ICO (UK) - AMEX
|ICO (UK) - AMEX|
|Relevant Law:||Article 4(11) GDPR|
Article 7(4) GDPR
Regulation 22 of the Privacy and Electronic Communications (EC Directive
Regulations 2003 PECR
Section 122(5) of the Data Protection Act 2018
|Parties:||American Express Services Europe Limited|
American Express Services Europe Limited
|National Case Number/Name:||AMEX|
|European Case Law Identifier:||AMEX|
|Original Language(s):||English |
|Original Source:||ICO (in EN) |
ICO (in EN)
|Initial Contributor:||Tara Taubman-Bassirian|
The UK ICO fined American Express ('AMEX') £90,000 for sending 4,098,841 direct marketing communications to customers who had opted out from receiving these.
English Summary[edit | edit source]
Facts[edit | edit source]
Between 1 June 2018 to 31 May 2019, a total of 4,098,841 direct marketing messages were sent to subscribers who had opted-out to receiving marketing emails by, or at the instigation, of AMEX. These messages contained direct marketing material for which subscribers had not provided adequate consent. AMEX says the emails had not been classified as "marketing emails" but "servicing" emails " feeling that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". They consequently argued such emails did not demand consent under the UK PECR.
Holding[edit | edit source]
The ICO was satisfied that these emails constituted "direct marketing" as defined by section 122(5) of the UK Data Protection Act 2018, because each of the emails encouraged customers to use their AMEX credit cards to make purchases. One category of emails (the AMEX app emails) also encouraged customers to download and/or use the AMEX app. Additionally, the ICO pointed out that AMEX's "International Email Policy - United Kingdom" indicates that "servicing" emails involve advertising and marketing content.
The ICO considered that the contravention was serious as between the 12-month period, a confirmed total of 4,098,841 direct marketing messages were sent containing direct marketing material for which subscribers had not provided adequate consent. Further, AMEX had failed to take reasonable steps to prevent the contraventions.
The ICO therefore fined AMEX £90,000.
Comment[edit | edit source]
Despite several customers complaints, AMEX failed to review its marketing model. Customers are becoming increasingly aware of their rights. The best marketing could become respecting customers options. ICO has reacted particularly promptly to the complaints in this case.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENAL TY NOTICE To: American Express Services Europe Limited Of: Belgrave House, 76 Buckingham Palace Road, London, SWl W 9AX 1. The Information Commissioner ("Commissioner") has decided to issue American Express Services Europe Limite("AMEX") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA") .1 The penalty is in relation to a serious contraveofion Regulation 22 of the Privacy and Electronic Communication(EC Directive) Regulations 200("PECR"). 2. This notice explains the Commissioner's decision. Legal framework 3. AMEX, whose registered office is given above (Companies House Registration Number: 01833139) is the organisation stated in this notice to have transmitteor instigated the transmissioof unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to Regulation 22 of PECR. 1The provisions of the Data Protection Act 1998 remain in force for the purposes of PECRnotwithstandingthe introductioof the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of the 2018 Act). 1 • ICO. Information Commissioner's Office 4. Regulation 22 of PECRstates: "(1)This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where- (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. 2 • ICO. Information Commissioner's Office (4) A subscriber shall not permit his line to be used in contravention of paragraph (2)." 5. Section 122(5) of the Data Protection Act 201("DPA 2018") defines direct marketing as "the communication(by whatever means) of advertising or marketing material which is directed to particular individuals"This definition also applies for the purposes of PECR(see DPA 2018 Schedule 19, paragraphs 430 and 432(6)). 6. Consent is defined in Article 4(11) the General Data Protection Regulation 2016/679 ("GDPR") as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmataction, signifies agreement to the processing of personal data relating to him or her". 7. Article 7(4) of the GDPR provides: "When assessing whether consent is freely given, utmost account shall be taken of whether ... the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." 8. Recital 43 of the GDPR states: "Consent is presumed not to be freely given ... if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance." 3 • ICO. Information Commissioner's Office 9. "Individual"is defined in Regulation 2(1) of PECRas "a living individual and includes an unincorporated body of such individuals". 10. A "subscriber"is defined in Regulation 2(1) of PECRas "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". 11. "Electronic mail" is defined in Regulation 2(1) of PECRas "any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service". 12. Section SSA of the DPA (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 and the Privacy and Electronic Communications (Amendment) Regulations 2015) states: "(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that - (a) there has been a serious contraventioof the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventwas deliberate. (3) This subsection applies if the person - 4 • ICO. Information Commissioner's Office (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention." 13. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 14. The Commissioner has issued statutory guidance under section 55C(l) of the DPA about the issuing of monetary penalties that has been published on her website. 15. PECRimplemented European legislation (Directive 2002/58/Eaimed at the protection of the individual's fundameright to privacy in the electronic communicationssector. PECRwere amended for the purpose of giving effect to Directive 2009/136/which amended and strengthenedthe 2002 provisions. For the purposes of this notice, as EU law applied at the time of the breaches of PECR,the Commissioner approaches PECRso as to give effect to the Directives. Background to the case 16. AMEX is a financial services company which is well-known for providing a range of credit card services, including premium cards with annual fees.It is a wholly owned subsidiary of American Express Company, its US-based parent company, and was incorporated on 16 July 1984. AMEX's registered office is at Belgrave House, 76 Buckingham Palace Road, London, SWl W 9AX. There are currently 9 active officers on Companies House, with 55 resigned officers. AMEX has been registered 5 • ICO. Information Commissioner's Office with the InformationCommissioner's Office ("ICO") since 19 June 2006 (registrationnumber Z9506659). 17. The unsolicited marketing in question first came to the Commissioner's attention after she received three complaints from AMEX customers in April and May 2019. Each individual had continued to receive marketing emails from AMEX despite opting-out from receiving them. 18. The first and second complaints concerned emails containing promotions which linked to AMEX webpages containing offers available to AMEX customers. The third complaint related to an email encouraging the subscriber to download the AMEX app to view their loyalty points balance and explore the latest products and savings available to them. 19. Two of these complainants had complained directly to AMEX before complaining to the Commissioner. They provided AMEX's response to their complaints (dated 26 March 2019 and 9 May 2019 respectively). AMEX stated that, though the subscribers were opted-out from receiving marketing emails, the emails had not been classified as "marketing emails" (defined by AMEX as emails "providing customers with informationin relation to extra products or services, or to renew contracts that are coming to an end"). Instead, AMEX classified the emails as "servicing" emails and dismissed the two complaints on this basis. In one of its responses, AMEX stated that, "we feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". 20. The Commissioner sent an initial investigatiletter to AMEX on 3 June 2019. This letter set out the relevant provisions of PECR,the Commissioner's powers, details of the complaints, and the 6 • ICO. Information Commissioner's Office Commissioner's concerns. The letter requested that AMEX provide various piecesof information and evidence. 21. AMEX requested an extension until the 4 July 2019. This was granted. 22. Two further complaints were made to the Commissioner in June and July 2019 by individuals who had opted-out of marketing emails. The first of these complaints concerned marketing emails received from AMEX between 22 February 2019 and 25 April 2019. As with previous complainants,the complainant had initially contacted AMEX and received a responsejustifyinthe emails on the basis they were "servicing"rather than "marketing" in nature. AMEX's response to the complaint stated that "we feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". The second complaint concerned marketing emails from AMEX between November 2018 and April 2019. Again, the complainant initially contacted AMEX. On 1 May 2019, they received a response which stated"the emails you are receiving are logged as benefits reinforcementrather than marketing materials.As discussed inour telephone call, all correspondence classed as marketing has been opted-out for your account". 23. AMEX responded to the Commissioner on 5 July 2019. This letter stated, in summary: a. AMEX differentiatesitself in the marketplace by offering benefits and rewards;the fee level chosen dictating "the level of the type of included benefits and rewards". AMEX's research showed that "benefits and rewards" were the key drivers in the selection of their products. 7 • ICO. Information Commissioner's Office b. Its customer terms and conditions provide that AMEX will contact customers with product features, benefits and rewards. The "servicing" emails in question were "required to be sent based on legal and contractual requirementsThese emails were "reinforcementmessages to ensure it is clear how such benefits work, to ensure Cardmembers to get value for money and avoid any disappointment or detriment".Such "servicing" emails "do not promote cardmembers to buy additional products or services from Amex but outline[ ...] how to get the most of the rewards, such as -, -or Membership Rewards". Each "servicing" email contained a footer stating that "You are being sent this service related email as it contains information about an integral benefit of your Card." c. In response to the Commissioner's letter, AMEX had instigated an independent internal review of its practices related to electronic communications.Whilst that review was ongoing, it had placed an "interim hold" on "servicing" emails sent to individuals who had opted-out of direct marketing emails. 24. Attached to AMEX's response was 11 distinct terms and conditions contained in the credit agreementsfor the different cards that it provides ("Credit Agreements"). Under the heading "Contacting You", each of the Credit Agreements contain the following (emphasis added): "We may send you important messages and other communications (including alerts about certain activity on your account) about your account, card or card benefits in line with your preferences. This could be by email or SMS, on your statements or by posting them in the 8 • ICO. Information Commissioner's Office online account centre, for example, we may send you an alert to confirm that you've updated your contact information" 25. AMEX provided its 'Cardmember Privacy Statement', which is provided to UK personal cardmembers when they open an account with AMEX. Under the heading "Use of information",the policy states that (original emphasis in bold, added emphasis underlined): "We use your Personal Information: (i)where it is necessary for the performance of a contract or compliance with a legal obligation (e.g., due diligence financial institutions are required to perform before approving card accounts); (ii) for our legitimate interests, such as to establish, exercise or defend legal claims, prevent fraud and/or enhance our products or services; or (iii) where we have obtained your consent, such as for marketing purposes. More specifically, we use your Personal Information to do the following: • deliver products and services, including to: • administer and manage your account, such as whether to approve individual transactions; • communicate with you through email, SMS or any other electronic methods about your accounts, products, and services and to update you about new features and benefits attached to the products or services that you requested; • service and manage any benefits and insurance programmes provided along with the products or services that you requested; • advertise and market products and services for the American Express Group of Companies and our Business Partners, including to: 9 • ICO. Information Commissioner's Office • present content that is personalised in accordance with your preferences; • communicate promotions and offers to you (by mail, e-mail, telephone, SMS, via the internet or using other electronic means) in relation to products and services that may interest you or which are similar to your existing American Express products and services; ..." 26. AMEX provided the Commissioner with its procedures for the sending of advertisements, financial promotions or other communications.These included itsInternationalEmail Policy - United Kingdom", dated August 2018. The Commissioner notes the following elements of this policy in particular: a. Section 1 of the policy describes the PECRand how it applies to email marketing, and includes the statemen that "For non marketing messages, no consent is required therefore American Express is not required to either obtain an opt-in or give the opportunityto opt-out of any other type of messages". b. Section 2 is titled "Marketing Emails - General" and states that "Marketing emails include, but are not limited to, email messages with the primary purpose of acquisition, cross selling, includingmmunications provided to promote an American Express Product or Service". Section 2 goes on to state that "American Express will generally need an individual's consent before we can sendarketing emails". 10 • ICO. Information Commissioner's Office c. Section 8 is titled "Servicing and Operational Emails". It employs the following definitions: "Operational Emails are defined as: • Purely factualoperational communication with no content promoting products or services to recipient including information promoting services and/or benefits associated with American Express product held by recipient - e.g. account alerts Servicing Emails are defined as: • Communication including information promoting services and/or benefits associated with American Express product held by recipient - e.g. benefit awareness/ reinforcement Marketing Emails are defined as: • Communication promoting products and services not held by recipient" d. Section 8 goes on to state that "Without exception all Marketing and Servicing emailsust be reviewed by the UK Advertising Review Team". e. The policy does not, at any stage, repeat the definition of "direct marketingfrom section 122(5) of the DPA 2018. 27. AMEX provided a PDF titled "Prospect Journey", which included a screenshot of the initial marketing preferences page presented to a customer when they open an account with AMEX online. The consent wording reads as follows: 11 • ICO. Information Commissioner's Office "Please tick this box to get the most out of your new American Express Card. We will keep you informed via email about promotions associated with your Card, such as Cardmember events, exclusive presales and offers. We will not share your email address with other companies to market their own products or services.The preference you make here will also apply to other American Express cards if they use the email address you have provided as part of this applicatioYou can update your preferences later if you wish." 28. In the 5 July 2019 response, AMEX also provided details of its internal training procedures, including examples of training materials. The "Communications and Financial Promotions Training" for the "UK Advertising Review Team" materials were the only materials provided by AMEX which appear (at internal page 24 of the document) to refer to obligations relating to direct marketiHowever, this reference is indirect and brief, and the material is largely focused on clear, fair and accurate marketing and compliance with requirements regulated by the Financial Conduct Authority and Advertising Standards Authority. 29. AMEX provided a spreadsheet of all complaints received regarding unsolicited emails between 1 June2018 and 31 May 2019. AMEX stated that, during this period, it had received "22 complaints resulting from the approximately forty-fourmillion servicing communicationsent to our cardmember base"; and that, in its view, a number of the complaints regarded the frequency, rather than content, of the emails. On the Commissioner's reading, most of these complaints appear to concern the receipt of marketing emails by customers who had opted-out from receiving such emails. 12 • ICO. Information Commissioner's Office 30. AMEX provided copies of all emails which it had classified as "servicing" emails, excluding those that were "sent in response to specific legal or regulatory requirements, such as fraud prevention or credit application assessment". 31. In total, AMEX provided 352 emails which had been classified as "servicing", totalling 50,388,228 individual emails. 32. Following review of these emails by the Commissioner, a total of 83 distinct emails sent between 1 June 2018 and 31 May 2019 were identified as falling within scope of PECR.These emails can be grouped 2 into 9 categories, which are now addressed in turn. - newsletter 33. The- newsletter was sent to holders of AMEX-cards. 11 distinct emails were sent to subscribers between June 2018 and May 2019. The - newsletter consists of promotions for exclusive events bookable through the AMEX Concierge service, some of which were complimentary, but many of which were paid for. The footer of each of email stated: "All paid offers are subject to availabilibooked on a first come first served basis and must be booked using your American Express- Card® through your- Concierge service". 34. In total, 297,410 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. - offers emails3 2 3AMEX has indicated to the Commissioner that these emails concerned promotional offers over and above the intrinsic rewards scheme which is part of thCard services it offers customers. 13 • ICO. Information Commissioner's Office 35. A key benefit of many of the cards provided by AMEX is'-'· - is obtained on purchases made via the customer's AMEX card, with a flat rate of-offered on all purchases and special rates on specific promotions.AMEX sent 3 distinct emails to customers regarding -offers. For example, one of the special promotions offered byAMEX was that, should a customer spend £500 in - _, they would receive £50 - These emails were titled "award-winning offers just for you" and contained links to the offers page of the AMEX website, which would allow individuals to load an offer on to their card before making a purchase. 36. Of the 5 complaints to the ICO referred to above, 4 concerned this category of email. 37. In total, 907,656 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. 'Come back to_, emails4 38. 10 distinct emails titled ' to-,, were sent to customers who had not used their card for a period of time. These emails were worded to encourage the customer to use their card in order to take advantage of the - feature and other AMEX offers and benefits. For example, one of these emails states: "Remember your American Express® Credit Card? It could still help you to earn- on all your purchases and reconnect you with many more benefits. 4Ibid. 14 • ICO. Information Commissioner's Office Have you discovered Amex Offers? You can sign up to save on shopping, dining and entertainment offers from big brands, direct to your Card." 39. In total, 36,214 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. 5 ? card emails 40. AMEX operates a branded card, which allows customers to accumulate - points upon use of the card. AMEX sent 6 distinct emails t? Card customers. The content of these emails was aimed at promoting the use of the card. 41. 4 emails were sent on the 12 April 2019, before the Easter bank holiday, and were titled "'going away this bank holiday? Don't forget your Card". For example, one of these emails stated the following in the body of the email: "Your American Express® Credit Card provides you with rewards and benefits which you can use both at home and on trips abroad. Discover below some of the great benefits your Card has to offer before, during and even after your trip. Remember, don't go abroad without it." 5For sake of completeness: the.caremails were sent by AMEX alone, without the involvement of 15 • ICO. Information Commissioner's Office 42. Two emails were sent with the internal AMEX description "Reactivation".They appear to have been sent to customers who were not using their cards. They were titled "Bring your next holiday closer with your everyday spending". The emails affirmed the benefits of using the-AMEX card, stating: "Are you getting the most from your Card? Your American Express® Credit Card is your passport to a more rewarding world. From your daily coffee purchases, streaming services, or your annual season ticket - whenever you use your Card, you collect-· Redeem your collected- for flights, hotels, or car hire, or even use your -for part payment towards an unmissable experience." 43. In total, 302,409 of the• card emails were sent to subscribers who had opted-out from receiving direct marketing emails. 'Explore' emails 44. AMEX conducted a campaign where it sent emails to customers regarding the use of their card in specific locations abroad (e.g. Paris). 36 distinct emails of this kind were sent regarding different locations. As set out below, AMEX has confirmed that these emails were targeted to locations individuals had travelled to. These emails encouraged the customer to use the card overseas, rather than merely reminding them of the ability to use their card. The standard wording used was "Don't explore [location] without it. From [location] to [locatlive like a local when youvisit [location]The emails then went on to provide a city guide of locations where an AMEX card could be used. 16 • ICO. Information Commissioner's Office 45. In total, 219,514 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. 'Card iswelcome' emails 46. Consumers may be discouraged from using an AMEX card because of concerns that it will be less widely accepted than cards supplied by other providers. AMEX sent 4 distinct emails to customers regarding the availability of, and rewards and benefits of using, their card. These emails were worded in a way which encouraged the customer to make purchase on their card. For example, one of these emails stated: "From grabbing lunch to the weekly shop, your American Express® Card is welcomed at your favourite supermarkets. And what's even better, whenever you make purchases you can enjoy the rewards and protection that come with your Card, even when you buy online. So make sure you don't miss out on being rewarded at places like these: [5 well-known supermarkets]" 47. In total, 330,361 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. 'Save your card details' 48. AMEX sent 7 distinct emails titled "save your new card details to every online account". These emails were designed to encourage individuals 17 • ICO. Information Commissioner's Office to make purchases on their cards, rather than merely reminding them to update details which may have expired. Each email stated: "Check out faster whenever you shop online at websites like or- by saving your new Card details today.on't miss out on earning Membership Rewards® points on every eligible purchase that you make. A more rewarding way to shop online Get points for every pound you spend, extra points on selected purchases and redeem for a wide range of shopping, travel and gift cards." 49. In total, 10,751 of these emails were sent to subscribers who had opted-out from receiving direct marketing emails. AMEX app emails 50. AMEX sent 14 distinct emails regarding the AMEX app. 11 of these emails provided the customer with information regarding administrative tasks which could be completed via the app. However, 3 of these emails encouraged customers to use or download the app to access information regarding rewards and offers. They also promoted the app with a view to encouraging customers to make purchases on their card. 51. One of these 3 emails stated: "There's a lot on offer Your offers are loaded, ready to be redeemed. 18 • ICO. Information Commissioner's Office As a Cardmember, you have access to personalised offers wherever you are, all on the go with the Amex App - so you'll never miss a saving while you're out and about again. Visit the Offers tab discover savings near you." 52. The remaining 2 emails both stated: "Rewarding your loyalty Watch your points increase everyday. Get up-to-date informationon your current rewards points balance, explore the latest products and savings available, and earn even more rewards by referring friends and family. So whether you are earning Membership Rewards® or_, visit the Membership tab today to keep track of your rewards." 53. In relation to these 3 emails, 1,296,123 in total were sent to subscribers who had opted-outfrom receiving direct marketinemails. 'Shop Small' emails 54. AMEX runs a promotion called "Shop Small". This is a promotional period available to AMEX cashback cardholders during which an improved rate of cashback (e.g. £5 cashback for every £10 pounds spent) is offered for purchases at certain "small" retailers. 55. AMEX sent a series of emails regarding "Shop Small": a. An initial email, informing the subscriber of the campaign; 19 • ICO. Information Commissioner's Office b. A notification of registration to the scheme; c. Three reminder emails about the scheme to those who had signed upto it; and d. A thank you email to subscribers for purchasing something through the scheme. 56. The initial email stated: "Shop Small celebrates the small businesses that do big things in our local communitieswhile also rewarding Cardmembers for showing their support for where they live. The offer ... incentivises Cardmembers to support their local small businesses by shopping small frequently, giving them a £5 statement credit where they have saved the Offer to a qualifying American Express Card and use it to make a qualifying purchase for at least £10 at participatismall businesses . ... Cardmembers can earn a maximum of £50 back in statement credits during this December's Shop Small.". 57. In total, 698,403 of the initial emails were sent to subscribers who had opted-out from receiving direct marketing emails. 20 • ICO. Information Commissioner's Office Summary of direct marketing emails internally classified as "servicing" 58. A summary of the direct marketing emails internally classified by AMEX as "servicingsent between 1 June 2018 and 31 May 2019 is provided inthe table below, sorted by subject matter. Subject Distinct emails Total sent Total sent to matter involving direct opt-out marketing 11 660,859 297,410 -ewsletter 3 1,872,260 907,656 -ffers 'Come,back to 10 76,893 36,214 •card 6 633,520 302,409 'Explore' 36 375,955 219,514 'Card is 4 464,876 330,361 welcome' 'Save your 7 22,965 10,751 card details' AMEX app 3 2,704,536 1,296,123 'Shop Small' 1 727,820 698,403 Total 83 7,539,684 4,098,841 59. Following analysis of the emails provided by AMEX, the Commissioner sent a further request on 26 July 2019 requesting (a) volumes of receipts for the emails sent to customers who had opted-out of direct marketing emails in the period between 1 June 2018 and 31 May 2019 (i.e. how many emails were successfully delivered), and (b) a screenshotof users' marketing preferences page. 60. AMEX responded on 2 August 2019. It confirmed that it does not capture receipt informatiso was unable to comply with the first part 21 • ICO. Information Commissioner's Office of the Commissioner's request. However, it was able to provide a screenshot of the customer marketing preferences page. The consent wording reads as follows: "How may we contact you with promotions on getting the most out of your American Express Card, such as Cardmember events, exclusive presales and offers? We will not share your email address with other companies to market their own products or services: Email [yes/no] ..." 61. Allthe above "servicing" emails were sent to subscribers who had either (a) decided not to opt-in to promotional email on the initial marketing preferences page (set out at paragraph 27 above) at the time of opening their account, or (b) afterwards checked "no" in the "email" box in the marketing preferences page set out in the paragraph immediately above. 62. The Commissioner sent a further request for information to AMEX on 20 August 2019 for clarifications on the information it had previously provided. AMEX responded on 9 September 2019. In summary, AMEX explained: a. The procedure via which communications are sent. Marketing, operational and producteams within AMEX work together to produce the content across all communication channels and classify emails they have drafted as either "marketorg" "servicing" messages. Only those classed as "marketinare scrubbed against the global marketing suppression list. All emails are then subject to a review and approval process from relevant stakeholders, including AMEX's compliance 22 • ICO. Information Commissioner's Office department. The emails are then sent by third party vendors with whom contracts are held. b. The proportion of customers opted-out from marketing communications. these customers had opted-ino receive marketing. 49.8% had either opted-out or not opted-in. c. The "Credit and Charge Card Agreements" for each type of card, which cardholders must sign before accessing AMEX services, were drafted by the in-house AMEX legal team, with advice from external counsel. d. The "come back to-" emails were sent to card customers who had had no spend or balance for three consecutive months. AMEX said that the emails were sent as a "reinforcememessage to ensure these Cardmembers are getting the most from their product". e. The 'Explore ...' emails were "triggered upon the first physical transaction in the city that the email refers to". AMEX justified the sending of these emails on the basis that these messages constituted "servicing" communications which were intended to "raise awareness of card coverage", noting that "our customers will not purchase products from American Express unless they find value in doing so." 63. An end of investigation letter was sent to AMEX on 10 October 2019. 23 • ICO. Information Commissioner's Office 64. In conclusion, the Commissioner is satisfied that, between 1 June 2018 and 31 May 2019, AMEX transmitted 4,098,841 marketing emails to subscribers who had opted-out to receiving marketing emails. 65. The Commissioner has made the above findings of fact on the balance of probabilities. 66. The Commissioner has considered whether those facts constitute a contraventionof Regulation 22 of PECRby AMEX and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 67. The Commissioner finds that AMEX contravened Regulation 22 of PECR. 68. The Commissioner finds that the contravention was as follows: 69. Between 1 June 2018 and 31 May 2019 there were 4,098,841 direct marketing emails received by subscribers. The Commissioner is satisfiedhat these emails constituted "direct marketing" as defined by section122(5) of the DPA 2018 because each of the emails encouraged customers to use their AMEX credit cards to make purchases. One category of emails (the AMEX app emails) also encouraged customers to download and/or use the AMEX app. 70. AMEX internally classified the emails in question as "servicrather than "marketing". However, the fact that the emails engaged in advertising and marketing can be seen from their content. None of the emails in question were neutrally worded and purely administratiin nature. Instead, each email sought to encourage the customer to make purchases on their AMEX card (and, in the case of the AMEX app 24 • ICO. Information Commissioner's Office emails, also to make use of this product). In relation to specific categories of emails: a. The - newsletter emails encouraged customers to book tickets for exclusive events, many of which were paid for. b. The - offers emails encouraged customers to make purchases on their cards which qualified for special - offers. c. The "come back to-' emails encouraged customers to make purchases on their cards, where they had not used those cards for a period of time, by highlightingthe-feature of the card, as well as other AMEX offers and benefits. d. The. card emails encouraged customers to make purchases on their card by highlighting the rewards and benefits resulting from such purchases, including the benefits of accruing - points. Two of these emails sought to encourage customers not using the card to start making purchases on it. e. The "explore ..." emails encouraged individuals to make purchases on their cards when travelling abroad (rather than merely reminding them of their ability to use the card), in particular by providing a city guide of locations where the card could be used. f. The "card is welcome" emails encouraged customers to make purchases on their cards, not only seeking to allay doubts about the availability of the card, but also by highlighting the 25 • ICO. Information Commissioner's Office benefits and rewards that would result from making such purchases. g. The "save your card details" emails encouraged customers to make purchases on their cards (rather than merely reminding them to update details which may have expired) by highlighting the rewards resulting from purchases. h. Of the 11 AMEX app emails, 3 prompted customers to download and/or use the app to access informationregarding their eligibility for rewards and offers, including personalised offers. Twoof these emails sought to encourage uptake of the app by promising rewards if customers referred family and friends.As well as promoting the app in its own right, these emails promoted the app with a view to encouraging customers to make purchases on their cards. i. The initialShop Small" emails encouraged customers to make purchases on their cards at select "small" retailers by communicating the existence of-offers on such purchases. 71. In any event, AMEX's "InternationalEmail Policy - United Kingdom" indicates that "servicing" emails involve advertising and marketing content. The policy defines such emails as "Communicationincluding informationpromoting services and/or benefits associated with American Express product held by recipient" (emphasis added). This definition can be contrasted with the definition of "operatiemails: "Purely factual / operational communicationwith no content promoting products or services to recipient including informapromoting 26 • ICO. Information Commissioner's Office services and/or benefits associated with American Express product held byrecipient" (emphasis added). 72. Furthermore, in letters responding to customer complaints, AMEX stated that "we feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". AMEX accepted here that "servicing" emails include advertising or marketing material. 73. The Commissioner finds that AMEX transmitted or instigated the transmission of the direct marketing messages sent, contrary to Regulation 22 of PECR. 74. AMEX, as the transmitter or instigator of the direct marketiis, required to ensure that it is acting in compliance with the requirements of Regulation 22 of PECR,and to ensure that valid consent to send those messages had been acquired. 75. The 4,098,841 emails in question were sent to subscribers who had opted-out from receiving direct marketing communicationsby email. This is not disputed by AMEX. 76. AMEX states that the emails in question were "required to be sent based on legal and contractualequirements" arising from its Credit Agreements with customers. The Commissioner has rejected this suggestion for the following reasons. a. The "legal and contractual requirementsreferred to by AMEX cannot override the statutory protection afforded by PECR Regulation 22 to explicit opt-out decisions made by customers. 27 • ICO. Information Commissioner's Office b. The "legal and contractual requirements"referred to by AMEX are worded in a way which is sensitive to the customer's marketing preferences. In particular, the Credit Agreements statethat AMEX "may send you important messages and other communications ... about your account, card or card benefitsin line with your preferences" (emphasis added). Further, AMEX's privacystatement provides that "We use your Personal Information ... (iii) where we have obtained your consent, such as for marketing purposes" (emphasis added). c. Considered alone, the "legal and contractual requirements" referred to by AMEX do not satisfy the requirement for valid consent. In particular: i. Consent to receive direct marketing emails is not "freely given" where it is a condition of receiving AMEX's servicesin circumstances where such consent is not necessary for contractual performance by AMEX. ii. Nor is consent"freely given" where customers are unable to withdraw it in the future. The ability of individuals to withdraw consent is explicitly recognised at Regulation 22(2) of PECR,which refers to a person "consent[ing] for the time being" (emphasis added). iii. Consent isot "informed" where the "legal and contractualrequirements" relied on by AMEX are not set out prominentlyand separated from other terms and conditions, but are contained within overall terms and conditions. 28 • ICO. Information Commissioner's Office 77. The Commissioner is therefore satisfied from the evidence she has seen that AMEX did not have the necessary valid consent for the 4,098,841 direct marketing messages received by subscribers. 78. AMEX has stated that customers would be "at a disadvantage if they were not aware of the campaigns and promotional periods". There is no exemption under PECRRegulation 22 which allows organisations to send marketing emails they consider advantageous for subscribers where they have not received prior consent to do so. If there were, such an exemption would likely be relied on by all persons in breach of the PECRdirect marketing rules. 79. The Commissioner has gone ono consider whether the conditions under section SSA DPA (as extended and modified by PECR)are met. Seriousness of the contravention 80. The Commissioner is satisfied that the contraidentified above was serious. This is because, between a 12-month period from 1 June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct marketing messages were sent by, or at the instigation of, of AMEX. These messages contained direct marketing material for which subscribers hadot provided adequate consent. 81. The Commissioner isherefore satisfied that condition (a) from section SSA(l) DPA (as extended and modified by PECR) is met.• - Deliberateor negligent contraventions 29 • ICO. Information Commissioner's Office 82. The Commissioner does not consider that AMEX deliberately set out to contravene PECRin this instance. 83. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 84. First, she has considered whether AMEX knew or ought reasonably to have known that there was a risk that these contraventionswould occur. She is satisfied that this condition is met for the following reasons: a. During the period in question, AMEX sent a large number of direct marketing emails internally classified as "servicing" (7,539,684 in total)Itis clear that direct marketing constitutes an important part of AMEX's business. More generally, AMEX is one part of a large multinationacompany and provides services for a large number of customers Itshould therefore have sought to ensure its marketing operations complied with the relevant statutory regime. b. AMEX had internal procedures to ensure that marketing communications were sent in accordance with PECR.In particular, its "InternationEmail Policy - United Kingdom" explicitly referred to PECRand attempted to provide an overview of the requirements imposed by it. AMEX also provided internal training for its employees on legal and regulatory requirements governing the sending of marketing communications. 30 • ICO. Information Commissioner's Office c. Both AMEX's definition of "servicing" emails, and its letters responding to customers complaints, indicate AMEX was aware that such emails contained advertising and marketing content. d. During the period of the contraventio(1 June 2018 and 31 May 2019), AMEX received 22 complaints regarding its "servicing" communications. e. AMEX has been registered with the ICO since 19 June 2006. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax.In particular it states that organisations can generally only send, or instigate, marketing emails to individuals if that person has specifically consented to receiving them; and highlights the difficulties of relying on indirect consent for email marketing. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECRare also readily available. 85. It is therefore reasonable to suppose that AMEX should have been aware of its responsibilitin this area. 86. Secondly, the Commissioner has gone on to consider whether AMEX failed to take reasonable steps to prevent the contraventioAgain, she is satisfiedat this condition is met. 31 • ICO. Information Commissioner's Office 87. Reasonable steps in these circumstances may, in particular, have included a combination of the following: a. Ensuring that its internal procedures were compliant with PECR.In particular, AMEX could have ensured that its "InternationaEmail Policy - United Kingdom" contained consideration of how "direct marketing" is defined for the purposes of PECRand how this applied to emails AMEX had internally classified at "servicing". b. Consulting ICO guidance and/or the ICO telephone helpline to ensure its marketing policy was compliant with PECR. c. Meaningfully reviewing its approach to marketing following the receipt of 22 complaints regarding internally classified "servicing" emails. 88. In the circumstances, the Commissioner is satisfied that AMEX failed to take reasonable steps to prevent the contraventions. 89. The Commissioner is therefore satisfied that condition (b) from section SSA(l) DPA (as extended and modified by PECR) is met. The Commissioner's decision to issue a monetary penalty 90. The Commissioner has taken into account the following aggravating features of this case: • As set out above, the breach was negligent. 32 • ICO. Information Commissioner's Office • There has been deliberate action for financial or personal gain. The emails in question were all designed to encourage customers to make purchases on their cards, which would benefit AMEX financially. • Advice or guidance has been ignored or not acted upon. Guidance on Direct Marketing and in particular, the sending of marketing emails is available on the ICO website. The ICO Helpline is also availablefor organisationswho may require clarity in their practices. • AMEX failed to review its marketing model in light of complaints raised by various individuals. 91. The Commissioner has also taken into account the following mitigating factors: • When the Commissioner began her investigation, AMEX commenced its own independent internal review and stopped marketing to customers who had opt-out of receiving direct marketing communications by email. AMEX has notified the Commissioner that the independent internal review concluded in December 2019 and that AMEX has made several changes to its processes and procedures to ensure compliance with PECR.AMEX has also confirmed to the Commissioner that it will continue to assess the changes made as a result of the internal review to ensure ongoing compliance. 92. Forthe reasons explained above, the Commissioner is satisfied that the conditions from section SSA(l) DPA have been met in this case. She is 33 • ICO. Information Commissioner's Office also satisfied that the procedural rights under section 55B have been complied with. 93. The latter has included the issuing of a Notice of Intent (dated 18 February 2021), in which the Commissioner set out her preliminary thinking. 94. In reaching her final view, the Commissioner considered representationsreceived by AMEX on 17 March 2021. 95. Within those representationsAMEX did not seek to challenge the Commissioner's intention to impose a monetary penalty of £90,000. As AMEX did not advance any new factors in its representationthe Commissioner did not alter her position as set out in the Notice of Intent. 96. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 97. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. 98. The Commissioner has endeavoured to consider the likely impact of a monetary penalty on AMEX. In the Notice of Intent, the Commissioner set out her preliminary conclusion that AMEX has access to sufficient financial resourceso pay the proposed monetary penalty without causing undue financial hardship; and that this preliminary conclusion was unaltered bythe effects of the current Covid-19 pandemic. AMEX has not provided any informationin response to the Notice of Intent which has caused the Commissioner to alter her position. 34 • ICO. Information Commissioner's Office 99. The Commissioner's underlying objective in imposing a monetary penalty notice is to promote compliance with PECR.The sending of unsolicited marketing emails is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforcehe need for businesses to ensure that they are only messaging those who specifically consent to receive marketing. 100. Overall, the Commissioner considers that a monetary penalty is a proportionateand appropriate response to the finding of a serious contraventionby AMEX. The amount of the penalty 101. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £90,00(Ninety thousand pounds) is reasonable andproportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 102. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 17 June 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government'sgeneral bank account at the Bank of England. 103. If the Commissioner receives full payment of the monetary penalty by 16 June 2021 the Commissioner will reduce the monetary penalty by 35 • ICO. Information Commissioner's Office 20% to £72,000 (Seventy-two thousand pounds). However, AMEX should be aware that the early payment discount is not available if it decides to exercise its right of appeal. 104. There is aright of appeal to the First-tier Tribunal (InforRights) against: a) the imposition of the monetary penalty and/or; b) the amount of the penalty specified in the monetary penalty notice. 105. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 106. Information about appeals is set out in Annex 1. 107. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdraand • the period for appealing against the monetary penalty and any variation of it has expired. 108. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In 36 • ICO. Information Commissioner's Office Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued bythe sheriff court of any sheriffdom in Scotland. Dated the 17hday of May 2021 Andy Curry Head of Investigations InformatioCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 37 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismissthe appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRPTribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 38 • ICO. Information Commissioner's Office 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) detailsof the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 3