UK data regulator fines American Express up to 0.021p per email after opted-out folk spammed 4.1 million times

Bank made $1.4bn in profits alone last quarter

American Express has been fined 0.009 per cent of its annual profits by the Information Commissioner's Office (ICO) after spamming people who opted out of its marketing emails with 4.1 million unwanted messages.

The £90,000 fine was announced today after the British data regulator ruled the US bank had broken the law.

"This is a clear example of a company getting it wrong and now facing the reputational consequences of that error," said ICO head of investigations Andy Curry, recognising the fine was effectively small change for Amex.

"Between 1 June 2018 and 21 May 2019, 4,098,841 of those emails were marketing emails, designed to encourage customers to make purchases on their cards which would benefit Amex financially. It was a deliberate action for financial gain by the organisation. Amex also did not review its marketing model following customer complaints," said the ICO in a statement.

Customers were encouraged to spend £500 on their American Express credit cards in return for a £50 benefit, under the title "award-winning offers just for you".

The bank ignored complaints and when those customers went to the ICO, bankers claimed the spam was "a requirement of its Credit Agreements with customers". This was untrue – and the customers bombarded with spam had already opted out of marketing emails.

Justifying the spamming of its own customers, Amex claimed the spam was internally classified as a service message instead of marketing. Service messages are meant to be used for information about the service – for example, notifications of scheduled downtime or changes in interest rates. Instead Amex sent them unwanted inbox filler advertising new products and services.

The bank told its customers: "We feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods."

The ICO found that Amex had broken the Privacy and Electronic Communications Regulations 2003, the law on sending marketing emails. The ICO's monetary penalty notice, which stated that Amex acted negligently rather than deliberately, said: "AMEX, as the transmitter or instigator of the direct marketing, is required to ensure that it is acting in compliance with the requirements of Regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired."

In Amex's case, 49 per cent of its customers had not opted in to receive marketing emails or had explicitly opted out – yet many of these collectively received the millions of messages sent by the bank anyway.

We have attempted to contact American Express for comment and will update this article if we hear back. In Q4 FY2020 alone Amex made $1.4bn in profit.

The maximum fine for a breach of PECR is £500,000, though the regulator indicated it would impose a £90k penalty in a preliminary notice back in February, to which Amex did not object.

The £90k fine equates to 0.021p per nuisance email however it is discounted to £72k if paid by 15 June. This would mean the regulatory cost to Amex of doing business by sending 4.1 million unlawful marketing emails would be about 0.017p per message. Yesterday the ICO priced unlawful emails at 9.5p when it fined a coronavirus track-and-trace company for identical lawbreaking. ®

Similar topics

Other stories you might like

  • Heart FM's borkfast show – a fine way to start your day

    Jamie and Amanda have a new co-presenter to contend with

    There can be few things worse than Microsoft Windows elbowing itself into a presenting partnership, as seen in this digital signage for the Heart breakfast show.

    For those unfamiliar with the station, Heart is a UK national broadcaster with Global as its parent. It currently consists of a dozen or so regional stations with a number of shows broadcast nationally. Including a perky breakfast show featuring former Live and Kicking presenter Jamie Theakston and Britain's Got Talent judge, Amanda Holden.

    Continue reading
  • Think your phone is snooping on you? Hold my beer, says basic physics

    Information wants to be free, and it's making its escape

    Opinion Forget the Singularity. That modern myth where AI learns to improve itself in an exponential feedback loop towards evil godhood ain't gonna happen. Spacetime itself sets hard limits on how fast information can be gathered and processed, no matter how clever you are.

    What we should expect in its place is the robot panopticon, a relatively dumb system with near-divine powers of perception. That's something the same laws of physics that prevent the Godbot practically guarantee. The latest foreshadowing of mankind's fate? The Ethernet cable.

    By itself, last week's story of a researcher picking up and decoding the unintended wireless emissions of an Ethernet cable is mildly interesting. It was the most labby of lab-based demos, with every possible tweak applied to maximise the chances of it working. It's not even as if it's a new discovery. The effect and its security implications have been known since the Second World War, when Bell Labs demonstrated to the US Army that a wired teleprinter encoder called SIGTOT was vulnerable. It could be monitored at a distance and the unencrypted messages extracted by the radio pulses it gave off in operation.

    Continue reading
  • What do you mean you gave the boss THAT version of the report? Oh, ****ing ****balls

    Say what you mean

    NSFW Who, Me? Ever written that angry email and accidentally hit send instead of delete? Take a trip back to the 1990s equivalent with a slightly NSFW Who, Me?

    Our story, from "Matt", flings us back the best part of 30 years to an era when mobile telephones were the preserve of the young, upwardly mobile professionals and fixed lines ruled the roost for more than just your senior relatives.

    Back then, Matt was working for a UK-based fixed-line telephone operator. He was dealing with a telephone exchange which served a relatively large town. "I ran a reasonably ordinary, read-only command to interrogate a specific setting," he told us.

    Continue reading

Biting the hand that feeds IT © 1998–2021