Most GDPR Emails Unnecessary and Some Illegal, Say Experts (theguardian.com) 91
The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 million and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.
Only $23.50? (Score:2)
$23.50 seems like a pretty insignificant penalty.
I had previously read that the fines were "crippling".
Did someone miss a zero (or several)?
Re: (Score:3)
$23.50 seems like a pretty insignificant penalty.
I had previously read that the fines were "crippling".
Did someone miss a zero (or several)?
I think they missed the "M". The potential penalties are big enough to put all but the biggest players out of business.
We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.
Re:Only $23.50? (Score:5, Insightful)
We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.
Please block my IP address as well: 192.117.111.61, because the consequences for even an inadvertent misstep by you could be catastrophic for me.
Re: (Score:1)
How will OP blocking email from the EU be catastrophic for your Israeli ISP business?
Re: (Score:1)
He runs an anonymous international spamming proxy, obviously.
Re: Only $23.50? (Score:1)
Well shit... My big black rubber dildo wholesaler just lost its biggest customer!
Re: (Score:2)
Do you operate in the EU? If not, how would you be fined? And if so are you just closing your EU business entirely?
Re: (Score:2)
Do you operate in the EU? If not, how would you be fined? And if so are you just closing your EU business entirely?
This is one of the biggest problems with the GDPR, it only applies to businesses in the EU... Then again, most marketing email I get from American companies ends up in my Spam folder already (even the stuff I want to get).
Re: (Score:2)
We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.
Why? Do you do business in the EU? Do you advertise to EU customers, or have EU offices?
If you answered yes to any of the above then blocking the EU probably isn't in your interest. If you answered no to all of them, then maybe you learn how the GDPR works and applies.
Re: (Score:1)
In both cases, those penalties are the criminal penalties. Claims for damages are assessed separately and not included in these limits.
Re: (Score:1)
But does that apply to the House of Saxe-Coburg and Gotha (that secretive building next to the EU Parliament), because they've been using every EU citizens data for decades for fraudulent means and no one seems to care.
Re: email filters (Score:2)
Yeah why would anyone want their private personal data handled properly? What a waste of time.
Re: (Score:2)
Yes. Not *MY* private personal data. I'm not european. I'm not protected by those laws. Why do I care?
Re: (Score:2)
(Not that I have any liking for the social media companies either, but my enemy's enemy is *not* my friend here).
Re: Brexit (Score:2)
You can hand over your personal data to identity thieves via Equifax or TalkTalk if you like - I prefer it to be handled properly myself.
Re: Brexit (Score:2)
How would you force companies to give a shit about protecting users' private information? Taking my business elsewhere is meaningless if my details have already been exposed, and in the case of Equifax I can't do that anyway because I'm not the customer.
Re: Brexit (Score:2)
What government intervention created Equifax? You still haven't answered my point though. How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
Re: Brexit (Score:2)
No I didn't. Are you going to answer my question?
Re: Brexit (Score:2)
How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
Re: Brexit (Score:2)
Yes I do want companies that are cavalier about protecting my personal data to be punished. Most of the serious data breaches have been due to the business in question not being prepared to spend the time and money to ensure their customers are adequately protected. That is what GDPR is for, to force organisations to give a shit about the people they are supposed to be serving. Unless of course you're happy for your personal data like credit card or social security numbers to be stored unencrypted on unpat
Re: Brexit (Score:2)
GDPR is absolutely about the secure handling of personal information, hence the colossal fines. Perhaps you should go away and read it. It won't prevent a determined attacker but what it will do is force organisations to have proper policies in place to make it less likely. I work for an organisation that is currently going through GDPR compliance and we are hardening our systems, tightening up who has access to them and ensuring that everything is up to date. What do you know about GDPR? Very little judg
Re: Brexit (Score:2)
I think someone needs their nappy changed
Best Practice (Score:5, Interesting)
Re:Best Practice (Score:4, Interesting)
Sadly, even amongst those lists that have been using COI for years, this point seems to have escaped most mailing list maintainers.
Re: (Score:3)
Oh, nice propaganda. But tell me, do you have any factual information regarding GDPR or just the bullshit you spouted here?
GDPR is fucking trivial to comply with unless you're someone like Equifax with a plethora of acquisitions that all have disparate data and processes. In which case you have the resources to comply anyway.
Logging personally identifiable information was never good practice in the first place.
Re: Best Practice (Score:2)
IP addresses are considered private information. Not just to GDPR but HIPAA too. That's how far-reaching these regulations go; everyone in the world can receive or query your IP address.
Re: (Score:2)
GDPR doesn't stop them.
Re: (Score:2)
Confirmed Opt-In, or COI, has been touted as a best practice for mailing lists for many years now. You didn't need to be psychic and predict the future to anticipate GDPR; you just needed to be above-board about what you were doing with the sign-up process and follow well-published best practice. If you'd done that, and retained a copy of all of your opt-in confirmations, then all the end-user interaction GDPR compliance would have required would have been a simple rider on a regular marketing email reminding your subscribers of where they could view your GDPR policies, contact you if required, and change their communications preferences if they wished. No further end-user action required.
Sadly, even amongst those lists that have been using COI for years, this point seems to have escaped most mailing list maintainers.
I think it's an arse covering exercise. Sadly there's been so much FUD about GDPR, much of it from outside the EU that it's made a lot of people unnecessarily nervous.
Also, whilst COI is best practice, it's not a widespread practice, and a lot of companies, even companies inside the EU, use unconfirmed opt-in (usually via a box that is checked by default) or sometimes don't even bother asking at all (looking at you, Vodafone). Some businesses are nervous for a good reason.
Re: (Score:2)
No, screw them for being unethical leeches from the get-go.
Not quite. Didn't tell users what we won't do (Score:2)
That's not quite true. As an example, GDPR requires that before getting consent, you must inform the user whether you will or won't do certain things with the data. Before GDPR, a lot of companies didn't bother saying "we won't ..." where it wouldn't even make sense to mention that, of course they don't. Those consents are no longer valid since they didn't comply with irrelevant parts of a law that didn't exist at the time.
Another is that very often when someone subscribes to a mailing list, they g
Re: (Score:1)
So you're saying that GDPR is retroactive? It might be shonky in many ways, but that isn't one of them.
In a way, yea it is (Score:2)
In order to have a person be a part of the discussion group TOMORROW, we will need to have consent records that comply with GDPR. In order to be GDPR compliant, their consent (sign up) must come after they've been informed of how to unsubscribe, the fact that you don't sell their email address to marketers, etc.
Here it is in programmatic form:
Are you sending them an email? (No: Goto Ok)
Do you have their consent? (No: Goto jail)
Is it informed consent? Meaning they saw GDPR disclosures before consenting. (No
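The two comments above (the COI best-practice post, and the "programmatic form" of the consent check) describe the same decision procedure: only send if there is a consent record, the disclosures were shown before sign-up, the sign-up was confirmed, and the person has not since unsubscribed. The following is an added example, not code from the original thread or from any of its posters, showing one way to keep such a record and run that check. Everything in it is an assumption for illustration: the field names, the seven-day confirmation window, the HMAC-signed confirmation token, the policy that a changed disclosure version requires fresh consent, and the constructed timestamps and addresses.

```python
"""Confirmed-opt-in (COI) consent ledger, illustrative only.

Models the checks a list maintainer would run before sending a marketing
email: consent exists, disclosures preceded sign-up, sign-up was confirmed
via an emailed token, and the subscriber has not unsubscribed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: a server-side secret for signing confirmation tokens.
# In a real deployment this comes from a secret store, not source code.
SIGNING_KEY = b"replace-with-a-real-secret-from-your-KMS"
CONFIRM_WINDOW = timedelta(days=7)   # assumed: unconfirmed sign-ups expire after 7 days

# Fixed base time so the example is deterministic (constructed, not real data).
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)


def at(**delta) -> datetime:
    """Helper: T0 plus a timedelta, e.g. at(hours=1)."""
    return T0 + timedelta(**delta)


@dataclass
class ConsentRecord:
    email: str
    disclosure_version: str            # which privacy notice the subscriber saw
    disclosure_shown_at: datetime      # when it was shown; must precede sign-up
    signup_at: datetime                # when the sign-up form was submitted
    confirmed_at: Optional[datetime] = None        # set only after the COI link is used
    confirm_nonce: str = field(default_factory=lambda: secrets.token_hex(16))
    unsubscribed_at: Optional[datetime] = None


def confirmation_token(rec: ConsentRecord) -> str:
    """HMAC-SHA256 over email and per-record nonce; this goes in the COI link."""
    msg = f"{rec.email}\n{rec.confirm_nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def confirm(rec: ConsentRecord, token: str, now: datetime) -> bool:
    """Record the double opt-in if the presented token is genuine and not stale."""
    if rec.confirmed_at is not None:
        return True                          # idempotent: already confirmed
    if now - rec.signup_at > CONFIRM_WINDOW:
        return False                         # link expired; sign up again
    if not hmac.compare_digest(token, confirmation_token(rec)):
        return False                         # forged or mangled token
    rec.confirmed_at = now
    return True


def unsubscribe(rec: ConsentRecord, now: datetime) -> None:
    """An unsubscribe is honoured unconditionally and kept as evidence."""
    rec.unsubscribed_at = now


def may_send(rec: ConsentRecord, current_disclosure: str) -> tuple[bool, str]:
    """The decision procedure: may a marketing email go to this record?

    Returns (allowed, reason). Order matters: an unsubscribe overrides everything.
    """
    if rec.unsubscribed_at is not None:
        return False, "unsubscribed"
    if rec.confirmed_at is None:
        return False, "unconfirmed signup"
    if rec.disclosure_shown_at > rec.signup_at:
        return False, "consent given before disclosure"
    if rec.disclosure_version != current_disclosure:
        # Assumed policy: a changed notice needs fresh consent, not "send anyway".
        return False, "disclosure changed since consent"
    return True, "ok"


if __name__ == "__main__":
    rec = ConsentRecord("subscriber@example.com", "v1", at(), at(minutes=1))
    print(may_send(rec, "v1"))                                   # unconfirmed
    confirm(rec, confirmation_token(rec), at(hours=1))
    print(may_send(rec, "v1"))                                   # ok
    print(may_send(rec, "v2"))                                   # needs re-consent
```

The record deliberately keeps the disclosure version and the time it was shown alongside the sign-up and confirmation times; that is the evidence a maintainer would need to demonstrate informed consent later, rather than re-asking everyone.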
Clean up time (Score:1)
I am getting a lot of those and quite frankly, most of them I really don't care if they delete me if I don't accept because they are not relevant for me anymore. :)
Irony (Score:2)
What are they supposed to do? (Score:5, Insightful)
The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.
Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.
Re: (Score:2)
The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.
Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.
It's an annoying week of emails, but I'm OK with it. At least from now on we will be in a state where companies have to care about how they deal with me. It's kind of revelatory how many companies have come out of the woodwork that have my details; rather glad that I can now fail to confirm that they can keep it.
Re: (Score:2)
Actually in a lot of cases depending on what data they were storing there was a legal requirement to show consent.
Since the European Data Protection Directive in 1995 went into law in around 1998 in most EU countries it was always necessary to gain explicit consent to hold someone's personal data (unless you had a law enforcement exemption or similar).
So many companies if they held your name or address along with your mailing list subscription were already breaking the law if they did not do so with explici
Re: (Score:2)
Is this actually a problem? All I've seen is a reduction in spam and better privacy.
I really can't see any down side to this.
Some ass used my domain to sign up for google... (Score:2)
Some ass used one of my domains to sign up for literally hundreds of Google accounts. Now, Google is spamming all those accounts with GDPR emails. It got so bad I had to blacklist all of Google. Google also totally ignores the reject code from the email server, if I send 'em a 554 they'll just keep trying and trying, so now I kill 'em with a 421, but they still don't give up.
GDPR spam (Score:2)
Was it difficult to include a clause in the law forbidding mass sending of e-mails?
Re: (Score:2)
Well, yes. There are numerous legitimate reasons to mass send emails, not least of which is "I want to subscribe to your mailing list".
GDPR (Score:3)
Ironically, in the last few months I have received several dozen pieces of unsolicited commercial email to an unadvertised address, without consent, concerning "How to get ready for GDPR", GDPR conferences, GDPR auditors, and even people claiming to help me form my own GDPR policies.
I find it absolutely hilarious - who on Earth is going to touch the GDPR companies that can't even follow the rules themselves?
That said, it's just a return to common sense. Did I ask you to email me? Specifically YOU? No? Then why are you emailing me?
GDPR lets me give the same response as I would to someone knocking on my door. Do I know you? Do you have legitimate business that required you to wake me up?
No? Then fuck off, and never darken my door again.
Dealing with it from the IT end has also been enlightening. We hired a member of staff just to get us through GDPR. They went through all my systems and processes. Pretty much, it doesn't affect us.
Explicit consent before sending email? Check.
People able to stop such email on demand? Check.
People able to request the data that we have on them? Check.
Data being held only as long as necessary? Check.
Because most of this stuff was just obviously what the Data Protection Act required anyway. And being a good business.
All the changes that have happened are to do with things like paper records (nothing to do with IT), etc. and databases that are outside IT control (e.g. our alumni list was hand-managed on paper, they've since digitised it because GDPR doesn't distinguish how you store it, so there's no longer any advantage to avoiding the DPA because you're not storing it on computer), and formalising policies that were already in place.
Actual IT changes necessitated? None. I've updated a bunch of software which now have GDPR deletion/anonymisation features (but we won't use those for a long time because pretty much we only store what's necessary and stuff which we need to keep anyway) and things like "obtaining and recording explicit consent" features.
GDPR = DPA + case law. If you've been keeping up over the years, GDPR is no shock. If you haven't.... well, you've been at risk for quite a while whether you think so or not. It only needed one stroppy customer to take you to court to expose practices that judges have been saying you MUST do (to be classed as "reasonably protecting the data" even under the previous DPA) but that just weren't codified in an actual law.
About the biggest pain in GDPR? Gathering all the GDPR compliance statements from everyone else we deal with. (Hey, Apple! Are you done yet?!).
Re: (Score:2)
Well... yes... that's kind of what explicit consent means!
In our case, it's a signed agreement. Before we can send an email.
And about once a month, someone "opts out" by mistake by clicking a link in an email (or via some webmail's Junk function which then asks if you want to visit the unsubscribe link) and I get stroppy enquiries about why they're not getting emails and weren't told they'd unsubscribed.
Why? Because I *can't* email you to tell you that you'd unsubscribed... you'd unsubscribed! And if you
Re: (Score:2)
But they did apply.
If you're handling EU data, they've always applied. To get that data you SHOULD have had to sign the same kind of guarantees / waivers as anyone else.
Ignorance of the law is no excuse, and if you're collecting data on EU citizens, of course it's liable to EU law just the same.
If GDPR doesn't affect you now, the various DPAs never did.
If it does affect you, the various DPAs always did.
We had the same problem with an anti-spam law (Score:2)
Re: (Score:2)
I find that most of the paranoia about things like HIPAA comes from people that can't even fucking spell it.