American Express Fined Over Millions of Spam Messages | Threatpost

American Express Services Europe has been fined £90,000 ($127,377) by a U.K. regulator, which found the company illegally blasted out 4 million marketing emails to customers who had opted out of receiving them.

Critics said the fine, which is nominal for the multi-national financial brand, isn’t likely to do much to deter Amex, or any other company, from engaging in the practice.

Amex claimed the emails weren’t marketing messages, but service communications, which are allowed under U.K. information privacy regulations. However, an investigation by the U.K.’s Information Commissioner’s Office found that out of 50 million emails Amex sent and classified as “service” emails over a 12-month period, 4,098,841 were marketing messages, “designed to encourage customers to make purchases on their cards which would benefit Amex financially. It was a deliberate action for financial gain by the organization,” the ICO announcement of the fine explained, adding the company continued the practice even following consumer complaints.

PECR Makes Marketing Spam Illegal

The Privacy and Electronic Communications Regulations (PECR) give customers in the U.K. control over the marketing messaging they receive, and grant the ICO authority to fine companies in violation of basic rules. In fact, PECR explicitly makes it illegal to send marketing messages to consumers without permission.

“Our investigation was initiated from just a handful of complaints from customers, tired of being interrupted with emails they did not want to receive,” ICO head of investigations Andy Curry said. “I would encourage all companies to revisit their procedures and familiarize themselves with the differences between a service email and a marketing email and ensure their email communications with customers are compliant with the law.”

Fine ‘Slap on the Hand’

Netenrich’s John Bambenek said fines this small aren’t likely to do much to deter companies from pushing boundaries.

“Many countries have laws that regulate sending spam,” Bambenek told Threatpost by email. “In the U.S., the CAN-SPAM Act governs this. The reason we keep seeing spam is because the laws governing it are truly toothless.”

Dirk Schrader from New Net Technologies described the fine as “a slap on the hand to Amex,” and added, “likely the company will simply accept the fine and tune their messaging as it is now seen as a known offender.”
