The UK data regulator fined American Express (Amex) £90,000 for sending over 4 million spam emails to customers in a year.
During the inquiry, the UK Information Commissioner’s Office (ICO) discovered that Amex had sent over 50 million emails to its customers that they said were service emails.
According to the ICO, between June 1, 2018, and May 21, 2019, 4,098,841 of those emails were marketing emails intended to enable consumers to use their cards to make transactions that would help Amex financially.
The ICO found Amex’s claim that they were sending emails to warn their customers about ongoing promotions to be unfounded.
The emails were direct marketing emails sent to consumers who had opted out, according to the UK data regulator.
Also read: Domino’s data breach: Users’ data available on dark web
Since marketing emails were a part of Credit Agreements with consumers, the company dismissed the concerns and chose not to review its marketing model.
According to Andy Curry, the ICO’s Head of Investigations, their investigation was sparked by a small number of reports from consumers who were tired of being bombarded with emails they didn’t want to receive.
He also said that they will advise all businesses to review their processes and become familiar with the distinctions between a service email and a marketing email, as well as ensure that their email interactions with customers are legal.
Amex violated Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR), which gives people specific privacy rights in relation to electronic communications, by sending marketing emails to people who didn’t want to receive them.
While the UK data watchdog has the power to fine data controllers up to £500,000, it chose to fine Amex just £90,000 because the company did not want to breach PECR in this case.
Amex has until June 17 to pay the fine, and if it is paid in advance, the Commissioner will decrease it by 20% to £72,000.
You might also like: E-commerce giant Mercari data breach: several data exposed