American Express Services Europe Limited (AMEX) becomes the thirteenth company to be fined by the Information Commissioner’s Office for failures to comply with direct marketing requirements in 2021. The financial services company was recently fined £90,000 by the ICO for sending over four million marketing emails without the consent of its customers.
Between 1 June 2018 and 21 May 2019, AMEX sent over 50 million emails which it classed as “servicing communications” to its customers. The ICO, however, disagreed with how AMEX had classified a large number of those emails. Following an ICO investigation, prompted by various customer complaints, the ICO found that over 4 million of those emails were, in fact, marketing emails. This was because the emails were intended to encourage customers to make card transactions that would benefit American Express financially. The ICO described AMEX’s practices as “a deliberate action for financial gain by the organisation”.
In general terms, direct marketing emails can only be sent where:
- contact details have been obtained through the course of a sale or negotiations for the sale of a product or service;
- the direct marketing is in respect of a similar product/service; and
- the recipient has been given a simple means of refusing the use of his contact details for such purposes.
These rules can be found in the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR as they are better known.
Although AMEX had an opt-out mechanism in place, it failed to monitor the system, and customers continued to receive marketing emails despite having opted out of them. AMEX also did not review its marketing model following customer complaints.
As this ruling demonstrates, the distinction between service messages and marketing messages is an important one and can have significant financial consequences for those engaged in marketing. Service messages do not come within the scope of the rules on direct marketing whereas marketing messages do.
The moral of the story is that businesses should exercise caution before classifying emails as service messages rather than marketing emails. Service messages can best be described as those that contain routine information such as information about delivery arrangements, product safety, changes to terms and conditions and payment plans or notice of service interruptions. In contrast, direct marketing is any communication of advertising or marketing material that is directed at particular individuals.
As AMEX found to its cost, if a message includes any significant promotional material aimed at getting customers to buy extra products or services or to renew contracts that are coming to an end, that message will be considered to include marketing material and will be subject to the rules on direct marketing.
Cracking down on unlawful marketing
The AMEX fine follows a long list of fines issued by the ICO for failures to comply with telemarketing and e-marketing requirements, confirming the ICO’s clear intention to crack down on unlawful marketing emails and telephone calls.
In particular, several companies have been investigated and fined by the ICO for sending unsolicited marketing emails and telephone calls during the COVID-19 pandemic. Most recently, Tested.me Ltd, a company which provides contact tracing QR codes, was fined for sending marketing emails without the consent of users. The ICO found that the QR code provider used the personal data of individuals who gave their data to businesses for government contact tracing purposes to send direct marketing emails.
In response to this, and the general increase in the usage of QR code technology, the ICO has met with providers to ensure they understand their obligations and assist in improving their practice. In addition, the ICO created guidance for QR code providers and those who collect data for contact tracing purposes. These businesses should read the guidance carefully and understand how to process the data and the specific purposes for collecting the data.
More generally, businesses contemplating a marketing campaign need to be aware of and comply with applicable data protection requirements.
- Be aware of data protection regulations in relation to marketing.
- Ensure you obtain consent before marketing.
- Make sure you offer an opt-out mechanism and do not market to those who opt out.
- Seek legal advice if you are unsure.