By Matt Getz and Michael Smyth
The U.K.'s data protection regulator — the Information Commissioner's Office — fined American Express Services Europe Ltd. £90,000 ($124,300) in May for sending more than 4 million unsolicited direct marketing emails to customers over a 12-month period.
The action against the U.K.-headquartered American Express Co. subsidiary serves as a handy reminder that the General Data Protection Regulation isn't the only game in town.
In this case, the violation was of a different, though related, regulation: the Privacy and Electronic Communications (EC Directive) Regulations.
The PECR regulates all direct marketing by electronic mail. This includes text messages and social media direct messages as well as emails, whether personal data is processed or not.
Under PECR Regulation 22, a person must not send electronic mail direct marketing to individuals unless the recipient:
- Has specifically consented; or
- Is an existing customer who has purchased a similar product or service from the same organization and has been provided with, but not exercised, the choice to opt out of marketing communications.
Direct marketing is defined, by Section 122(5) of the Data Protection Act 2018, as "communication (by whatever means) of advertising or marketing material which is directed to particular individuals," but, as will be seen, whether a given communication counts as marketing is not always clear.
The condition of consent is quite onerous and has become more so since the enactment of the GDPR, as the PECR now applies the GDPR's definition of consent — Article 4(11) of the GDPR, which states:
[A]ny freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Importantly, under Article 7(4) of the GDPR, performance of a contract cannot usually be made conditional on consent to processing that is not necessary for that contract. In other words, organizations cannot require that customers agree to receive later marketing emails in order to obtain the company's services.
The ICO's Investigation
The ICO's investigation began following five complaints from AmEx customers who received emails from AmEx about company offers and the AmEx mobile app, although they had opted out of receiving marketing communications.
AmEx argued that the emails were not direct marketing. Rather, it said they were sent for the purpose of "servicing" customers: "Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods."
It also argued that in some instances they were required to be sent as part of AmEx's contractual requirements with its customers.
But the ICO disagreed, for four key reasons:
- The emails were not neutrally worded and "purely administrative";
- Regulation 22 provides no exception for marketing communications that the organization considers would be "advantageous" for customers, in the absence of consent;
- The emails sought to encourage customers to use their AmEx card or the AmEx app, which would benefit AmEx financially; and
- To the extent AmEx may have considered that the emails were sent as part of its contractual requirements, the ICO considered that contractual terms "cannot override the statutory protection afforded by PECR Regulation 22," not least because consent is not freely given if it is required as a condition of providing services but is not in fact necessary for contractual performance.
While AmEx had a set of email marketing policies, the ICO considered that the policies could have gone further in ensuring that AmEx's procedures were compliant with PECR.
Other Recent Action Against Direct Marketing
AmEx is not the only company recently investigated and fined by the ICO for breaches of the PECR. On March 5, the ICO levied a £250,000 fine against Leads Work Ltd. for sending the following unsolicited text message over 2.6 million times in mid-2020:
In lockdown and want to earn extra cash? Avon is now FULLY ONLINE, FREE to do and paid weekly. Reply with your name for info. 18+ only. Text STOP to opt out.
Unlike the AmEx emails, which led to only five complaints out of roughly 50 million emails sent in the period (more than 4 million of which the ICO found to be marketing), the LWL text message led to what the ICO called a "record" 10,000 complaints.
On June 8, the ICO also fined Colour Car Sales Ltd., Solarwave Ltd. and LTH Holdings Ltd. a total of £415,000. These fines followed complaints concerning marketing text messages and phone calls to customers, which lacked appropriate consent.
These actions further underscore the ICO's willingness to act on complaints to ensure PECR compliance.
The facts of the AmEx case show that the line between servicing and marketing communications is not clear.
Reasonable minds could differ, for example, as to whether an organization should tell existing customers about its app, even if they have opted out of marketing emails.
The ICO, however, appears to consider content that "engage[s] in advertising and marketing" as antithetical to a servicing communication.
Organizations should therefore take great care to ensure that communications sent to customers without appropriate marketing consents are neutrally worded and truly administrative in nature.
In a financial services context, for example, the ICO has implied that it would consider communications relating to fraud prevention or credit application assessment as falling into that category.
It is therefore essential that firms carefully consider the rationale for sending communications, and clearly document the reasons they may consider that consent is not required.
It is important to have a set of written policies, as AmEx did; but it is equally, if not more, important to review them carefully and regularly to ensure that they incorporate and foster compliant behavior.
Where consent is relied on as the basis for sending direct marketing communications, an effective audit trail compliant with Article 7(1) of the GDPR, which requires the controller to be able to demonstrate that consent was given, should be kept.
This should include the details of consents that have been obtained, including the time, scope and form of consent. Consents should also be monitored and refreshed as necessary.
The fines may not seem huge: £90,000 is not, in the absolute, a large number for a firm like AmEx, and it equates to roughly 2p per infringing email (about 0.2p per email sent over the period). But the costs in management time and reputation may be much higher.
According to the ICO's monetary penalty notice, it first contacted AmEx in June 2019, so the process took almost two years, and AmEx searched and produced for it 352 distinct emails.
Keeping up with changing regulations is necessary and, as ever, more complex post-Brexit. In the EU, the e-Privacy Directive, which the PECR implements, is being replaced with the e-Privacy Regulation, which will not apply in the U.K.
In the U.K., the ICO consulted from 2018 to early 2020 on a draft Direct Marketing Code of Practice. The consultation has been closed for 15 months and there is no word as to when the final code will be released.
This article was first published by Law360 on July 2, 2021.