Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation
from the not-to-mention-unnecessary dept
As we careen wildly into a post-GDPR world at the end of this week, you’ve probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they’re just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They’re almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR “out of an abundance of caution.”
In short, if a service already has proper permission from you, then it doesn’t need to get it again. If it doesn’t, it’s violating EU spam regulations by asking you to give your consent to receive such messages.
Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.
?In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.?
And, yes, EU regulators are aware of all of this:
?We?ve heard stories of email inboxes bursting with long emails from organisations asking people if they?re still happy to hear from them,? Steve Wood, the deputy information commissioner, wrote in guidance for businesses. ?So think about whether you actually need to refresh consent before you send that email, and don?t forget to put in place mechanisms for people to withdraw their consent easily.?
Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. ?It?s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,? he said.
Depending on how you look at this, it’s either the most European of European regulation situations — in which efforts to comply with a new set of convoluted regulations means violating existing convoluted EU regulations — or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.
Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it’s a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.
Filed Under: data protection, email, eu, gdpr, opt-in, permission, privacy, spam
Comments on “Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation”
Selective enforcement anyone?
Re: "Selective enforcement anyone?"
Short answer: No
Long answer: Hell, no!
If a law requires selective enforcement to keep it from ruining lives and freedoms it is a law that should never have been passed in the first place.
Re: Re:
Interestingly enough: Less than half the countries in EU have designated the enforcement agencies and many of those that have already stated that they will be very lenient at this point.
To the point: EU is leaving enforcement to the specific countries and the specific countries are basically saying, “If you designate a person as responsible for data, we will try to help you as best we can!”
they don't care
I don’t think they care, unless they can make money off of fines. Just keep looking forward to receiving them.
tons of companies having no idea what they actually need to do
Mike I get it, 1st amendment and all, but this is tech, these impact BIG companies that have track records of being untrustworthy and/or not actually following through on commitments to legislative bodies.
The EU rules are a high bar sure, but in my view, better to have strict rules, get through a few election cycles and when government representatives come into office that understand tech, they can lower the bar as appropriate.
On a side note
Got a notice from Microsoft, checked the link. Page after page of opt out buttons, delete data buttons, download any data Microsoft has on the user buttons. Was surprised that they had very little data at all to begin with.
Microsoft is compliant with the new EU rulings across all country borders. This seems the easiest way to deal with these privacy rulings, adopt them, let simmer, wait…
Re: tons of companies having no idea what they actually need to do
Sure, it affects the Facebooks and the Googles and the Microsofts. And it affects the small US-based nonprofit that runs a forum that has members in .eu. And there’s no clear guidance as yet as to what the latter is supposed to do when a user comes and says, “give me a copy of all my personal information and everything I’ve ever posted in a portable format, then delete it.”
Re: Re: tons of companies having no idea what they actually need to do
That’s not a thing.
Your user can ask for all personal data held on him, posts are unlikley to fall under that.
You’d have to give them their bio and any data you store about them.
Re: Re: tons of companies having no idea what they actually need to do
Must be some translation problem, or is there some part of “give me a copy of all my personal information and everything I’ve ever posted in a portable format, then delete it.” that is not clear enough for you to understand.
It is absolutely clear, whether “right” or “wrong” is another thing altogether. Perhaps your view of that is what you meant to express?
Re: Re: Re: tons of companies having no idea what they actually need to do
???
No, my point was GDPR doesn’t cover your posts. It covers personal data defined as data about a subject that identifies them. It’s a stretch to say any of your posts fit that definition.
Re: Re: Re:2 tons of companies having no idea what they actually need to do
It covers any personal data tied to personal identifiers, including (ugh) IP addresses. So if there is a way to tie your ‘anonymous’ comment to your (then) IP address, that may count in. But it’s a huge fluffy area which will probably take some litigation to clarify, unfortunately.
FTFY
“… it does seem like it could be something of a general problem if basically every internet company everywhere…” is made up of people.
Since, as a group, virtually all people are idiots, expect idiotic results.
Oh come on, this is exactly what you’d expect, regardless of any specific law. CEO to legal dept.: “Tell me we DO NOT need to ask for consent from our existing customers! We don’t, right? …do we?” Every single lawyer everywhere: “Well…”
Mixing spam
Lets see…
You get lots of emails, then get a request to Verify an email site or other information..
HOW many people will “PUSH THE BUTTON”, and have there Browser send Their data upon connection??
AND if they have programmed it properly, as you SAID “YES” by clicking the button, it can GRAB other data, DIRECT form your browser..
YES many of us have a TON of protection on our browsers, but MORE persons DONT, and DONT KNOW about this.
To be “fair”, the vast majority of the emails I’ve received so far weren’t because of GDPR. It was just the companies feeling that privacy protections are good for everyone, so they wanted to extend that to everyone, not just EU residents. It’s just an overabundance of kindness! The fact that roughly 100% of all of them say it the exact same way and conveniently happen to be right before the enactment of those rules is just a coincidence.
Re: Re:
Yeah, if any fuck were given, data protection would be done the other way around: collecting as less as possible and letting people opt in to more advanced collections.
Re: Re: Re:
Companies are just a group of people that are trying to make a living. You seem like you think companies are these evil organizations that are looking to fuck you in any way possible.
It really is just people trying to earn a living. I guess you don’t have to worry about that, right? Must be nice.
As a marketer, I don’t want to send messages to someone that doesn’t want to receive it, because that is just a waste of my time. Opt in or out, whatever, but people are just trying to live their life.
Re: Re: Re: Re:
“It really is just people trying to earn a living”
Most of them yes. Unfortunately, some people either don’t care if they make the lives of other people more difficult, or in some cases will seek to actively cause them harm, if it means more for their bottom line. Hence the need for laws and regulation.
“I guess you don’t have to worry about that, right? Must be nice.”
That’s right, people who don’t care for predatory tactics must be free of any bills or other concerns in life. It can’t be because there’s more important things than money, such as the welfare of human beings?
“As a marketer”
Oh. OK, that explains a lot.
Re: Re: Re:2 Re:
Like I said, I don’t want to send something to someone that doesn’t want to receive it, because it is a waste of time.
I actually don’t have a problem with GDPR, first because I am in the US, and second, because of the above.
Here is the joke though, from the US, I look at GDPR as a screen or window dressing for politicians. The NSA collects information. Phone companies sell location data, governments still invade our privacy.
GDPR is nice, but won’t do much, but anything that reduces the amount of data stored on people is a good thing.
From Inside A Company Who Is Not Prepared
I work for a hosting company. I’m not sure I’m allowed to say which but we’re big enough to be traded on the NASDAQ. We are not prepared.
We’ve pushed out many and multiple emails to as many affected customers. Some saying we comply with GDPR, some asking for re-consent to data collection, some FAQs. Honestly though it’s hard to figure out how far we should go. We’re not ready and I doubt many of our peers are.
If any of these GDPR rules get enforced it’s going to be terrifying.
Re: From Inside A Company Who Is Not Prepared
The GDPR legislation was passed 2 years ago with a ‘start date’ set 2 years after passage.
Your company has had 2 years to get ready.
If they aren’t ready, it’s their own fault.
Re: From Inside A Company Who Is Not Prepared
Most EU companies aren’t remotely ready either. But as long as you can show you are working towards being compliant that covers a lot of initial problems.
GDPR Nighmare Scenario #634
Dear Techdirt,
I want a record of all my posts along with those that I posted as an Anonymous Coward. I also want you to delete them. I also want all sub-threads and other mentions of my avatar name, Anonymous Coward, and real name (which I will not give you) deleted as well because, GDPR
Have fun complying!
K thx bye!
P.S. please don’t really do that… i’d be sad.
Re: GDPR Nighmare Scenario #634
…and sadly, things not too far from this are actually happening. And it’s not even close to clear what the GDPR requires the site operator to do in such cases.
Re: GDPR Nighmare Scenario #634
Easy, there is nothing about you that is personally identifiable, so GDPR does not apply to you.
Re: GDPR Nighmare Scenario #634
Not how the law works. It has to be personal data.
"emails probably violate another EU regulation" Then PROSECUTE!
All violations will stop if corporations are prosecuted. Guaranteed. Just toss the officers into jail and set bail at ten times their yearly income as they do poor people. Makes examples of the half dozen most egregious, and suddenly all other execs will learn and implement GPDR.
Mainly though, this is another of Masnick’s rants in which HE’S got it all figured out, but no one in Europe does. No one outdoes Masnick for arrogance and chutzpah.
Re: Re:
When the RIAA is prosecuted you let me know, blue. If you’re not reduced to a blubbering, crying wreck when it happens.
It really isn’t that difficult, but it all revolves around contact that has been agreed upon. You can send a customer a bill, but do you have consent to send them marketing material?
Companies have to follow the law and be able to prove they are following the law. That means being able to prove that they have consent or have a legitimate interest.
Yeah, companies databases will be whacked, but that is a good thing. Does it make it harder for companies to market their products/services? Sure, but that is what the law is all about.
Thoughts on small business
re: Small companies will be hit hardest at first.
It doesn’t matter the size. Size of a company should not determine that that company doesn’t have to comply. It’s like saying small deli’s don’t have to be inspected or be concerned about customer safety or health. If the company is doing business on the internet, it’s subject and should be.
Small business will find new offerings popping up from vendors much like small business tax packages or small biz human resources that provide self installed software programs or even hire consulting services to customize something.
Costs sure, these are new rules so there will be costs. Those get added in the business ledger and are part of the ‘cost of doing business’.
– —
In the end, this is all on the advertisers.
Re: Thoughts on small business
IANAL, but I don’t believe GDPR is limited to electronic (internet) systems.
If you are an old-fashioned mail-order house and only accept and send communications via snail-mail then I believe you would still have to comply.
Re: Re: Thoughts on small business
Nope. GDPR covers “personal data” it doesn’t make a distinction over the format of it.
Makes sense, why should files left in a briefcase not be punished on the same level as files left on an unprotected server?
Over-reaction much....
The ICO (the UK’s supervisory authority) is one of the largest and most active SA’s in the EU. If you actually take note of what they are saying, their focus is on helping people comply not punishing non-compliance. If you can get BBC iPlayer, check out Click – there’s an interview with senior representative from the ICO.
They have stated they will only use fines for the the most negligent or careless cases and for repeat offenders.
If you look at their track record under the Data Protection Act, this is what they have done in the past. Most of their findings and “penalties” have been administrative – tighten up your policies & procedures, train your staff better and don’t do it again.
And if you aren’t able to comply with the intent of the GDPR, or simply can’t be arsed then you’re probably not a fit person to be holding people’s personal data. Too many organisations have proved too often that they can’t be trusted to secure PII without additional incentives. We are now in a situation where leaks of personal data can have a significant effect on real peoples lives.
“They’re almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR “out of an abundance of caution.””
I was at a seminar last year regarding the GDPR. It was from an IT/systems POV, but my takeaway was that there were a lot of companies who not only hadn’t organised a real plan for it, for some it was the first they heard of some of the requirements.
I absolutely guarantee that, whichever marketing departments are responsible for a lot of these emails, they don’t know the rules for either spam or the GDPR itself. They just reacted when it hit the mainstream press recently, probably at the behest of some manager who panicked when they read some headlines. Also probably over the heads of whichever IT department will get blamed for letting them send the email if some anti-spam enforcement comes back that way.