Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy United Kingdom

Most GDPR Emails Unnecessary and Some Illegal, Say Experts (theguardian.com) 91

The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 million and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.
This discussion has been archived. No new comments can be posted.

Most GDPR Emails Unnecessary and Some Illegal, Say Experts

Comments Filter:
  • $23.50 seems like a pretty insignificant penalty.

    I had previously read that the fines were "crippling".

    Did someone miss a zero (or several)?

    • $23.50 seems like a pretty insignificant penalty.

      I had previously read that the fines were "crippling".

      Did someone miss a zero (or several)?

      I think they missed the "M". The potential penalties are big enough to put all but the biggest players out of business.

      We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.

      • Re:Only $23.50? (Score:5, Insightful)

        by dotancohen ( 1015143 ) on Monday May 21, 2018 @02:21PM (#56648826) Homepage

        We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.

        Please block my IP address as well: 192.117.111.61, because the consequences for even an inadvertent misstep by you could be catastrophic for me.

        • by Anonymous Coward

          How will OP blocking email from the EU be catastrophic for your Israeli ISP business?

        • by Anonymous Coward

          Well shit... My big black rubber dildo wholesaler just lost its biggest customer!

      • by AmiMoJo ( 196126 )

        Do you operate in the EU? If not, how would you be fined? And if so are you just closing your EU business entirely?

        • by mjwx ( 966435 )

          Do you operate in the EU? If not, how would you be fined? And if so are you just closing your EU business entirely?

          This is one of the biggest problems with the GDPR, it only applies to businesses in the EU... Then again, most marketing email I get from American companies ends up in my Spam folder already (even the stuff I want to get).

      • We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.

        Why? Do you do business in the EU? Do you advertise to EU customers, or have EU offices?

        If you answered yes to any of the above then blocking the EU probably isn't in your interest. If you answered no to all of them, they maybe you learn how the GDPR works and applies.

  • Best Practice (Score:5, Interesting)

    by Going_Digital ( 1485615 ) on Monday May 21, 2018 @02:27PM (#56648854)
    Companies wouldn't have to go through this nonsense if they had set-out treating people properly in the first place. If their email list was created from an explicit opt-in process with clear information on how the customer's email is to be used then it they would not have to go through this re-subscribe nonsense. They all thought they were clever by auto-opting in and buying mailing lists and other questionable ways of subscribing people. Now 90% of their 'customers' will not re-subscribe so they are stuffed.
    • That's not quite true. As an example, GDPR requires that before getting consent, you must inform the user whether you will or won't do certain things with the data. Before GDPR, a lot of companies didn't bother saying "we won't ..." where it wouldn't even make sense to mention that, of course they don't. Those consents are no longer valid since they didn't comply with irrelevant parts of a law that didn't exist at the time.

      Another is that very often when someone subscribes to a mailing list, they g

      • So you're saying that GDPR is retroactive? It might be shonky in many ways, but that isn't one of them.

        • In order to have a person be a part of the discussion group TOMORROW, we will need to have consent records that comply with GDPR. In order to be GDPR compliant, there consent (sign up) must come after they've been informed of how to unsubscribe, the fact that you don't sell their email address to marketers, etc.

          Here it is in programmatic form:

          Are you sending them an email? (No: Goto Ok)
          Do you have their consent? (No: Goto jail)
          Is it informed consent? Meaning they saw GDPR disclosures before consenting. (No

  • I am getting a lot of those and quite frankly, most of them I reallly don’t care if they delete me if I don’t accept because hey are not relevant for me anymore. :)

  • Ironically enough, as I was reading this thread I received an email about opting in/out of emails due to GPDR. Gave me a nice chance to unsubscribe for a mailing list I didn't even care about or was even aware I was on.
  • by imidan ( 559239 ) on Monday May 21, 2018 @02:49PM (#56649000)

    The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.

    Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.

    • The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.

      Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.

      It's an annoying week of emails, but I'm ok with it. Atleast from now on we will be in a state where companies have to care about how they deal with me. It's kindof revelatory how many companies have come out of the woodwork that have my details, rather glad that I can now fail to confirm that they can keep it.

    • by Xest ( 935314 )

      Actually in a lot of cases depending on what data they were storing there was a legal requirement to show consent.

      Since the European Data Protection Directive in 1995 went into law in around 1998 in most EU countries it was always necessary to gain explicit consent to hold someone's personal data (unless you had a law enforcement exemption or similar).

      So many companies if they held your name or address along with your mailing list subscription were already breaking the law if they did not do so with explici

    • by AmiMoJo ( 196126 )

      It's this actually a problem? All I've seen is a reduction in spam and better privacy.

      I really can't see any down side to this.

  • Some ass used one of my domains to sign up for literally hundreds of Google accounts. Now, Google is spamming all those accounts with GDPR emails. It got so bad I had to blacklist all of Google. Google also totally ignores the reject code from the email server, if I send 'em a 554 they'll just keep trying and trying, so now I kill 'em with a 421, but they still don't give up.

    $ grep google /var/log/maillog | grep NOQUEUE | wc -l
    11763

    $ grep google /var/log/maillog | grep NOQUEUE
    May 16 17:35:46 aurora po

  • The EU should create laws in such a way that we are spared from the spam.

    Was it difficult to include a clause in the law forbidding mass sending of e-mails?
    • by Cederic ( 9623 )

      Well, yes. There are numerous legitimate reasons to mass send emails, not least of which is "I want to subscribe to your mailing list".

  • by ledow ( 319597 ) on Monday May 21, 2018 @04:00PM (#56649432) Homepage

    Ironically, in the last few months I have received several dozen pieces of unsolicited commercial email to an unadvertised address, without consent, concerning "How to get ready for GDPR", GDPR conferences, GDPR auditors, and even people claiming to help me form my own GDPR policies.

    I find it absolutely hilarious - who on Earth is going to touch the GDPR companies that can't even follow the rules themselves?

    That said, it's just a return to common sense. Did I ask you to email me? Specifically YOU? No? Then why are you emailing me?

    GDPR lets me give the same response as I would to someone knocking on my door. Do I know you? Do you have legitimate business that required you to wake me up?
      No? Then fuck off, and never darken my door again.

    Dealing with from the IT end has also been enlightening. We hired a member of staff just to get us through GDPR. They went through all my systems and processes. Pretty much, it doesn't affect us.

    Explicit consent before sending email? Check.
    People able to stop such email on demand? Check.
    People able to request the data that we have on them? Check.
    Data being held only as long as necessary? Check.

    Because most of this stuff was just obviously what the Data Protection Act required anyway. And being a good business.

    All the changes that have happened are to do with things like paper records (nothing to do with IT), etc. and databases that are outside IT control (e.g. our alumni list was hand-managed on paper, they've since digitised it because GDPR doesn't distinguish how you store it, so there's no longer any advantage to avoiding the DPA because you're not storing it on computer), and formalising policies that were already in place.

    Actual IT changes necessitated? None. I've updated a bunch of software which now have GDPR deletion/anonymisation features (but we won't use those for a long time because pretty much we only store what's necessary and stuff which we need to keep anyway) and things like "obtaining and recording explicit consent" features.

    GDPR = DPA + case law. If you've been keeping up over the years, GDPR is no shock. If you haven't.... well, you've been at risk for quite a while whether you think so or not. It only needed one stroppy customer to take you to court to expose practices that judges have been saying you MUST do (to be classed as "reasonably protecting the data" even under the previous DPA) but that just weren't codified in an actual law.

    About the biggest pain in GDPR? Gathering all the GDPR compliance statements from everyone else we deal with. (Hey, Apple! Are you done yet?!).

  • Some companies waited until after the last date for asking their customers to re-consent, then sent requests that were, you guessed it, SPAM!

Duct tape is like the force. It has a light side, and a dark side, and it holds the universe together ... -- Carl Zwanzig

Working...