In May 2021, the UK Information Commissioner’s Office (ICO) fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to individual subscribers (customers) who did not want to receive them.[1]

Amex customers had complained to the ICO that they were getting the marketing emails despite having opted out from them. Two customers had continued to receive the unsolicited emails after complaining directly to Amex. Amex had told these customers that the emails were not ‘marketing emails’ but rather ‘servicing emails’, which fall outside the rules for direct marketing. In one of its responses, Amex told the ICO ‘we feel that Card members would be at a disadvantage if they were not aware of these campaigns and promotional periods’.

The ICO disagreed. As its guidance states: ‘Service messages contain routine information such as changes to terms and conditions and payment plans or notice of service interruptions’. The ICO considered that the emails in question all clearly contained marketing material, as they sought to persuade and encourage customers to use their card to make purchases. The customers had not given adequate consent to receive them.

ACMA compliance action

In Australia, the Spam Act 2003 (Spam Act) regulates direct marketing using a commercial electronic message such as an email, instant message, SMS or MMS. Faxes are not commercial electronic messages under Spam regulation 6, and voice calls by telephone are covered separately by the Do Not Call Register Act 2006 (DNCR Act).

The Spam Regulations 2021 under the Spam Act came into effect on 1 April 2021. They clarify what is required for ‘unsubscribe’ options in relation to the unsubscribe facility that must be included in commercial electronic messages. These include that when a message recipient wants to use the unsubscribe facility provided, they should not be required to:

  • Use a premium service;
  • Provide personal information (within the meaning of the Privacy Act 1988) in addition to the electronic address to which the message was sent; or
  • Log into an existing account or create a new one.

These new regulations are an indication that the Australian Communication and Media Authority (ACMA) will continue its active monitoring of systems, processes and practices under the Spam laws, and take enforcement action if necessary. This action includes issuing infringement notices, accepting court-enforceable undertakings and giving formal warnings to businesses. ACMA may also commence proceedings in the Federal Court of Australia.

To date in the period 2020-21 ACMA has accepted five undertakings under the Spam Act. In January 2021, ACMA announced that Kogan Australia Pty Ltd had agreed to a three-year enforceable undertaking and paid a A$310, 800 infringement notice in relation to a finding that it had sent more than 42 million marketing emails to recipients who could not easily unsubscribe. In mid 2020, Woolworths paid a A$1million infringement notice and entered into an enforceable undertaking after ACMA found it had sent more than five million marketing emails to customers for sometimes lengthy periods after their unsubscribe request was made.[2]

Will ACMA turn its attention next to breaches relating to the sending of ‘factual information’, the Australian equivalent of the UK’s ‘service messages’?  Or to what constitutes valid consent to receive commercial electronic messages? Some trend indication was given by ACMA’s key compliance priorities for 2020-21, which included illegal financial services marketing by SMS, email and phone. As ACMA notes, these can cause serious harm, particularly for vulnerable people. Public consultation about priorities for the year ahead concluded in March 2021.

Key takeaways

In light of this heightened compliance focus, businesses would be well advised to take heed of the mistakes recently made by others and review their marketing procedures and practices to ensure that:

  • They understand the difference between a ‘commercial electronic message’ and a ‘designated commercial electronic message’ that is factual information;
  • Their commercial electronic messages always include a functional opt out or unsubscribe option; and
  • That they have made it easy to opt out of marketing emails.

[1] The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). It is issued under s 55A of the Data Protection Act 1998.


For further information please contact:

This article is for general information purposes only and does not constitute legal or professional advice.  It should not be used as a substitute for legal advice relating to your particular circumstances.  Please also note that the law may have changed since the date of this article.