Are your service messages actually direct marketing?
Navigating the line between service messages and marketing messages can be tricky, as American Express has just discovered.
The ICO has fined AMEX for a contravention under the Privacy and Electronic Communications Regulations (PECR), and this is not the first time the regulator’s spotlight has shone on this area.
Others have been sanctioned before for sending ‘service’ messages that are found to fall under the definition of direct marketing, to customers who’ve opted out of marketing.
It’s important to point out we all have feet of clay; I’m sure many other organisations are shimmying along this regulatory tightrope. Some consciously pushing the boundaries, others inadvertently breaking the rules.
And just to be clear, in this case the ICO found AMEX hadn’t deliberately flouted the rules but did find them to be negligent.
With that in mind, what did AMEX do? How can you avoid making the same mistake?
The ruling in a nutshell
An ICO investigation found AMEX had sent marketing emails to people who’d not given their consent or who’d opted out. More than four million messages were sent over the course of a year (June 2018 – May 2019).
The key here is AMEX’s decision to internally classify these emails as ‘service’ messages, which is why customers who’d opted out / objected to marketing still received them.
The ICO disagreed and determined these were direct marketing, and marketing opt-outs should have been applied.
What was the content of the emails?
During the investigation AMEX provided the ICO with a number of different types of emails which they classed as ‘service’ messages.
The nature of these emails ranged from encouraging people to download the AMEX app, to how to make the most of an AMEX card, rewards and offers, how to earn more rewards by referring friends, getting an improved rate on cashback, and so on.
Why were they internally classed as ‘service’ messages?
In its defence AMEX said the emails were an integral part of the service they provide to AMEX customers. Their argument was that a crucial aspect of being an AMEX customer was taking advantage of member benefits. They said this was cited by customers as one of the primary reasons for having an AMEX card.
AMEX therefore determined these messages were necessary and “required to be sent based on legal and contractual requirements”.
They said the aim of the communications was to reinforce messages, to make sure customers were clear on how their benefits worked. They also said they wanted to make sure card members got value for money and “avoided any disappointment or detriment”.
In short, you might argue AMEX decided to fix the line between service and marketing messaging too far in the direction of marketing. The ICO certainly thought so.
I’m sure AMEX won’t be alone in having taken this approach.
The ICO’s conclusion
The regulator assessed the content of the emails and found the following:
- The emails encouraged customers to use their AMEX credit cards to make purchases or, in specific cases, download an app
- The emails were clearly of an advertising and promotional nature
- None were “neutrally worded and purely administrative” in nature
Whatever their stated purpose internally, the ICO found the email content fell under the definition of direct marketing. The emails were aimed at encouraging customer actions from which AMEX would financially gain.
The Data Protection Act 2018 (“DPA 2018”) defines direct marketing as “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”. This definition also applies for the purposes of PECR.
These emails were sent to customers irrespective of whether they had given their consent to promotional emails (when they opened an account) or had subsequently opted out of marketing emails.
The ICO ruled that as these were not essential service messages, AMEX could not rely on them being necessary for contractual requirements.
The penalty notice makes it clear:
There is no exemption under PECR Regulation 22 which allows organisations to send marketing emails they consider advantageous for subscribers where they have not received prior consent to do so. If there were, such an exemption would likely be relied on by all persons in breach of the PECR direct marketing rules.
In its findings the ICO says AMEX should have made sure its marketing operations complied with the relevant statutory regime, and that it was reasonable to suppose AMEX should have been aware of its responsibilities.
The penalty notice reveals AMEX received twenty-two complaints about ‘service’ emails during the period investigated. Five people complained directly to the ICO, some after initially raising their concerns with AMEX (but not all).
What struck me was the tiny percentage of complainants… especially when you consider AMEX sent out four million emails. (Admittedly this figure is likely to include repeated emails to the same individuals).
It starkly illustrates how only a few complaints can cause a world of pain. (There have been cases in the past based on a single complaint).
How was the fine determined?
For those wondering why this wasn’t an eye-watering multi-million pound fine, it should be remembered this was a contravention of PECR not GDPR. Under PECR, the maximum fine that can be levied is £500,000.
In determining whether to issue a monetary notice, the Commissioner judged that AMEX had access to sufficient financial resources to pay the proposed fine without causing it undue financial hardship.
The Commissioner considered a penalty sum of £90k was both reasonable and proportionate.
The penalty notice notes AMEX undertook its own independent internal review when the Commissioner began her investigation. AMEX stopped marketing to customers who had opted out of receiving direct marketing communications by email and has made changes to processes and procedures to ensure compliance with PECR.
Okay, so what IS a service message?
The ICO’s draft Direct Marketing Code of Practice sets out what would be considered a ‘service message’.
Essentially, it’s a communication sent to individuals for administrative or customer service reasons, which must be neutral in tone, purely providing important and necessary service information.
It must NOT include any advertising or promotional materials. The ICO says the key is in the ‘phrasing, tone and context’.
If a message is actively promoting or encouraging an individual to make use of a particular service, a special offer, or upgrade for example, then it is likely to be direct marketing.
And, if your email communications are likely to fall under the definition of direct marketing, you should be adhering to the email marketing rules under PECR.
What lessons can be learnt?
This fine is a wake-up call for many organisations who’ve not clearly defined service versus marketing messages. And for those who are knowingly taking a risk? Watch out!
Do you have clear rules for your marketing and communications teams to follow? Do your people understand where to draw the line? Do you have an internal compliance review process for emails purported to be ‘service’ emails?
In AMEX’s case, the penalty notice reveals they did have an internal email communications policy with training in place. However, the ICO found they’d classified ‘service’ messages incorrectly.
I suspect this case will be of particular interest to businesses who’ve taken a decision to class customers as ‘members’ and taken the step of bundling promotional messages in as being necessary ‘service’ messages.
This case shows semantics aren’t good enough here; the ICO takes a strict interpretation and a handful of complaints can put you firmly in their crosshairs.
The key, for me, is AMEX sent emails which were not absolutely necessary, and AMEX customers who didn’t want to receive these had no way of objecting to them.
Let’s not forget the right to object to processing is a fundamental data protection right; you need a robust justification for refusing to fulfil this. (And the right to object to direct marketing is absolute).
Maybe if AMEX had been able to provide an opt-out from such comms, given people a choice, some wouldn’t have felt the need to complain to the ICO.
There’s a clear message here to take your customers seriously: if they are complaining, they may have a point. You can read the full details in the ICO Penalty Notice.