American Express Services Europe Limited – €105,300 Fine (United Kingdom, 2021)

Between 1 June 2018 to 31 May 2019, a total of 4,098,841 direct marketing messages were sent to subscribers who had opted-out to receiving marketing emails by, or at the instigation, of AMEX. These messages contained direct marketing material for which subscribers had not provided adequate consent. AMEX says the emails had not been classified as "marketing emails" but "servicing" emails " feeling that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". They consequently argued such emails did not demand consent under the UK PECR. The ICO was satisfied that these emails constituted "direct marketing" as defined by section 122(5) of the UK Data Protection Act 2018, because each of the emails encouraged customers to use their AMEX credit cards to make purchases. One category of emails (the AMEX app emails) also encouraged customers to download and/or use the AMEX app. Additionally, the ICO pointed out that AMEX's "International Email Policy - United Kingdom" indicates that "servicing" emails involve advertising and marketing content. The ICO considered that the contravention was serious as between the 12-month period, a confirmed total of 4,098,841 direct marketing messages were sent containing direct marketing material for which subscribers had not provided adequate consent. Further, AMEX had failed to take reasonable steps to prevent the contraventions. The ICO therefore fined AMEX £90,000.