AMEX Data Breach 2021: ICO imposes £90,000 fine

Last week, the Information Commissioner’s Office (“ICO”) fined American Express (“Amex”) £90,000 (subject to an early payment discount of 20% and any appeal by Amex) for sending more than four million unwanted marketing emails to customers. Below, we explore what triggered the fine and the key learnings for your organisation.


In its news announcement about the fine, the ICO explained that it began investigating Amex after receiving a handful of complaints from the company’s customers. The complaints centred around receiving unwanted marketing emails, whereby the customers had opted out of communications but were still receiving them.

Amex itself had rejected the customer complaints, stating that the emails were ‘service emails’, and not marketing. For context, service communications are non-promotional. Their purpose is purely informative, and the tone and phrasing are straightforward. Common examples include changes to terms and conditions, payment plan modifications, delivery notifications, or service interruptions.

Under the Privacy and Electronic Communications Regulations (“PECR”), service communications can be sent to customers without prior consent. On the other hand, marketing communications, which aim to financially benefit or promote the business, require consent if they are being sent to an individual (or an ‘individual subscriber’ to use the terminology in the PECR). Alternatively, they must meet the requirements for relying on the ‘soft opt-in’, as set out at Regulation 22(3) of the PECR.

Amex argued that the emails it sent to customers did not fall under the marketing banner and, therefore, did not require consent, on the basis that:

  • Customers would be disadvantaged compared to others if they did not know of the campaigns shared
  • The emails were a requirement of its Credit Agreements with customers

However, the ICO disagreed and held that the emails were, in fact, promotional. They included “details on the rewards of shopping online with Amex; getting the most out of using the card and encourage[ed] customers to download the Amex app.”

The investigation found that, between June 2018 and July 2019, Amex sent over 50 million of what it called ‘servicing emails’ to customers. However, from its analysis, the ICO concluded that over 4 million of those emails were actually marketing emails, intended to encourage customers to engage with the company and make purchases on their cards. This, the ICO noted, “would benefit Amex financially.”

What was the fine for?

Under the PECR, marketing emails can only be sent to customers and prospects who have explicitly consented to them. This is referenced in article 22, which states that:

“a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents.”

The word consent is paramount here. As outlined in the General Data Protection Regulation (“GDPR”), it must be a freely given, specific, unambiguous statement of agreement.

In the case of Amex, the customers who complained to the ICO had given the opposite of consent. They had actively opted out of receiving these emails, but were still receiving them. Because the ICO deemed the communications to be direct marketing, it found the company to be in violation of article 22.

As a result, the ICO fined Amex £90,000 for the violation. The monetary penalty could have gone up to £500,000, but the ICO minimised the fine on the basis that Amex did not realise it was thwarting regulations, given that it seemed to genuinely think the emails were ‘service communications’.


The fine highlights the confusion between marketing and service communications within many businesses. Within PECR and GDPR, service communications can be sent based on legitimate interests, meaning no prior permission is needed. However, as the Amex fine illustrates, marketing communications need lawful consent (if the soft opt-in is not available).

Complexity arises in this space when messages blur the boundaries of both services and marketing. For example, let’s say you are a telecoms provider, and you send a message to a customer like this: “Your data allowance is almost up. Click here to purchase more.”

The first half of this communication is a service message but the second half, encouraging the customer to purchase more data, is promotional. While you may consider this communication a service message, the ICO notes in its Direct Marketing Guidance that “if the call or message includes any promotional material, or collects data to use in future marketing exercises, the call or message will be for direct marketing purposes.”

It is also important to remember the interplay between PECR and GDPR. Article 21 of the GDPR (and the UK GDPR here in the UK post-Brexit) is the right to object. This right is not absolute except in the case of marketing, in respect of which Article 21(2) states:

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.”

What is also interesting about this case is that the ICO contacted Amex after having received only three complaints. It clearly doesn’t take more than a few complaints for the ICO’s PECR team to take an interest in perceived violations, and it is worth noting that this team are far more proactive in enforcing PECR than the ICO has proven to be in enforcing GDPR.


In its conclusion of the Amex penalty, the ICO encouraged “all companies to revisit their procedures and familiarise themselves with the differences between a service email and a marketing email, and ensure their email communications with customers are compliant with the law.”

For your business, this fine is a reminder to carefully consider what you define as service communications. If emails, texts or calls are in any way self-serving or promotional, you are at risk of a compliance violation under PECR.

As mentioned above, the ICO’s Direct Marketing Guide is a good place to start, to familiarise yourself with the nuances of service communications and marketing consent. In line with this, it’s also worth reviewing your current mass email strategy and checking with legal/data protection specialists that your proposed communications are in line with PECR.

In conclusion, the Amex example shows that consumers are becoming more data protection and privacy-aware. Neither customers nor regulators take kindly to organisations negligently processing their data. By staying compliant and fulfilling your regulatory obligations, you can save your company from hefty fines, while also improving your relationship with customers.

Need Help?

If you’re concerned about the legitimacy of your marketing communications, or need help to understand the mosaic of compliance regulations out there, we’re here to assist. As a specialist data protection consultancy, Evalian is well placed to help you feel confident moving forward. Get in touch today.

Written by Evalian®