this applicatioYou can update
your preferences later if you wish."
28. In the 5 July 2019 response, AMEX also provided details of its internal
training procedures, including examples of training materials. The
"Communications and Financial Promotions Training" for the "UK
Advertising Review Team" materials were the only materials provided
by AMEX which appear (at internal page 24 of the document) to refer
to obligations relating to direct marketiHowever, this reference is
indirect and brief, and the material is largely focused on clear, fair and
accurate marketing and compliance with requirements regulated by the
Financial Conduct Authority and Advertising Standards Authority.
29. AMEX provided a spreadsheet of all complaints received regarding
unsolicited emails between 1 June2018 and 31 May 2019. AMEX stated
that, during this period, it had received "22 complaints resulting from
the approximately forty-fourmillion servicing communicationsent to
our cardmember base"; and that, in its view, a number of
the complaints regarded the frequency, rather than content, of the
emails. On the Commissioner's reading, most of these complaints
appear to concern the receipt of marketing emails by customers who
had opted-out from receiving such emails.
12 •
ICO.
Information Commissioner's Office
30. AMEX provided copies of all emails which it had classified as "servicing"
emails, excluding those that were "sent in response to specific legal or
regulatory requirements, such as fraud prevention or credit application
assessment".
31. In total, AMEX provided 352 emails which had been classified as
"servicing", totalling 50,388,228 individual emails.
32. Following review of these emails by the Commissioner, a total of 83
distinct emails sent between 1 June 2018 and 31 May 2019 were
identified as falling within scope of PECR.These emails can be grouped
2
into 9 categories, which are now addressed in turn.
- newsletter
33. The- newsletter was sent to holders of AMEX-cards. 11
distinct emails were sent to subscribers between June 2018 and May
2019. The - newsletter consists of promotions for exclusive events
bookable through the AMEX Concierge service, some of which were
complimentary, but many of which were paid for. The footer of each of
email stated: "All paid offers are subject to availabilibooked on a
first come first served basis and must be booked using your American
Express- Card® through your- Concierge service".
34. In total, 297,410 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
- offers emails3
2
3AMEX has indicated to the Commissioner that these emails concerned promotional offers
over and above the intrinsic rewards scheme which is part of thCard services it
offers customers.
13 •
ICO.
Information Commissioner's Office
35. A key benefit of many of the cards provided by AMEX is'-'·
- is obtained on purchases made via the customer's AMEX
card, with a flat rate of-offered on all purchases and special
rates on specific promotions.AMEX sent 3 distinct emails to customers
regarding -offers. For example, one of the special promotions
offered byAMEX was that, should a customer spend £500 in -
_, they would receive £50 - These emails were titled
"award-winning offers just for you" and contained links to the offers
page of the AMEX website, which would allow individuals to load an
offer on to their card before making a purchase.
36. Of the 5 complaints to the ICO referred to above, 4 concerned this
category of email.
37. In total, 907,656 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
'Come back to_, emails4
38. 10 distinct emails titled ' to-,, were sent to
customers who had not used their card
for a period of time. These emails were worded to encourage the
customer to use their card in order to take advantage of the -
feature and other AMEX offers and benefits. For example, one of these
emails states:
"Remember your American Express®
Credit Card? It could still help you to earn- on all your
purchases and reconnect you with many more benefits.
4Ibid.
14 •
ICO.
Information Commissioner's Office
Have you discovered Amex Offers? You can sign up to save on
shopping, dining and entertainment offers from big brands, direct to
your Card."
39. In total, 36,214 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
5
? card emails
40. AMEX operates a branded card, which allows
customers to accumulate - points upon use of the card. AMEX
sent 6 distinct emails t? Card customers. The content of these
emails was aimed at promoting the use of the card.
41. 4 emails were sent on the 12 April 2019, before the Easter bank
holiday, and were titled "'going away this bank holiday? Don't forget
your Card". For example, one of these emails
stated the following in the body of the email:
"Your American Express® Credit Card provides you with
rewards and benefits which you can use both at home and on trips
abroad.
Discover below some of the great benefits your Card has to offer
before, during and even after your trip.
Remember, don't go abroad without it."
5For sake of completeness: the.caremails were sent by AMEX alone, without the
involvement of
15 •
ICO.
Information Commissioner's Office
42. Two emails were sent with the internal AMEX description
"Reactivation".They appear to have been sent to customers who were
not using their cards. They were titled "Bring your next holiday closer
with your everyday spending". The emails affirmed the benefits of
using the-AMEX card, stating:
"Are you getting the most from your Card?
Your American Express® Credit Card is your passport
to a more rewarding world.
From your daily coffee purchases, streaming services, or your annual
season ticket - whenever you use your Card, you collect-·
Redeem your collected- for flights, hotels, or car hire, or even use
your -for part payment towards an unmissable experience."
43. In total, 302,409 of the• card emails were sent to subscribers who
had opted-out from receiving direct marketing emails.
'Explore' emails
44. AMEX conducted a campaign where it sent emails to customers
regarding the use of their card in specific locations abroad (e.g. Paris).
36 distinct emails of this kind were sent regarding different locations.
As set out below, AMEX has confirmed that these emails were targeted
to locations individuals had travelled to. These emails encouraged the
customer to use the card overseas, rather than merely reminding them
of the ability to use their card. The standard wording used was "Don't
explore [location] without it. From [location] to [locatlive like a
local when youvisit [location]The emails then went on to provide a
city guide of locations where an AMEX card could be used.
16 •
ICO.
Information Commissioner's Office
45. In total, 219,514 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
'Card iswelcome' emails
46. Consumers may be discouraged from using an AMEX card because of
concerns that it will be less widely accepted than cards supplied by
other providers. AMEX sent 4 distinct emails to customers regarding
the availability of, and rewards and benefits of using, their card. These
emails were worded in a way which encouraged the customer to make
purchase on their card. For example, one of these emails stated:
"From grabbing lunch to the weekly shop, your American Express®
Card is welcomed at your favourite supermarkets.
And what's even better, whenever you make purchases you can enjoy
the rewards and protection that come with your Card, even when you
buy online.
So make sure you don't miss out on being rewarded at places like
these: [5 well-known supermarkets]"
47. In total, 330,361 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
'Save your card details'
48. AMEX sent 7 distinct emails titled "save your new card details to every
online account". These emails were designed to encourage individuals
17 •
ICO.
Information Commissioner's Office
to make purchases on their cards, rather than merely reminding them
to update details which may have expired. Each email stated:
"Check out faster whenever you shop online at websites like
or- by saving your new Card
details today.on't miss out on earning Membership Rewards® points
on every eligible purchase that you make.
A more rewarding way to shop online
Get points for every pound you spend, extra points on selected
purchases and redeem for a wide range of shopping, travel and gift
cards."
49. In total, 10,751 of these emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
AMEX app emails
50. AMEX sent 14 distinct emails regarding the AMEX app. 11 of these
emails provided the customer with information regarding administrative
tasks which could be completed via the app. However, 3 of these
emails encouraged customers to use or download the app to access
information regarding rewards and offers. They also promoted the app
with a view to encouraging customers to make purchases on their card.
51. One of these 3 emails stated:
"There's a lot on offer
Your offers are loaded, ready to be redeemed.
18 •
ICO.
Information Commissioner's Office
As a Cardmember, you have access to personalised offers wherever
you are, all on the go with the Amex App - so you'll never miss a
saving while you're out and about again.
Visit the Offers tab discover savings near you."
52. The remaining 2 emails both stated:
"Rewarding your loyalty
Watch your points increase everyday.
Get up-to-date informationon your current rewards points balance,
explore the latest products and savings available, and earn even more
rewards by referring friends and family.
So whether you are earning Membership Rewards® or_, visit the
Membership tab today to keep track of your rewards."
53. In relation to these 3 emails, 1,296,123 in total were sent to
subscribers who had opted-outfrom receiving direct marketinemails.
'Shop Small' emails
54. AMEX runs a promotion called "Shop Small". This is a promotional
period available to AMEX cashback cardholders during which an
improved rate of cashback (e.g. £5 cashback for every £10 pounds
spent) is offered for purchases at certain "small" retailers.
55. AMEX sent a series of emails regarding "Shop Small":
a. An initial email, informing the subscriber of the campaign;
19 •
ICO.
Information Commissioner's Office
b. A notification of registration to the scheme;
c. Three reminder emails about the scheme to those who had
signed upto it; and
d. A thank you email to subscribers for purchasing something
through the scheme.
56. The initial email stated:
"Shop Small celebrates the small businesses that do big things in our
local communitieswhile also rewarding Cardmembers for showing
their support for where they live.
The offer ... incentivises Cardmembers to support their local small
businesses by shopping small frequently, giving them a £5 statement
credit where they have saved the Offer to a qualifying American
Express Card and use it to make a qualifying purchase for at least £10
at participatismall businesses .
... Cardmembers can earn a maximum of £50 back in statement credits
during this December's Shop Small.".
57. In total, 698,403 of the initial emails were sent to subscribers who had
opted-out from receiving direct marketing emails.
20 •
ICO.
Information Commissioner's Office
Summary of direct marketing emails internally classified as "servicing"
58. A summary of the direct marketing emails internally classified by AMEX
as "servicingsent between 1 June 2018 and 31 May 2019 is provided
inthe table below, sorted by subject matter.
Subject Distinct emails Total sent Total sent to
matter involving direct opt-out
marketing
11 660,859 297,410
-ewsletter
3 1,872,260 907,656
-ffers
'Come,back to 10 76,893 36,214
•card 6 633,520 302,409
'Explore' 36 375,955 219,514
'Card is 4 464,876 330,361
welcome'
'Save your 7 22,965 10,751
card details'
AMEX app 3 2,704,536 1,296,123
'Shop Small' 1 727,820
698,403
Total 83 7,539,684 4,098,841
59. Following analysis of the emails provided by AMEX, the Commissioner
sent a further request on 26 July 2019 requesting (a) volumes of
receipts for the emails sent to customers who had opted-out of direct
marketing emails in the period between 1 June 2018 and 31 May 2019
(i.e. how many emails were successfully delivered), and (b) a
screenshotof users' marketing preferences page.
60. AMEX responded on 2 August 2019. It confirmed that it does not
capture receipt informatiso was unable to comply with the first part
21 •
ICO.
Information Commissioner's Office
of the Commissioner's request. However, it was able to provide a
screenshot of the customer marketing preferences page. The consent
wording reads as follows:
"How may we contact you with promotions on getting the most out of
your American Express Card, such as Cardmember events, exclusive
presales and offers? We will not share your email address with other
companies to market their own products or services:
Email [yes/no] ..."
61. Allthe above "servicing" emails were sent to subscribers who had
either (a) decided not to opt-in to promotional email on the initial
marketing preferences page (set out at paragraph 27 above) at the
time of opening their account, or (b) afterwards checked "no" in the
"email" box in the marketing preferences page set out in the paragraph
immediately above.
62. The Commissioner sent a further request for information to AMEX on
20 August 2019 for clarifications on the information it had previously
provided. AMEX responded on 9 September 2019. In summary, AMEX
explained:
a. The procedure via which communications are sent. Marketing,
operational and producteams within AMEX work together to
produce the content across all communication channels and
classify emails they have drafted as either "marketorg"
"servicing" messages. Only those classed as "marketinare
scrubbed against the global marketing suppression list. All
emails are then subject to a review and approval process from
relevant stakeholders, including AMEX's compliance
22 •
ICO.
Information Commissioner's Office
department. The emails are then sent by third party vendors
with whom contracts are held.
b. The proportion of customers opted-out from marketing
communications.
these customers had opted-ino receive marketing. 49.8%
had either opted-out or not opted-in.
c. The "Credit and Charge Card Agreements" for each type of
card, which cardholders must sign before accessing AMEX
services, were drafted by the in-house AMEX legal team, with
advice from external counsel.
d. The "come back to-" emails were sent to
card customers who had had no spend or
balance for three consecutive months. AMEX said that the
emails were sent as a "reinforcememessage to ensure
these Cardmembers are getting the most from their product".
e. The 'Explore ...' emails were "triggered upon the first physical
transaction in the city that the email refers to". AMEX justified
the sending of these emails on the basis that these messages
constituted "servicing" communications which were intended
to "raise awareness of card coverage", noting that "our
customers will not purchase products from American Express
unless they find value in doing so."
63. An end of investigation letter was sent to AMEX on 10 October 2019.
23 •
ICO.
Information Commissioner's Office
64. In conclusion, the Commissioner is satisfied that, between 1 June 2018
and 31 May 2019, AMEX transmitted 4,098,841 marketing emails to
subscribers who had opted-out to receiving marketing emails.
65. The Commissioner has made the above findings of fact on the
balance of probabilities.
66. The Commissioner has considered whether those facts constitute
a contraventionof Regulation 22 of PECRby AMEX and, if so, whether
the conditions of section SSA DPA are satisfied.
The contravention
67. The Commissioner finds that AMEX contravened Regulation 22 of PECR.
68. The Commissioner finds that the contravention was as follows:
69. Between 1 June 2018 and 31 May 2019 there were 4,098,841 direct
marketing emails received by subscribers. The Commissioner is
satisfiedhat these emails constituted "direct marketing" as defined by
section122(5) of the DPA 2018 because each of the emails encouraged
customers to use their AMEX credit cards to make purchases. One
category of emails (the AMEX app emails) also encouraged customers
to download and/or use the AMEX app.
70. AMEX internally classified the emails in question as "servicrather
than "marketing". However, the fact that the emails engaged in
advertising and marketing can be seen from their content. None of the
emails in question were neutrally worded and purely administratiin
nature. Instead, each email sought to encourage the customer to make
purchases on their AMEX card (and, in the case of the AMEX app
24 •
ICO.
Information Commissioner's Office
emails, also to make use of this product). In relation to specific
categories of emails:
a. The - newsletter emails encouraged customers to book
tickets for exclusive events, many of which were paid for.
b. The - offers emails encouraged customers to make
purchases on their cards which qualified for special -
offers.
c. The "come back to-' emails encouraged customers to
make purchases on their cards,
where they had not used those cards for a period of time, by
highlightingthe-feature of the card, as well as other
AMEX offers and benefits.
d. The. card emails encouraged customers to make purchases
on their card by highlighting the rewards and benefits
resulting from such purchases, including the benefits of
accruing - points. Two of these emails sought to
encourage customers not using the card to start making
purchases on it.
e. The "explore ..." emails encouraged individuals to make
purchases on their cards when travelling abroad (rather than
merely reminding them of their ability to use the card), in
particular by providing a city guide of locations where the card
could be used.
f. The "card is welcome" emails encouraged customers to make
purchases on their cards, not only seeking to allay doubts
about the availability of the card, but also by highlighting the
25 •
ICO.
Information Commissioner's Office
benefits and rewards that would result from making such
purchases.
g. The "save your card details" emails encouraged customers to
make purchases on their cards (rather than merely reminding
them to update details which may have expired) by
highlighting the rewards resulting from purchases.
h. Of the 11 AMEX app emails, 3 prompted customers to
download and/or use the app to access informationregarding
their eligibility for rewards and offers, including personalised
offers. Twoof these emails sought to encourage uptake of the
app by promising rewards if customers referred family and
friends.As well as promoting the app in its own right, these
emails promoted the app with a view to encouraging
customers to make purchases on their cards.
i. The initialShop Small" emails encouraged customers to make
purchases on their cards at select "small" retailers by
communicating the existence of-offers on such
purchases.
71. In any event, AMEX's "InternationalEmail Policy - United Kingdom"
indicates that "servicing" emails involve advertising and marketing
content. The policy defines such emails as "Communicationincluding
informationpromoting services and/or benefits associated with
American Express product held by recipient" (emphasis added). This
definition can be contrasted with the definition of "operatiemails:
"Purely factual / operational communicationwith no content promoting
products or services to recipient including informapromoting
26 •
ICO.
Information Commissioner's Office
services and/or benefits associated with American Express product held
byrecipient" (emphasis added).
72. Furthermore, in letters responding to customer complaints, AMEX
stated that "we feel that Card Members would be at a disadvantage if
they were not aware of these campaigns and promotional periods".
AMEX accepted here that "servicing" emails include advertising or
marketing material.
73. The Commissioner finds that AMEX transmitted or instigated the
transmission of the direct marketing messages sent, contrary to
Regulation 22 of PECR.
74. AMEX, as the transmitter or instigator of the direct marketiis,
required to ensure that it is acting in compliance with the requirements
of Regulation 22 of PECR,and to ensure that valid consent to send
those messages had been acquired.
75. The 4,098,841 emails in question were sent to subscribers who had
opted-out from receiving direct marketing communicationsby email.
This is not disputed by AMEX.
76. AMEX states that the emails in question were "required to be sent
based on legal and contractualequirements" arising from its Credit
Agreements with customers. The Commissioner has rejected this
suggestion for the following reasons.
a. The "legal and contractual requirementsreferred to by AMEX
cannot override the statutory protection afforded by PECR
Regulation 22 to explicit opt-out decisions made by
customers.
27 •
ICO.
Information Commissioner's Office
b. The "legal and contractual requirements"referred to by AMEX
are worded in a way which is sensitive to the customer's
marketing preferences. In particular, the Credit Agreements
statethat AMEX "may send you important messages and
other communications ... about your account, card or card
benefitsin line with your preferences" (emphasis added).
Further, AMEX's privacystatement provides that "We use your
Personal Information ... (iii) where we have obtained your
consent, such as for marketing purposes" (emphasis added).
c. Considered alone, the "legal and contractual requirements"
referred to by AMEX do not satisfy the requirement for valid
consent. In particular:
i. Consent to receive direct marketing emails is not "freely
given" where it is a condition of receiving AMEX's
servicesin circumstances where such consent is not
necessary for contractual performance by AMEX.
ii. Nor is consent"freely given" where customers are
unable to withdraw it in the future. The ability of
individuals to withdraw consent is explicitly recognised
at Regulation 22(2) of PECR,which refers to a person
"consent[ing] for the time being" (emphasis added).
iii. Consent isot "informed" where the "legal and
contractualrequirements" relied on by AMEX are not set
out prominentlyand separated from other terms and
conditions, but are contained within overall terms and
conditions.
28 •
ICO.
Information Commissioner's Office
77. The Commissioner is therefore satisfied from the evidence she has
seen that AMEX did not have the necessary valid consent for the
4,098,841 direct marketing messages received by subscribers.
78. AMEX has stated that customers would be "at a disadvantage if they
were not aware of the campaigns and promotional periods". There is no
exemption under PECRRegulation 22 which allows organisations to
send marketing emails they consider advantageous for subscribers
where they have not received prior consent to do so. If there were,
such an exemption would likely be relied on by all persons in breach of
the PECRdirect marketing rules.
79. The Commissioner has gone ono consider whether the conditions
under section SSA DPA (as extended and modified by PECR)are met.
Seriousness of the contravention
80. The Commissioner is satisfied that the contraidentified
above was serious. This is because, between a 12-month period from 1
June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct
marketing messages were sent by, or at the instigation of, of AMEX.
These messages contained direct marketing material for which
subscribers hadot provided adequate consent.
81. The Commissioner isherefore satisfied that condition (a) from
section SSA(l) DPA (as extended and modified by PECR) is met.•
-
Deliberateor negligent contraventions
29 •
ICO.
Information Commissioner's Office
82. The Commissioner does not consider that AMEX deliberately set out to
contravene PECRin this instance.
83. The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:
84. First, she has considered whether AMEX knew or ought reasonably to
have known that there was a risk that these contraventionswould
occur. She is satisfied that this condition is met for the following
reasons:
a. During the period in question, AMEX sent a large number of
direct marketing emails internally classified as "servicing"
(7,539,684 in total)Itis clear that direct marketing
constitutes an important part of AMEX's business. More
generally, AMEX is one part of a large multinationacompany
and provides services for a large number of customers
Itshould
therefore have sought to ensure its marketing operations
complied with the relevant statutory regime.
b. AMEX had internal procedures to ensure that marketing
communications were sent in accordance with PECR.In
particular, its "InternationEmail Policy - United Kingdom"
explicitly referred to PECRand attempted to provide an
overview of the requirements imposed by it. AMEX also
provided internal training for its employees on legal and
regulatory requirements governing the sending of marketing
communications.
30 •
ICO.
Information Commissioner's Office
c. Both AMEX's definition of "servicing" emails, and its letters
responding to customers complaints, indicate AMEX was
aware that such emails contained advertising and marketing
content.
d. During the period of the contraventio(1 June 2018 and 31
May 2019), AMEX received 22 complaints regarding its
"servicing" communications.
e. AMEX has been registered with the ICO since 19 June 2006.
The Commissioner has published detailed guidance for those
carrying out direct marketing explaining their legal obligations
under PECR. This guidance gives clear advice regarding the
requirements of consent for direct marketing and explains the
circumstances under which organisations are able to carry out
marketing over the phone, by text, by email, by post, or by
fax.In particular it states that organisations can generally
only send, or instigate, marketing emails to individuals if that
person has specifically consented to receiving them; and
highlights the difficulties of relying on indirect consent for
email marketing. In case organisations remain unclear on
their obligations, the ICO operates a telephone helpline. ICO
communications about previous enforcement action where
businesses have not complied with PECRare also readily
available.
85. It is therefore reasonable to suppose that AMEX should have been
aware of its responsibilitin this area.
86. Secondly, the Commissioner has gone on to consider whether AMEX
failed to take reasonable steps to prevent the contraventioAgain,
she is satisfiedat this condition is met.
31 •
ICO.
Information Commissioner's Office
87. Reasonable steps in these circumstances may, in particular, have
included a combination of the following:
a. Ensuring that its internal procedures were compliant with
PECR.In particular, AMEX could have ensured that its
"InternationaEmail Policy - United Kingdom" contained
consideration of how "direct marketing" is defined for the
purposes of PECRand how this applied to emails AMEX had
internally classified at "servicing".
b. Consulting ICO guidance and/or the ICO telephone helpline to
ensure its marketing policy was compliant with PECR.
c. Meaningfully reviewing its approach to marketing following the
receipt of 22 complaints regarding internally classified
"servicing" emails.
88. In the circumstances, the Commissioner is satisfied that AMEX failed to
take reasonable steps to prevent the contraventions.
89. The Commissioner is therefore satisfied that condition (b) from section
SSA(l) DPA (as extended and modified by PECR) is met.
The Commissioner's decision to issue a monetary penalty
90. The Commissioner has taken into account the following
aggravating features of this case:
• As set out above, the breach was negligent.
32 •
ICO.
Information Commissioner's Office
• There has been deliberate action for financial or personal gain.
The emails in question were all designed to encourage
customers to make purchases on their cards, which would
benefit AMEX financially.
• Advice or guidance has been ignored or not acted upon.
Guidance on Direct Marketing and in particular, the sending of
marketing emails is available on the ICO website. The ICO
Helpline is also availablefor organisationswho may require
clarity in their practices.
• AMEX failed to review its marketing model in light of complaints
raised by various individuals.
91. The Commissioner has also taken into account the following mitigating
factors:
• When the Commissioner began her investigation, AMEX
commenced its own independent internal review and
stopped marketing to customers who had opt-out of
receiving direct marketing communications by email. AMEX
has notified the Commissioner that the independent
internal review concluded in December 2019 and that
AMEX has made several changes to its processes and
procedures to ensure compliance with PECR.AMEX has also
confirmed to the Commissioner that it will continue to
assess the changes made as a result of the internal review
to ensure ongoing compliance.
92. Forthe reasons explained above, the Commissioner is satisfied that the
conditions from section SSA(l) DPA have been met in this case. She is
33 •
ICO.
Information Commissioner's Office
also satisfied that the procedural rights under section 55B have been
complied with.
93. The latter has included the issuing of a Notice of Intent (dated 18
February 2021), in which the Commissioner set out her preliminary
thinking.
94. In reaching her final view, the Commissioner considered
representationsreceived by AMEX on 17 March 2021.
95. Within those representationsAMEX did not seek to challenge the
Commissioner's intention to impose a monetary penalty of £90,000. As
AMEX did not advance any new factors in its representationthe
Commissioner did not alter her position as set out in the Notice of
Intent.
96. The Commissioner is accordingly entitled to issue a monetary penalty
in this case.
97. The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty.
98. The Commissioner has endeavoured to consider the likely impact of a
monetary penalty on AMEX. In the Notice of Intent, the Commissioner
set out her preliminary conclusion that AMEX has access to sufficient
financial resourceso pay the proposed monetary penalty without
causing undue financial hardship; and that this preliminary conclusion
was unaltered bythe effects of the current Covid-19 pandemic. AMEX
has not provided any informationin response to the Notice of Intent
which has caused the Commissioner to alter her position.
34 •
ICO.
Information Commissioner's Office
99. The Commissioner's underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR.The sending of
unsolicited marketing emails is a matter of significant public concern. A
monetary penalty in this case should act as a general encouragement
towards compliance with the law, or at least as a deterrent against
non-compliance, on the part of all persons running businesses currently
engaging in these practices. The issuing of a monetary penalty will
reinforcehe need for businesses to ensure that they are only
messaging those who specifically consent to receive marketing.
100. Overall, the Commissioner considers that a monetary penalty is a
proportionateand appropriate response to the finding of a serious
contraventionby AMEX.
The amount of the penalty
101. Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £90,00(Ninety thousand pounds) is
reasonable andproportionate given the particular facts of the case and
the underlying objective in imposing the penalty.
Conclusion
102. The monetary penalty must be paid to the Commissioner's office by
BACS transfer or cheque by 17 June 2021 at the latest. The monetary
penalty is not kept by the Commissioner but will be paid into the
Consolidated Fund which is the Government'sgeneral bank account at
the Bank of England.
103. If the Commissioner receives full payment of the monetary penalty by
16 June 2021 the Commissioner will reduce the monetary penalty by
35 •
ICO.
Information Commissioner's Office
20% to £72,000 (Seventy-two thousand pounds). However, AMEX
should be aware that the early payment discount is not available if it
decides to exercise its right of appeal.
104. There is aright of appeal to the First-tier Tribunal (InforRights)
against:
a) the imposition of the monetary penalty
and/or;
b) the amount of the penalty specified in the monetary penalty
notice.
105. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
106. Information about appeals is set out in Annex 1.
107. The Commissioner will not take action to enforce a monetary penalty
unless:
• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the
monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and
any variation of it have either been decided or withdraand
• the period for appealing against the monetary penalty and any
variation of it has expired.
108. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
36 •
ICO.
Information Commissioner's Office
Scotland, the monetary penalty can be enforced in the same manner
as an extract registered decree arbitral bearing a warrant for execution
issued bythe sheriff court of any sheriffdom in Scotland.
Dated the 17hday of May 2021
Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
37 •
ICO.
Information Commissioner's Office
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance
with the law; or
b) to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will
dismissthe appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
GRC & GRPTribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LEl 8DJ
a) The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.
38 •
ICO.
Information Commissioner's Office
4. The notice of appeal should state:-
a) your name and address/name and address of your representative (if
any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) detailsof the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary
penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of
appeal must include a request for an extension of time and the reason why
the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
1976 (L.20)).
3
