United States Securities and Exchange Commission
Washington, D.C. 20549

NOTICE OF EXEMPT SOLICITATION
Pursuant to Rule 14a-103

Name of the Registrant: American Express Company

Name of persons relying on exemption: Change Finance, P.B.C.

Address of persons relying on exemption: 705 Grand View Drive, Alexandria, VA 22305

Written materials are submitted pursuant to Rule 14a-6(g) (1) promulgated under the Securities Exchange Act of 1934. Submission is not required of this filer under the terms of the Rule, but is made voluntarily in the interest of public disclosure and consideration of these important issues.

 

PROXY MEMORANDUM

TO: Shareholders of American Express Company

RE: Item No. 6 (“Proposal Relating to Abortion & Consumer Data Privacy”)

DATE: April, 11, 2023

CONTACT: Dorrit Lowsen, Change Finance at shareholder.advocacy@change-finance.com

This is not a solicitation of authority to vote your proxy. Please DO NOT send us your proxy card; Change Finance, P.B.C. is not able to vote your proxies, nor does this communication contemplate such an event. Change Finance urges shareholders to vote for Item No. 6 following the instructions provided on management's proxy mailing.

Change Finance, P.B.C. urges shareholders to vote YES on Item No. 6 on the 2023 proxy ballot of American Express Company (the “Company”). The Resolved clause states:

Shareholders request that our Board issue a public report detailing any known and potential risks and costs to the Company of fulfilling information requests regarding American Express customers for the enforcement of state laws criminalizing abortion access, and setting forth any strategies beyond legal compliance that the Company may deploy to minimize or mitigate these risks. The report should be produced at reasonable expense, exclude proprietary or legally privileged information, and be published no later than September 1, 2024.

.

About Change Finance, P.B.C.

Change Finance, P.B.C. aims to leverage the power of capital markets to promote a more just and sustainable world – a world driven by an economy in service to life.

Change Finance is a long-term shareholder in American Express Company. We support this shareholder proposal because the Company amasses massive amounts of personal sensitive data but lacks transparency as to how such data is or may imperil access to reproductive healthcare. In a time when abortion access is criminalized or severely restricted by half of the states, greater understanding about the Company’s data handling practices is warranted.

Background on the Proposal

Reproductive rights are under siege in the United States. States have passed more than 1,380 restrictions on abortion access since Roe v. Wade – the U.S. Supreme Court ruling in 1973 that legalized the procedure.¹ Following the reversal of Roe v. Wade in June 2022, twelve states have banned most abortion services outright.²

The overturning of the protections of Roe v. Wade elevates the need for the report requested in this Proposal. Law enforcement in abortion-restrictive states have relied on consumer data to investigate and prosecute individuals who have sought abortion or have provided aid to those who have, and are expected to continue to do so.

Digital reproductive health footprints can be easily accessed by law enforcement and lead to criminal charges. Meta recently received significant negative press after complying with a data request from a local Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently charged with felony crimes related to the alleged illegal termination of the daughter’s pregnancy (for additional examples, see Addendum A).³

_____________________________

¹ https://tinyurl.com/4az3pce3

² https://www.nytimes.com/interactive/2022/us/abortion-laws-roe-v-wade.html

³ https://tinyurl.com/msazvebu

As a nationwide business, American Express amasess large troves of consumer data. Indeed, the Company has 56.4 million cards in circulation in the United States alone, and has captured nearly a 19% share of the domestic credit card market.⁴ Notwithstanding, American Express has been largely silent on the issue of data privacy following the revocation of constitutional abortion protections. For example, in response to a popular New York Times report in June 2022 on how payment data could become evidence of illegal abortions, American Express “declined to comment.”⁵

Given the nature of the Company’s sensitive data, American Express will be especially vulnerable to law enforcement data requests related to abortion, particularly with respect to interstate conflicts regarding exercise of reproductive rights in states where abortion remains legal. Americans largely oppose criminalizing abortion, thereby amplifying the risk of reputational damage that may ensue from the Company’s participation in the enforcement of abortion-related criminal laws. Indeed, a January 2023 national poll from Change Research on behalf of Planned Parenthood reveals that “Americans strongly oppose law enforcement being used to enforce abortion bans.”⁶ Similarly, a May 2023 Kaiser Family Foundation national survey found that “majorities of the U.S. public oppose criminalizing women, doctors, or people who assist those seeking abortion care.”⁷ According to the Kaiser survey, at least two-thirds of respondents living in certain states threatened by abortion bans opposed “criminalizing doctors for performing abortions (69%), making it a crime for women to cross state lines to get an abortion (76%), making it a crime for a woman to get an abortion (74%), or allowing private citizens to sue people who provide or assist in abortions (78%).”⁸

Shareholders have reason to be concerned about whether the enforcement of criminal abortion laws will impact the reputation and financial wellbeing of the Company. The Proposal therefore calls upon management to examine the risks associated with the Company’s current data handling practices, including its response to government information requests, in the face of new restrictive abortion laws.

Rationale in Support of the Proposal

1. The Company’s data handling policies are unclear, inconsistent, and incomplete.

2. American Express does not offer transparency reporting regarding data privacy.

3. The Company collects sensitive consumer information beyond credit card usage data that may be vulnerable to abortion-related prosecutions.

4. Regulatory and legal compliance is insufficient to minimize privacy risks related to reproductive healthcare.

_____________________________

⁴ https://www.zippia.com/american-express-careers-566/statistics/

⁵ https://www.nytimes.com/2022/06/29/business/payment-data-abortion-evidence.html

⁶ https://changeresearch.com/wp-content/uploads/2023/01/PPFA-_-Poll-Results-January-2023-1.pdf

⁷ https://www.kff.org/womens-health-policy/poll-finding/kff-health-tracking-poll-views-knowledge-abortion-2022/

⁸ Id.

The Company’s data handling policies are unclear, inconsistent, and incomplete

Consumers interact with American Express in a number of ways governed by different privacy policies that are unclear, vague, and incomplete.

Credit card transactions. According to the Company’s Privacy Notice for consumer products, American Express retains personal information from credit card users such as, among other things, “transaction history and account history.”⁹ It states that personal user data may be shared in response to “legal investigations.” These investigations could include legal actions related to abortion as initiated by law enforcement agencies or those seeking to take advantage of “vigilante abortion laws,” which incentivize citizens with a cash bounty if they succeed in suing individuals who have helped a person get an illegal abortion (such as Texas SB 8, enacted in 2021).

Online interactions with consumers. Consumers may interact with American Express online to research information, engage with the Company on social media, or make payments on their credit card bills. According to the Company’s Online Privacy Statement, the Company may collect personal information from online interactions with consumers, including an individual’s general location, IP addresses, browsing history, and geolocation.¹⁰ However, similar to how it shares credit card data, American Express may provide personal online information to law enforcement in order to comply with government data requests.

While there are constitutional safeguards against government intrusions, these safeguards do not protect consumers who voluntarily share information with a third party. Since American Express gathers explicit or implicit consent from its credit card users and online consumers, law enforcement officials can generally ask the Company to hand over consumer data with a simple request such as a letter from an official government email address or a subpoena, neither of which are reviewed by a judge to ensure that the request is legally sound. However, American Express is not required to hand over the data unless the data request is made pursuant to a judicially enforceable order like a search warrant.

American Express has failed to clarify if law enforcement data requests must be accompanied by a court order or if the Company could voluntarily share the data. For instance, could the Company disclose information about a transaction made at a reproductive healthcare facility in response to a letter from a police department seeking evidence in connection with an illegal abortion, even if the request has not been reviewed or approved by a judge? Financial institutions like PayPal and Salesforce have confirmed they will only respond to law enforcement requests when legally required to.¹¹

_____________________________

⁹ https://www.americanexpress.com/content/dam/amex/us/company/Privacy/Personal-Charge_5.2021.pdf

¹⁰ https://www.americanexpress.com/us/company/privacy-center/online-privacy-disclosures/

¹¹ https://www.paypal.com/us/legalhub/privacy-full (PayPal); https://tinyurl.com/mr2rkue6 (Salesforce)

Without clear disclosures regarding the Company’s data sharing practices, American Express consumers and investors are left puzzled as to how this data may be used for the enforcement of abortion related laws that could result in significant financial penalties and prison time.

American Express does not offer transparency reporting regarding data privacy, exposing the Company to financial and reputational risks

A recent empirical study in the Journal of Marketing showed that vulnerabilities concerning the misuse of commercial data can generate negative outcomes for businesses, including negative abnormal stock returns and damaging customer behaviors such as negative word of mouth and switching to a close business rival.¹² These findings could apply to data vulnerabilities from actual and potential disclosures of abortion-related data to law enforcement, thereby amplifying consumer worries about data misuse. Consequently, corporations collecting large troves of consumer data, such as American Express, are likely exposing themselves to higher financial and reputational risks. Apropos to the current Proposal, the study found that data transparency, among other things, can alleviate these detrimental effects.

American Express does not publish transparency reporting regarding data privacy, in contrast to many other publicly traded companies that do offer transparency reporting specifically on the issue of government data requests. Meta, Amazon and Google offer such reporting semiannually, which includes details on the types of requests, compliance rates and jurisdictional information.¹³ This information would be extremely helpful for investors to make determinations about the Company’s risk exposure as well as serve as an accountability tool. In turn, consumers would gain more assurances that American Express respects the privacy of their data.

Why a YES Vote is Warranted: A Response to the American Express Opposition Statement

In opposing the Proposal, the Company states its data management practices are readily accessible online. Yet as we have described above, these privacy disclosures lack critical information, especially about the Company’s ability to share consumer data for law enforcement purposes. American Express has not updated its online privacy notices since before the U.S. Supreme Court revoked constitutional abortion rights in June 2022.

_____________________________

¹² See Kelly D. Martin et al., Data Privacy: Effects on Customer and Firm Performance, 81.1 Journal of Marketing at 36-58 (2017), https://doi.org/10.1509/jm.15.0497

¹³ https://transparency.fb.com/data/government-data-requests/ (Meta); https://tinyurl.com/y37bzv97(Amazon); https://transparencyreport.google.com/?hl=en_US (Google).

The Company further provides that it receives limited information from credit card purchases and is required to comply with laws regulating government data requests and data retention. However, existing privacy regulations may not be sufficient to minimize the privacy risks contemplated by the Proposal. In addition, the laws cited by the Company purportedly limiting the ability to improve its data handling practices either regulate only one type of data (financial information) or are irrelevant to the concerns of this Proposal.

The Company collects sensitive consumer information beyond credit card usage data that may be vulnerable to abortion-related prosecutions

According to the Company’s opposition statement, it “does not have information about what a customer is purchasing with their cards” such as “product-level” data that would reveal the actual products or services purchased by the card user. However, the Company confirms retaining data about “the monetary amount of the transactions and the merchant where the transaction occurred.” Such information alone would be extremely useful for the enforcement of criminal abortion laws. For example, information about a purchase on a specific date at a reproductive healthcare facility could serve as one piece of evidence indicating that a customer visited that facility for abortion-related purposes. Information about a purchase made at an out-of-state pharmacy, could be used by law enforcement as evidence indicating that the customer purchased abortifacients in a state where abortion is legal but took the medication in a state where the procedure is criminalized.

In addition to transactional information, American Express collects data from its online interactions with consumers, as described above. Some of this data is deeply sensitive and personal and could also serve as evidence that a person aided, provided or received an illegal abortion. For instance, the Company could collect data related to searches related to reproductive health data and privacy (e.g., “Will the American Express monthly statement show that I went to Planned Parenthood?”) or about a consumer’s geolocation at a reproductive healthcare clinic. Whether this data could indeed produce such information or actually place a consumer at risk of abortion-related prosecution is exactly what the Proposal urges American Express to evaluate as part of the requested risk analysis report.

Regulatory and legal compliance is insufficient to minimize privacy risks related to reproductive healthcare

Data privacy laws in the United States are considered by many experts to be lacking in scope and woefully outdated. In fact, there is no single, comprehensive federal law regulating how companies collect, store, or share customer data. In opposing the Proposal, the Company points to two federal laws to essentially say it is severely limited in its ability to enhance its consumer privacy protection or is otherwise required to adopt some of the mitigation measures discussed in the Proposal. Yet the Company again ignores the totality of the data at issue and misleading cites to a law that is irrelevant to the concerns raised by investors in this Proposal.

1. Privacy safeguards like deletion rights could be applied to consumer non-financial data

Federal banking institutions are covered by the Gramm-Leach-Bliley Act (“GLBA”), which requires retention of certain data such as financial transactional data. However, the types of consumer information at issue in the Proposal extend beyond transactional credit card data to cover other types of non-financial data such as online consumer information. As previously described, law enforcement could potentially use a customer’s browsing history to verify if there are any abortion-related searches, or the location of a customer’s cellphone to identify whether the customer was near a reproductive healthcare clinic at a specific time (see Addendum A for examples of this type of law enforcement conduct). As such, deletion rights akin to those provided by the California Consumer Privacy Act could still be applicable to data that is not governed by the GLBA.

Most companies doing business in California, Virginia and the European Union are also required to provide consumers with “deletion rights,” as contemplated by the Proposal.¹⁴ Deletion rights generally grant consumers the ability to have personal information erased in instances where the business is not required to maintain the data. Implementing a sustainable data deletion program can help American Express reinforce its standards and governance for data deletion, meet regulatory requirements, reduce the risk of data breaches, and improve data hygiene overall.¹⁵ Since American Express already complies with data deletion requirements under California and Virginia law, applying deletion rights nationwide could be a feasible and cost-effective mitigation measure to the problems raised identified in the Proposal. In fact, other financial institutions like Mastercard and PayPal have expanded deletion rights to consumers nationwide.¹⁶

2. Stronger data privacy protections could reduce risks associated with the Company’s data handling practices in the wake of newly-enacted abortion laws

As the New York Times reports, “[t]he data collected by the vast majority of products people use every day isn’t regulated.”¹⁷ In most states, companies can use, share, or sell most data they collect about consumers without notifying them that the company is doing so. There is no federal law standardizing when (or if) a company must notify consumers if their data is breached or exposed to unauthorized parties. If a company shares certain consumer data – including sensitive information such as an individual’s location – with third parties (e.g., advertisers or data brokers), those third parties can often sell the data or share it without notifying the affected consumers.

_____________________________

¹⁴ https://oag.ca.gov/privacy/ccpa (California); https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/ (Virginia); https://gdpr-info.eu/art-17-gdpr/ (European Union)

¹⁵ https://www.grantthornton.com/insights/articles/advisory/2020/how-data-deletion-empowers-data-protection

¹⁶ https://tinyurl.com/yck8twbp (Mastercard); https://www.paypal.com/us/legalhub/privacy-full (PayPal).

¹⁷ https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/

As a result of this lax regulatory environment, many businesses have implemented firmer privacy practices that more fully protect consumers from nefarious data uses and increase brand trust. One such practice is abiding by the principle of “data minimization,” in which companies only collect personal data that is strictly necessary for delivering the service a user is expecting to receive, and use it for only that purpose.¹⁸ Data minimization is already a legal requirement for certain companies doing business in the European Union.¹⁹ As a result of data minimization, companies amass less information that may be subject to law enforcement information requests or shared with third parties seeking to participate in the enforcement of abortion-restrictive laws. Notably, data minimization would also reduce the Company’s liability, reputational risk exposure, and storage costs.²⁰ American Express has nonetheless failed to disclose in its various privacy policies whether it abides by this principle.

Privacy experts further recommend that in order to protect consumers from being targets of abortion-related prosecutions, companies should employ data security measures such as data encryption, de-identification, and anonymization.²¹ Encryption is the process of converting information or data into a code, especially to prevent unauthorized access. De-identification entails segregating personally identifiable data like names and addresses from sensitive data that the company stores. Anonymization protects private or sensitive information by erasing identifiers that connect an individual to stored data. It is unclear whether these measures could be applied to consumer information contemplated in the Proposal such as data collected in the American Express website. The requested report would advise investors whether such measures indeed provide material benefits to the Company.

In sum, we believe that implementing the requested report will help ensure that American Express does more to monitor its data handling practices so that they do not expose consumers to serious risks stemming from abortion-related criminal prosecutions, thereby eroding shareholder value by diminishing the Company’s reputation, consumer loyalty, brand, and values.

Vote “Yes” on Shareholder Item No. 6.

For questions, please contact shareholder.advocacy@change-finance.com.

The foregoing information should not be construed as investment advice.

_____________________________

¹⁸ https://pirg.org/articles/do-you-know-where-your-data-is-because-facebook-doesnt/

¹⁹ https://www.business.com/articles/how-to-apply-data-minimization/

²⁰ https://tinyurl.com/2p92fr8t

²¹ https://www.securitymagazine.com/articles/98414-privacy-and-data-protection-in-the-wake-of-dobbs

ADDENDUM A:

Examples of harms from companies sharing reproductive health-related data with third parties without consumer consent

Facebook data used to prosecute Nebraska mother, daughter after alleged abortion

Aaron Sanderford for the Nebraska Examiner (Aug. 10, 2022), https://tinyurl.com/2etavr8t

In 2022, Meta complied with a data request from a local Nebraska police department for private Facebook messages between a mother and daughter, who were both subsequently charged with felony crimes related to the alleged illegal termination of the daughter’s pregnancy.

Surveilling the Digital Abortion Diary, by Cynthia Conti-Cook

University of Baltimore Law Review (Oct. 2020), https://tinyurl.com/49wcm5uy

In 2017, a woman in Mississippi experienced an at-home pregnancy loss. A grand jury later indicted her for second-degree murder, based in part on her online search history, which recorded that she had looked up how to induce a miscarriage.

Is your pregnancy app sharing your intimate data with your boss?

Drew Harwell for The Washington Post (Apr. 10, 2019), https://tinyurl.com/57mrfs3n

A 2019 report revealed that pregnancy app Ovia Health sold user health data to their employers, without user consent.

Patel v State of Indiana, 60 N.E.3d 1041 (2016)

https://www.leagle.com/decision/ininco20160722184

In 2013, a woman was sentenced to twenty years in prison for “neglect of a dependent and feticide” after taking abortion pills she purchased online. Evidence presented against her at trial included online research she conducted, the email confirmation she received from internationaldrugmart.com, and unencrypted text messages to a friend about her relationship, becoming pregnant, and the pills she purchased.

These Companies Know When You're Pregnant—And They're Not Keeping It Secret

Shoshana Wodinsky & Kyle Barr for Gizmodo (Jul. 30, 2022), https://tinyurl.com/mthv8jzc

In 2022, Gizmodo identified 32 brokers selling data on 2.9 billion profiles of U.S. residents pegged as "actively pregnant" or "shopping for maternity products."

Websites Selling Abortion Pills Are Sharing Sensitive Data With Google

Jennifer Gollan for ProPublica (Jan. 18, 2023), https://tinyurl.com/3ty8cb45

A 2023 investigation by ProPublica found online pharmacies that sell abortion medication such as mifepristone and misoprostol are sharing sensitive data, including users' web addresses, relative location, and search data, with Google and other third-party sites — which allows the data to be recoverable through law-enforcement requests.

Federal Trade Commission v Kochava, Inc. (Aug. 29, 2022), https://tinyurl.com/ywbffb4b

In 2022, the Federal Trade Commission sued Kochava – a data analysis platform primarily used by companies for marketing purposes – for selling data that tracks people at reproductive health clinics, places of worship, and other sensitive locations.

THE FOREGOING INFORMATION MAY BE DISSEMINATED TO SHAREHOLDERS VIA TELEPHONE, U.S. MAIL, E-MAIL, CERTAIN WEBSITES AND CERTAIN SOCIAL MEDIA VENUES, AND SHOULD NOT BE CONSTRUED AS INVESTMENT ADVICE OR AS A SOLICITATION OF AUTHORITY TO VOTE YOUR PROXY. THE COST OF DISSEMINATING THE FOREGOING INFORMATION TO SHAREHOLDERS IS BEING BORNE ENTIRELY BY THE FILER OF THIS SOLICITATION. PROXY CARDS WILL NOT BE ACCEPTED. PLEASE DO NOT SEND YOUR PROXY TO TARA HEALTH FOUNDATION. TO VOTE YOUR PROXY, PLEASE FOLLOW THE INSTRUCTIONS ON YOUR PROXY CARD.