Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation
from the not-to-mention-unnecessary dept
As we careen wildly into a post-GDPR world at the end of this week, you've probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they're just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They're almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR "out of an abundance of caution."
In short, if a service already has proper permission from you, then it doesn't need to get it again. If it doesn't, it's violating EU spam regulations by asking you to give your consent to receive such messages.
Vitale said that if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.
“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”
And, yes, EU regulators are aware of all of this:
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.
Depending on how you look at this, it's either the most European of European regulation situations -- in which efforts to comply with a new set of convoluted regulations means violating existing convoluted EU regulations -- or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.
Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it's a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.
Filed Under: data protection, email, eu, gdpr, opt-in, permission, privacy, spam
Reader Comments
Re: "Selective enforcement anyone?"
Long answer: Hell, no!
If a law requires selective enforcement to keep it from ruining lives and freedoms it is a law that should never have been passed in the first place.
Re:
To the point: EU is leaving enforcement to the specific countries and the specific countries are basically saying, "If you designate a person as responsible for data, we will try to help you as best we can!"
they don't care
tons of companies having no idea what they actually need to do
The EU rules are a high bar sure, but in my view, better to have strict rules, get through a few election cycles and when government representatives who understand tech come into office, they can lower the bar as appropriate.
On a side note
Got a notice from Microsoft, checked the link. Page after page of opt out buttons, delete data buttons, download any data Microsoft has on the user buttons. Was surprised that they had very little data at all to begin with.
Microsoft is compliant with the new EU rulings across all country borders. This seems the easiest way to deal with these privacy rulings, adopt them, let simmer, wait...
Re: Re: tons of companies having no idea what they actually need to do
Your user can ask for all *personal data* held on him, posts are unlikely to fall under that.
You'd have to give them their bio and any data you store *about* them.
Re: Re: tons of companies having no idea what they actually need to do
It is absolutely clear, whether "right" or "wrong" is another thing altogether. Perhaps your view of that is what you meant to express?
Re: Re: Re: tons of companies having no idea what they actually need to do
No, my point was GDPR doesn't cover your posts. It covers personal data defined as data about a subject that identifies them. It's a stretch to say any of your posts fit that definition.
FTFY
Since, as a group, virtually all people are idiots, expect idiotic results.
Mixing spam
You get lots of emails, then get a request to Verify an email site or other information..
HOW many people will "PUSH THE BUTTON", and have their Browser send Their data upon connection??
AND if they have programmed it properly, as you SAID "YES" by clicking the button, it can GRAB other data, DIRECT from your browser..
YES many of us have a TON of protection on our browsers, but MORE persons DONT, and DONT KNOW about this.
Re: Re:
It really is just people trying to earn a living. I guess you don't have to worry about that, right? Must be nice.
As a marketer, I don't want to send messages to someone that doesn't want to receive it, because that is just a waste of my time. Opt in or out, whatever, but people are just trying to live their life.
Re: Re: Re:
Most of them yes. Unfortunately, some people either don't care if they make the lives of other people more difficult, or in some cases will seek to actively cause them harm, if it means more for their bottom line. Hence the need for laws and regulation.
"I guess you don't have to worry about that, right? Must be nice."
That's right, people who don't care for predatory tactics must be free of any bills or other concerns in life. It can't be because there's more important things than money, such as the welfare of human beings?
"As a marketer"
Oh. OK, that explains a lot.
Re: Re: Re: Re:
I actually don't have a problem with GDPR, first because I am in the US, and second, because of the above.
Here is the joke though, from the US, I look at GDPR as a screen or window dressing for politicians. The NSA collects information. Phone companies sell location data, governments still invade our privacy.
GDPR is nice, but won't do much, but anything that reduces the amount of data stored on people is a good thing.
From Inside A Company Who Is Not Prepared
We've pushed out many and multiple emails to as many affected customers. Some saying we comply with GDPR, some asking for re-consent to data collection, some FAQs. Honestly though it's hard to figure out how far we should go. We're not ready and I doubt many of our peers are.
If any of these GDPR rules get enforced it's going to be terrifying.
Re: From Inside A Company Who Is Not Prepared
The GDPR legislation was passed 2 years ago with a 'start date' set 2 years after passage.
Your company has had 2 years to get ready.
If they aren't ready, it's their own fault.
GDPR Nightmare Scenario #634
I want a record of all my posts along with those that I posted as an Anonymous Coward. I also want you to delete them. I also want all sub-threads and other mentions of my avatar name, Anonymous Coward, and real name (which I will not give you) deleted as well because, GDPR
Have fun complying!
K thx bye!
P.S. please don't really do that... i'd be sad.
"emails probably violate another EU regulation" Then PROSECUTE!
Mainly though, this is another of Masnick's rants in which HE'S got it all figured out, but no one in Europe does. No one outdoes Masnick for arrogance and chutzpah.
Companies have to follow the law and be able to prove they are following the law. That means being able to prove that they have consent or have a legitimate interest.
Yeah, companies' databases will be whacked, but that is a good thing. Does it make it harder for companies to market their products/services? Sure, but that is what the law is all about.
Thoughts on small business
It doesn't matter the size. Size of a company should not determine that that company doesn't have to comply. It's like saying small delis don't have to be inspected or be concerned about customer safety or health. If the company is doing business on the internet, it's subject and should be.
Small business will find new offerings popping up from vendors much like small business tax packages or small biz human resources that provide self installed software programs or even hire consulting services to customize something.
Costs sure, these are new rules so there will be costs. Those get added in the business ledger and are part of the 'cost of doing business'.
- ---
In the end, this is all on the advertisers.
Re: Thoughts on small business
IANAL, but I don't believe GDPR is limited to electronic (internet) systems.
If you are an old-fashioned mail-order house and only accept and send communications via snail-mail then I believe you would still have to comply.
Re: Re: Thoughts on small business
Makes sense, why should files left in a briefcase not be punished on the same level as files left on an unprotected server?
Over-reaction much....
They have stated they will only use fines for the most negligent or careless cases and for repeat offenders.
If you look at their track record under the Data Protection Act, this is what they have done in the past. Most of their findings and "penalties" have been administrative - tighten up your policies & procedures, train your staff better and don't do it again.
And if you aren't able to comply with the intent of the GDPR, or simply can't be arsed then you're probably not a fit person to be holding people's personal data. Too many organisations have proved too often that they can't be trusted to secure PII without additional incentives. We are now in a situation where leaks of personal data can have a significant effect on real peoples lives.
I was at a seminar last year regarding the GDPR. It was from an IT/systems POV, but my takeaway was that there were a lot of companies who not only hadn't organised a real plan for it, for some it was the first they heard of some of the requirements.
I absolutely guarantee that, whichever marketing departments are responsible for a lot of these emails, they don't know the rules for either spam or the GDPR itself. They just reacted when it hit the mainstream press recently, probably at the behest of some manager who panicked when they read some headlines. Also probably over the heads of whichever IT department will get blamed for letting them send the email if some anti-spam enforcement comes back that way.