Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation

from the not-to-mention-unnecessary dept

As we careen wildly into a post-GDPR world at the end of this week, you've probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they're just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They're almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR "out of an abundance of caution."

In short, if a service already has proper permission from you, then it doesn't need to get it again. If it doesn't, it's violating EU spam regulations by asking you to give your consent to receive such messages.

Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

And, yes, EU regulators are aware of all of this:

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Depending on how you look at this, it's either the most European of European regulation situations -- in which efforts to comply with a new set of convoluted regulations mean violating existing convoluted EU regulations -- or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.

Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it's a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.


Filed Under: data protection, email, eu, gdpr, opt-in, permission, privacy, spam


Reader Comments



  1. Ninja, 23 May 2018 @ 10:41am

    Selective enforcement anyone?

  2. Anonymous Coward, 23 May 2018 @ 10:59am

    Re: "Selective enforcement anyone?"

    Short answer: No

    Long answer: Hell, no!

    If a law requires selective enforcement to keep it from ruining lives and freedoms it is a law that should never have been passed in the first place.

  3. Anonymous Coward, 23 May 2018 @ 11:26am

    they don't care

    I don't think they care, unless they can make money off of fines. Just keep looking forward to receiving them.

  4. Anonymous Coward, 23 May 2018 @ 11:37am

    Re:

    Interestingly enough: Less than half the countries in EU have designated the enforcement agencies and many of those that have already stated that they will be very lenient at this point.

    To the point: EU is leaving enforcement to the specific countries and the specific countries are basically saying, "If you designate a person as responsible for data, we will try to help you as best we can!"

  5. HighBarSimmerWait, 23 May 2018 @ 11:49am

    tons of companies having no idea what they actually need to do

    Mike I get it, 1st amendment and all, but this is tech, these impact BIG companies that have track records of being untrustworthy and/or not actually following through on commitments to legislative bodies.

    The EU rules are a high bar sure, but in my view, better to have strict rules, get through a few election cycles and when government representatives come into office that understand tech, they can lower the bar as appropriate.

    On a side note
    Got a notice from Microsoft, checked the link. Page after page of opt out buttons, delete data buttons, download any data Microsoft has on the user buttons. Was surprised that they had very little data at all to begin with.

    Microsoft is compliant with the new EU rulings across all country borders. This seems the easiest way to deal with these privacy rulings, adopt them, let simmer, wait...

  6. AricTheRed, 23 May 2018 @ 12:26pm

    FTFY

    "... it does seem like it could be something of a general problem if basically every internet company everywhere..." is made up of people.

    Since, as a group, virtually all people are idiots, expect idiotic results.

  7. Anonymous Coward, 23 May 2018 @ 12:34pm

    Oh come on, this is exactly what you'd expect, regardless of any specific law. CEO to legal dept.: "Tell me we DO NOT need to ask for consent from our existing customers! We don't, right? ...do we?" Every single lawyer everywhere: "Well..."

  8. ECA, 23 May 2018 @ 12:39pm

    Mixing spam

    Let's see...
    You get lots of emails, then get a request to Verify an email site or other information..

    HOW many people will "PUSH THE BUTTON", and have their Browser send Their data upon connection??
    AND if they have programmed it properly, as you SAID "YES" by clicking the button, it can GRAB other data, DIRECT from your browser..

    YES many of us have a TON of protection on our browsers, but MORE persons DON'T, and DON'T KNOW about this.

  9. Dan, 23 May 2018 @ 12:54pm

    Re: tons of companies having no idea what they actually need to do

    Sure, it affects the Facebooks and the Googles and the Microsofts. And it affects the small US-based nonprofit that runs a forum that has members in .eu. And there's no clear guidance as yet as to what the latter is supposed to do when a user comes and says, "give me a copy of all my personal information and everything I've ever posted in a portable format, then delete it."

  10. John Roddy, 23 May 2018 @ 1:22pm

    To be "fair", the vast majority of the emails I've received so far weren't because of GDPR. It was just the companies feeling that privacy protections are good for everyone, so they wanted to extend that to everyone, not just EU residents. It's just an overabundance of kindness! The fact that roughly 100% of all of them say it the exact same way and conveniently happen to be right before the enactment of those rules is just a coincidence.

  11. Anonymous Coward, 23 May 2018 @ 1:43pm

    From Inside A Company Who Is Not Prepared

    I work for a hosting company. I'm not sure I'm allowed to say which but we're big enough to be traded on the NASDAQ. We are not prepared.

    We've pushed out many and multiple emails to as many affected customers. Some saying we comply with GDPR, some asking for re-consent to data collection, some FAQs. Honestly though it's hard to figure out how far we should go. We're not ready and I doubt many of our peers are.

    If any of these GDPR rules get enforced it's going to be terrifying.

  12. aerinai, 23 May 2018 @ 2:20pm

    GDPR Nightmare Scenario #634

    Dear Techdirt,

    I want a record of all my posts along with those that I posted as an Anonymous Coward. I also want you to delete them. I also want all sub-threads and other mentions of my avatar name, Anonymous Coward, and real name (which I will not give you) deleted as well because, GDPR

    Have fun complying!

    K thx bye!

    P.S. please don't really do that... I'd be sad.

  13. Dan, 23 May 2018 @ 2:24pm

    Re: GDPR Nightmare Scenario #634

    ...and sadly, things not too far from this are actually happening. And it's not even close to clear what the GDPR requires the site operator to do in such cases.

  14. Anonymous Coward, 23 May 2018 @ 2:45pm (This comment has been flagged by the community.)

    "emails probably violate another EU regulation" Then PROSECUTE!

    All violations will stop if corporations are prosecuted. Guaranteed. Just toss the officers into jail and set bail at ten times their yearly income as they do poor people. Make examples of the half dozen most egregious, and suddenly all other execs will learn and implement GDPR.

    Mainly though, this is another of Masnick's rants in which HE'S got it all figured out, but no one in Europe does. No one outdoes Masnick for arrogance and chutzpah.

  15. Anonymous Coward, 23 May 2018 @ 3:48pm

    It really isn't that difficult, but it all revolves around contact that has been agreed upon. You can send a customer a bill, but do you have consent to send them marketing material?

    Companies have to follow the law and be able to prove they are following the law. That means being able to prove that they have consent or have a legitimate interest.

    Yeah, companies' databases will be whacked, but that is a good thing. Does it make it harder for companies to market their products/services? Sure, but that is what the law is all about.

  16. Anonymous Coward, 23 May 2018 @ 3:52pm

    Re: GDPR Nightmare Scenario #634

    Easy, there is nothing about you that is personally identifiable, so GDPR does not apply to you.

  17. Perspective, 23 May 2018 @ 7:05pm

    Thoughts on small business

    re: Small companies will be hit hardest at first.

    It doesn't matter the size. Size of a company should not determine that that company doesn't have to comply. It's like saying small delis don't have to be inspected or be concerned about customer safety or health. If the company is doing business on the internet, it's subject and should be.

    Small business will find new offerings popping up from vendors much like small business tax packages or small biz human resources that provide self installed software programs or even hire consulting services to customize something.

    Costs sure, these are new rules so there will be costs. Those get added in the business ledger and are part of the 'cost of doing business'.

    - ---
    In the end, this is all on the advertisers.

  18. Anonymous Coward, 23 May 2018 @ 10:49pm

    Re: Re: tons of companies having no idea what they actually need to do

    That's not a thing.
    Your user can ask for all *personal data* held on him, posts are unlikely to fall under that.
    You'd have to give them their bio and any data you store *about* them.

  19. Anonymous Coward, 23 May 2018 @ 10:53pm

    Re: GDPR Nightmare Scenario #634

    Not how the law works. It has to be personal data.

  20. Flint, 23 May 2018 @ 10:58pm

    Over-reaction much....

    The ICO (the UK's supervisory authority) is one of the largest and most active SAs in the EU. If you actually take note of what they are saying, their focus is on helping people comply not punishing non-compliance. If you can get BBC iPlayer, check out Click - there's an interview with a senior representative from the ICO.

    They have stated they will only use fines for the most negligent or careless cases and for repeat offenders.

    If you look at their track record under the Data Protection Act, this is what they have done in the past. Most of their findings and "penalties" have been administrative - tighten up your policies & procedures, train your staff better and don't do it again.

    And if you aren't able to comply with the intent of the GDPR, or simply can't be arsed then you're probably not a fit person to be holding people's personal data. Too many organisations have proved too often that they can't be trusted to secure PII without additional incentives. We are now in a situation where leaks of personal data can have a significant effect on real people's lives.

  21. Eldakka, 23 May 2018 @ 11:38pm

    Re: From Inside A Company Who Is Not Prepared

    "We're not ready and I doubt many of our peers are."

    The GDPR legislation was passed 2 years ago with a 'start date' set 2 years after passage.

    Your company has had 2 years to get ready.

    If they aren't ready, it's their own fault.

  22. Eldakka, 23 May 2018 @ 11:41pm

    Re: Thoughts on small business

    "If the company is doing business on the internet, it's subject and should be."

    IANAL, but I don't believe GDPR is limited to electronic (internet) systems.

    If you are an old-fashioned mail-order house and only accept and send communications via snail-mail then I believe you would still have to comply.

  23. Anonymous Coward, 24 May 2018 @ 1:24am

    Re:

    When the RIAA is prosecuted you let me know, blue. If you're not reduced to a blubbering, crying wreck when it happens.

  24. PaulT, 24 May 2018 @ 1:47am

    "They're almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR "out of an abundance of caution.""

    I was at a seminar last year regarding the GDPR. It was from an IT/systems POV, but my takeaway was that there were a lot of companies who not only hadn't organised a real plan for it, for some it was the first they heard of some of the requirements.

    I absolutely guarantee that, whichever marketing departments are responsible for a lot of these emails, they don't know the rules for either spam or the GDPR itself. They just reacted when it hit the mainstream press recently, probably at the behest of some manager who panicked when they read some headlines. Also probably over the heads of whichever IT department will get blamed for letting them send the email if some anti-spam enforcement comes back that way.

  25. Anonymous Coward, 24 May 2018 @ 3:32am

    Re: Re: Thoughts on small business

    Nope. GDPR covers "personal data" it doesn't make a distinction over the format of it.
    Makes sense, why should files left in a briefcase not be punished on the same level as files left on an unprotected server?

  26. Anonymous Coward, 24 May 2018 @ 10:13am

    Re:

    Yeah, if any fuck were given, data protection would be done the other way around: collecting as little as possible and letting people opt in to more advanced collections.

  27. dondoo, 24 May 2018 @ 11:10am

    Re: Re: tons of companies having no idea what they actually need to do

    Must be some translation problem, or is there some part of "give me a copy of all my personal information and everything I've ever posted in a portable format, then delete it." that is not clear enough for you to understand?

    It is absolutely clear, whether "right" or "wrong" is another thing altogether. Perhaps your view of that is what you meant to express?

  28. Anonymous Coward, 24 May 2018 @ 3:03pm

    Re: Re: Re: tons of companies having no idea what they actually need to do

    ???
    No, my point was GDPR doesn't cover your posts. It covers personal data defined as data about a subject that identifies them. It's a stretch to say any of your posts fit that definition.

  29. Anonymous Coward, 25 May 2018 @ 7:19am

    Re: Re:

    Companies are just a group of people that are trying to make a living. You seem like you think companies are these evil organizations that are looking to fuck you in any way possible.

    It really is just people trying to earn a living. I guess you don't have to worry about that, right? Must be nice.

    As a marketer, I don't want to send messages to someone that doesn't want to receive it, because that is just a waste of my time. Opt in or out, whatever, but people are just trying to live their life.

  30. PaulT, 25 May 2018 @ 8:10am

    Re: Re: Re:

    "It really is just people trying to earn a living"

    Most of them yes. Unfortunately, some people either don't care if they make the lives of other people more difficult, or in some cases will seek to actively cause them harm, if it means more for their bottom line. Hence the need for laws and regulation.

    "I guess you don't have to worry about that, right? Must be nice."

    That's right, people who don't care for predatory tactics must be free of any bills or other concerns in life. It can't be because there's more important things than money, such as the welfare of human beings?

    "As a marketer"

    Oh. OK, that explains a lot.

  31. Anonymous Coward, 25 May 2018 @ 9:09am

    Re: Re: Re: Re:

    Like I said, I don't want to send something to someone that doesn't want to receive it, because it is a waste of time.

    I actually don't have a problem with GDPR, first because I am in the US, and second, because of the above.

    Here is the joke though, from the US, I look at GDPR as a screen or window dressing for politicians. The NSA collects information. Phone companies sell location data, governments still invade our privacy.

    GDPR is nice, but won't do much, but anything that reduces the amount of data stored on people is a good thing.

  32. Talmyr, 28 May 2018 @ 8:07am

    Re: Re: Re: Re: tons of companies having no idea what they actually need to do

    It covers any personal data tied to personal identifiers, including (ugh) IP addresses. So if there is a way to tie your 'anonymous' comment to your (then) IP address, that may count in. But it's a huge fluffy area which will probably take some litigation to clarify, unfortunately.

  33. Talmyr, 28 May 2018 @ 8:10am

    Re: From Inside A Company Who Is Not Prepared

    Most EU companies aren't remotely ready either. But as long as you can show you are working towards being compliant that covers a lot of initial problems.


