ICO fines Amex £90,000 for sending unlawful marketing emails

Posted on 25 May 2021

The ICO has fined American Express Services Europe Limited (Amex) £90,000 for unlawfully sending more than four million marketing emails to customers.

Servicing and marketing emails 

Between 1 June 2018 and 31 May 2019 Amex sent over 50 million emails to its customers, some of whom complained they were receiving marketing emails despite opting out. Amex rejected the complaints, alleging the emails were servicing emails, not marketing emails, and so not covered by the specific rules around electronic marketing. 

Organisations may send service messages containing routine information, such as changes to terms and conditions and payment plans, or notice of service interruptions or product safety. However, strict rules apply to direct marketing messages, which are any communication of advertising or marketing material directed at particular individuals. The ICO's guidance explains this key difference in more detail. Under the Privacy and Electronic Communications Regulations 2003 (“PECR”), marketing emails may not be sent to individuals unless they have consented.

ICO investigates and imposes fine 

The ICO received three complaints from customers in April and May 2019, which it investigated. After the investigation commenced, it received two further complaints in June and July 2019.

The ICO’s investigations found the emails in question included:

  • Details on the rewards of shopping online with Amex
  • Information on getting the most out of using the card
  • Encouragement for customers to download the Amex app

The ICO disagreed with Amex’s argument that the emails were service emails. Amex had sent over 50 million purported servicing emails to its customers. Between 1 June 2018 and 21 May 2019, over four million of these were marketing emails designed to encourage customers to use their Amex card for purchases, which would benefit Amex financially. The emails were therefore for Amex’s financial gain and classified as marketing. The ICO noted Amex did not review its marketing model despite receiving the customer complaints.

The ICO fined Amex £90,000 for sending unlawful marketing emails.  


The rules around electronic marketing are strict. This fine reflects the importance of knowing when emails are marketing emails, in contrast to service emails. The maximum fine under the PECR is £500,000.  Despite there being only five complaints in total, the ICO considered the breach to be serious and worthy of a substantial fine.

If the material advertises any goods or services of the business, or contains any significant promotional material aimed at making customers purchase extra products or services, and is targeted at specific individuals, it is likely to be captured by the PECR and subject to the rules on direct marketing.

Future Development: E-Privacy Regulations

The PECR are likely to be replaced in Europe by the E-Privacy Regulations. They have yet to be enacted and, once enacted, will apply in the EU, but UK businesses will need to take note of them if they do business within the EU. In addition, the E-Privacy Regulations will apply to any processing of electronic communications data related to:

  • Electronic communications services provided to end-users within the EU, and
  • End-users’ terminal equipment located in the EU (for example, any cookies or similar monitoring or tracking applications on the end user’s devices)

For further information around electronic communications and marketing, please contact our Data Protection Team.

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.
