American Express breaches data laws with emails – what you need to know

The most recent fine issued to American Express Services Europe Limited (Amex) from the Information Commissioner’s Office (ICO) is the perfect example for anyone doing email marketing.

In this article I’ll go through the case and how you can avoid fines from the ICO.

How did American Express breach PECR?

The ICO found that from 1 June 2018 until 21 May 2019, Amex sent over 4 million unlawful emails to customers. 

These emails were classed as ‘service emails’ but were actually marketing emails.

  • Service emails, also known as transactional emails, are emails that contain legitimate updates that might impact a customer. For example, this could be an update about a recent payment on their account, an expected delivery date for an order, a recent customer service interaction, or changes to a contract or legal document such as a privacy policy.
  • Marketing emails are classified as those “designed to encourage customers to make purchases” (Source: ICO). These are emails that the customer must freely give consent to receive (as covered under GDPR-EU, GDPR-UK and PECR) or that must qualify under a PECR soft opt-in.

American Express classified these communications as “service emails”, but the ICO found that they were effectively marketing emails.

Why were the emails classified as “marketing emails” and not “service emails”?

The information below is all sourced from the ICO’s judgement, which you can read in full here.

As per the judgement, the emails were seen as marketing promotions because they would benefit Amex financially. This included:

  • Emails that linked to Amex’s website and contained offers available to Amex customers.
  • Emails that encouraged the subscriber to download the Amex app to view their loyalty points balance and explore the latest products and savings available to them.

There were three distinct emails that only had promotional content. An example of one of these three emails stated that if a customer spent £500 on [redacted product] they would receive £50 on [redacted product]. The email was titled “award-winning offers just for you” and included links to the offer.

Amex stated that it considered these communications ‘service emails’ as “we feel that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods”. 

The ICO did not find this to be the case. 

What other data breaches did American Express commit?

American Express did not take the appropriate actions after receiving the customer complaints.

Customers who had clicked to opt-out of these emails were still having these emails sent to them. They were not unsubscribed from these marketing lists.

Amex did not respond in the best interest of the customer following customer complaints and did not review its marketing model. The ICO found this was a deliberate decision not to rectify the situation and not to uphold customers’ data privacy rights.

Check the updates for yourself: American Express’ Email Preferences information page. Do you think this is easily understandable for customers?

How large was the fine? 

Under the Privacy and Electronic Communications Regulations (PECR), the maximum monetary penalty that the ICO has the power to impose on a data controller is £500,000.

American Express were fined £90,000, and did not contest this fine.

This may not seem like a large amount, but the real impact for Amex will be the reputational damage and the customer dissatisfaction. This case will be permanently on the ICO’s site, and the decision has been covered by data regulation groups. You can read more about what happens to the money when companies pay a data privacy fine here.

How Amex is seen on the ICO’s News section.

How many complaints were made?

There were only three complaints to the ICO, which shows how seriously the ICO takes these complaints.

Of those three complainants, two had first complained directly to American Express, expressing that they did not want to receive these emails. Amex responded, saying that these emails were NOT marketing emails as they were “providing customers with information in relation to extra products or services, or to renew contracts that are coming to an end” (Source: ICO).

The customers reached out to the ICO after finding this response insufficient, and during its investigation the ICO found that these emails were marketing emails.

Head of ICO Investigations Andy Curry said:

“This is a clear example of a company getting it wrong and now facing the reputational consequences of that error.” (Source: ICO)

What can we learn?

There are three key learnings that marketers, or those reviewing email campaigns, should consider.

1. It doesn’t take much for cases to be investigated

Three complaints was all it took. Previously, consumers and other members of the data privacy community have called out the ICO for inaction.

Increasingly, the ICO is taking more enforcement action. The soft approach taken when GDPR was first introduced is starting to wane as the ICO ramps up hiring of case officers.

2. There is a clear distinction between marketing and service communications

Sales growth is important, and there’s always pressure to deliver results. However, keeping your customers updated is different from trying to sell them additional products. Blurring the two can damage brand reputation both immediately and in the long run, as customers grow frustrated with communications they did not sign up for.

Sending a customer important information about their account, like a change to the terms and conditions, is a service email. Sending customers a promotional offer is clearly a direct marketing email.

There would likely have been multiple marketers working on this campaign, so we wonder what definitions of service vs. marketing communications Amex was relying on. We also wonder whether the team was kept up to date with GDPR training as required by law, and whether it had access to a data privacy officer or a manager trained in data privacy law to consult with.

3. What you do after matters as much as the breach itself

The emails were clearly in breach of Regulation 22 of the Privacy and Electronic Communications Regulations (PECR) 2003. However, as we can glean from Amex’s response, it did not take the time to review the regulations properly after the complaints, and it continued to define these emails as “service communications”.

There was an additional error in that customers who opted out were not unsubscribed properly, and that is the point at which the customers reached out to the ICO.

This shows the importance of regular data privacy law reviews and of taking a customer-centric approach when dealing with complaints. If Amex had sought to address its customers’ complaints in a more sympathetic way, then perhaps it could have avoided these ICO complaints.

Read the full report on the ICO’s website here.