Amex Fined After Sending Over Four Million Spam Emails
American Express is the latest big-name brand to receive a fine from the UK’s data protection regulator after spamming millions of customers.
The Information Commissioner’s Office (ICO) fined American Express Services Europe (Amex) £90,000 after it sent over four million marketing emails to customers who did not want them.
The ICO said it began its investigation after complaints from some of those customers, who claimed to have opted out of receiving the missives.
Amex rejected these complaints, saying the emails were about “servicing” rather than marketing, according to the ICO. The content of these messages apparently included how to get the most out of your card, info on the rewards of shopping online with Amex, and how to download the firm’s app.
However, the ICO disagreed, claiming that a little over four million of the 50 million emails sent as part of this campaign were “a deliberate action for financial gain by the organization” — and as such constituted a marketing effort.
In addition, Amex decided not to review its marketing model following the customer complaints.
Andy Curry, the ICO’s head of investigations, argued that Amex is now facing the “reputational consequences” of making the wrong call.
“The emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases,” he added.
“Amex’s arguments, which included that customers would be disadvantaged if they weren’t aware of campaigns, and that the emails were a requirement of its Credit Agreements with customers, were groundless.”
Curry encouraged all companies to revisit their procedures and take time out to better understand the differences between service and marketing emails, ensuring their policies are compliant.
Although the ICO is the UK’s regulator for GDPR, this fine was issued under the country’s Privacy and Electronic Communications Regulations 2003, which state that it’s illegal to send marketing emails to people unless they have freely consented.
Source: Infosecurity Magazine