Slashdot Mirror
Most GDPR Emails Unnecessary and Some Illegal, Say Experts (theguardian.com)
The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 million and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.
$23.50 seems like a pretty insignificant penalty.
I had previously read that the fines were "crippling".
Did someone miss a zero (or several)?
If you're a zombie and you know it, bite your friend!
From various junk mail companies who want my "consent" to keep junking me.
Still a rapist. Where have I seen this before?
Companies wouldn't have to go through this nonsense if they had set-out treating people properly in the first place. If their email list was created from an explicit opt-in process with clear information on how the customer's email is to be used then it they would not have to go through this re-subscribe nonsense. They all thought they were clever by auto-opting in and buying mailing lists and other questionable ways of subscribing people. Now 90% of their 'customers' will not re-subscribe so they are stuffed.
I unsubscribed from SUSE's mailing list over ten years ago after Novell bought them and their product went to shit. Now, they email me:
We've noticed that we haven't heard from you in awhile -- are you still interested in hearing about SUSE events, products, and whitepapers? We have so many great things going on from SUSE Expert Days to data explosions!
No, I don't want to hear from you. It's been ten years.
I am getting a lot of those and quite frankly, most of them I reallly don’t care if they delete me if I don’t accept because hey are not relevant for me anymore. :)
L'Idiot
Ironically enough, as I was reading this thread I received an email about opting in/out of emails due to GPDR. Gave me a nice chance to unsubscribe for a mailing list I didn't even care about or was even aware I was on.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
But if you are travelling thru Europe and are in a european airport and do something on the web, are you not covered for that period?
Likewise, if you are using a VPN that exits from Europe, does it not appear that you there and hence covered - how is business supposed to know which is which?
I heard that the Jews somehow were able to get in to the World Trade Center prior to 9/11 and rig the buildings with demolition explosives. Is this true?
The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.
Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.
That's not quite true. As an example, GDPR requires that before getting consent, you must inform the user whether you will or won't do certain things with the data. Before GDPR, a lot of companies didn't bother saying "we won't ..." where it wouldn't even make sense to mention that, of course they don't. Those consents are no longer valid since they didn't comply with irrelevant parts of a law that didn't exist at the time.
Another is that very often when someone subscribes to a mailing list, they get an email telling them how they can unsubscribe, and the bottom of every email sent to the list has an unsubscribe link. People who joined such discussion lists have to be removed because they weren't told how to unsubscribe BEFORE they joined. Telling them after they join doesn't comply with GDPR. If you didn't give them the unsubscribe info BEFORE they signed up, legally they never signed up.
Some ass used one of my domains to sign up for literally hundreds of Google accounts. Now, Google is spamming all those accounts with GDPR emails. It got so bad I had to blacklist all of Google. Google also totally ignores the reject code from the email server, if I send 'em a 554 they'll just keep trying and trying, so now I kill 'em with a 421, but they still don't give up.
The EU should create laws in such a way that we are spared from the spam.
Was it difficult to include a clause in the law forbidding mass sending of e-mails?
Ironically, in the last few months I have received several dozen pieces of unsolicited commercial email to an unadvertised address, without consent, concerning "How to get ready for GDPR", GDPR conferences, GDPR auditors, and even people claiming to help me form my own GDPR policies.
I find it absolutely hilarious - who on Earth is going to touch the GDPR companies that can't even follow the rules themselves?
That said, it's just a return to common sense. Did I ask you to email me? Specifically YOU? No? Then why are you emailing me?
GDPR lets me give the same response as I would to someone knocking on my door. Do I know you? Do you have legitimate business that required you to wake me up?
No? Then fuck off, and never darken my door again.
Dealing with from the IT end has also been enlightening. We hired a member of staff just to get us through GDPR. They went through all my systems and processes. Pretty much, it doesn't affect us.
Explicit consent before sending email? Check.
People able to stop such email on demand? Check.
People able to request the data that we have on them? Check.
Data being held only as long as necessary? Check.
Because most of this stuff was just obviously what the Data Protection Act required anyway. And being a good business.
All the changes that have happened are to do with things like paper records (nothing to do with IT), etc. and databases that are outside IT control (e.g. our alumni list was hand-managed on paper, they've since digitised it because GDPR doesn't distinguish how you store it, so there's no longer any advantage to avoiding the DPA because you're not storing it on computer), and formalising policies that were already in place.
Actual IT changes necessitated? None. I've updated a bunch of software which now have GDPR deletion/anonymisation features (but we won't use those for a long time because pretty much we only store what's necessary and stuff which we need to keep anyway) and things like "obtaining and recording explicit consent" features.
GDPR = DPA + case law. If you've been keeping up over the years, GDPR is no shock. If you haven't.... well, you've been at risk for quite a while whether you think so or not. It only needed one stroppy customer to take you to court to expose practices that judges have been saying you MUST do (to be classed as "reasonably protecting the data" even under the previous DPA) but that just weren't codified in an actual law.
About the biggest pain in GDPR? Gathering all the GDPR compliance statements from everyone else we deal with. (Hey, Apple! Are you done yet?!).
Nope GDPR is what happens when good-intentions become laws.
Basically everyone who deals with "Cookies" for websites are having a heart attack right now because the GDPR makes it illegal to store cookies for EU citizens, and there's no fucking way to tell if someone is a EU citizen from ip address alone.
I love how I keep seeing that the GDPR applies to any company with a website even if the company has no presence in the EU because people in the EU can access the website. Pretty sure we decided way back in 1776 that laws from across the pond don't apply to us. Good luck enforcing your GDPR over here.
Some companies waited until after the last date for asking their customers to re-consent, then sent requests that were, you guessed it, SPAM!
davecb@spamcop.net
Yeah, because I trust the current Hard-Brexiteer-pandering UK government who think "AI" will magically be able to spot and take down offensive social media posts and intend- from this position of ignorance- to compel social media networks to make that work *so* much more.
(Not that I have any liking for the social media companies either, but my enemy's enemy is *not* my friend here).
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
I used to work in a state gov't department that was responsible for making sure organizations were in compliance with HIPPA when it first started so I had more than the average bear's knowledge of the area and over the years I have personally seen medical professional invoke HIPPA for scenarios that have nothing to do with it.
The most egregious, one friend was taken to the Emergency Room by another. The receiving nurse tried to claim that if the sick friend did not immediately sign a HIPPA release, the other friend had to leave the ER.
The reality was that the non-sick friend was raising a stink because he felt like the sick friend wasn't getting the attention he needed. They felt like trying to force someone writhing in agony to sign a legal document wouldn't happen so they would be able to get rid of the nuisance party.
Others were obviously more just obsessive CYA scenarios. So I'm sure we'll have years of these three things applied to GDPR:
1) false claims for deliberate scams
2) false claims because they're trying to bamboozle people into compliance with their wishes
3) false claims out of pure ignorance/an over abundance of caution
Yeah why would anyone want their private personal data handled properly? What a waste of time.
You can hand over your personal data to identity thieves via Equifax or TalkTalk if you like - I prefer it to be handled properly myself.
This is just plain funny. /.
So-called expert gets hacked then can't stop it. Then he complains to
Like anyone really gives a shit.
In order to have a person be a part of the discussion group TOMORROW, we will need to have consent records that comply with GDPR. In order to be GDPR compliant, there consent (sign up) must come after they've been informed of how to unsubscribe, the fact that you don't sell their email address to marketers, etc.
Here it is in programmatic form:
Are you sending them an email? (No: Goto Ok)
Do you have their consent? (No: Goto jail)
Is it informed consent? Meaning they saw GDPR disclosures before consenting. (No: Goto jail)
You need "informed consent". It's not sufficient under GDPR to inform them afterwards, "informed consent" under GDPR requires that they have the information BEFORE they sign up. Therefore you don't have GDPR-compliant informed consent from people who signed up prior to changing your site to be GDPR-compliant, including listing things you don't do.
It's not informed consent under GDPR if you didn't give them the GDPR info before they consented. Therefore you can't use their information after GDPR is in effect. Basically they either have to sign up again after receiving the GDPR disclosures, or you have to delete them because you don't have informed consent.
Pity for you that the GDPR will continue to be in UK law after Brexit.
The road to hell is paved with good intentions. Big websites can circumvent this rubbish whereas smaller websites are petrified by the scope of the law, and unlikely to want to risk the hefty fines. It's not just about cookies, every user has the right to know everything you know about them, and the right to have all that deleted.
I didn't trust any of them. I wanted to leave the EU after right to be forgotten smelled too much of 1984 and the removal of our collective right to remember what has happened and who by. The EU is not democratic, the people who make the EU laws are not elected, therefore the EU is technically an oligarchy.
I don't like big companies either. The government is far more destructive than any company. Handing over power to them just because they seem benevolent is never a good idea. Tomorrow an elected government could use these tools and others to benefit its members and supporters to the detriment of dissenters. This would mean the end of democracy and the installation of a dictatorship, and it would all done with our consent.
Pity for you too. We are all victims here. This EU law was not created by a democratic body. Tomorrow, when you may want to start an internet business of your own, you will have to take all of this into consideration, and you may decide that it is too expensive to comply from the beginning. Your venture may die before it begins because of this law and others like it.
How would you force companies to give a shit about protecting users' private information? Taking my business elsewhere is meaningless if my details have already been exposed, and the case of Equifax i can't do that anyway because I'm not the customer.
Equifax and companies like it, exist because of government intervention. Pointless bureaucratic nonsense brought in in the name of protecting people, but ultimately leading to their detriment. Thomas Jefferson said the best government governs least (or words to that effect.)
I believe that it's government intervention that makes monopolies exist by hurting the prospects of smaller competing companies that can't afford to comply with the measures imposed on them. Facebook already dedicates a huge budget on compliance, who can afford to spend that kind of money from the outset? The more rules and regulations we impose, the less likely that a competitor will take hold, and the more likely that a small group of established companies will rise to dominance and power. Power which they in turn can abuse. Abuse which persuades people to support more rules and regulations.
I found it insanely interesting and tantalising.
Your drivel, however, has numbed my mind and you should feel bad.
Yes. Not *MY* private personal data. I'm not european. I'm not protected by those laws. Why do I care?
What government intervention created Equifax? You still haven't answered my point though. How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
Who up-voted your comment? Are you so insecure that you up-vote your own comments? Did you down-vote my comment? Is this the spirit of enlightened discussion you aspire to?
No I didn't. Are you going to answer my question?
Equifax exists in order for banks to judge you when you ask them for a loan. If the government wasn't intervening in the free capitalist market, banks and ratings companies such as Equifax would be much smaller due to healthy competition. GDPR will make it harder for a competitor to take Equifax down a notch due to high cost of employing compliance lawyers and the additional cost of compliance itself. A large established company can afford to do this, a small company will struggle with this. Does this answer your question? Do you see how government intervention makes big companies bigger and hence more dangerous, and small companies bankrupt? We are adding layers of bureaucracy in order to correct distortions in the market caused by previous layers of bureaucracy.
How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
Are you referring to data breaches? You want to punish companies for data breaches? That's like calling the police after you've been burgled and being fined for 'letting' the burglars in. That's stupid! No wonder you keep up-voting your own comments!
Yes I do want companies that are cavalier about protecting my personal data to be punished. Most of the serious data breaches have been due to the business in question not being prepared to spend the time and money to ensure their customers are adequately protected. That is what GDPR is for, to force organisations to give a shit about the people they are supposed to be serving. Unless of course you're happy for your personal data like credit card or social security numbers to be stored unencrypted on unpatched servers that is.
This is my only account. I have no interest in karma since it's already maxed out. How about you answer my question instead of giving me a load of guff about how my data would be safer if there were 10000 banks and 100 credit agencies. It wouldn't because security is a cost that a lot of organisations don't care about. I can start posting examples of data breaches in markets that have a lot of competition if that will focus your mind.
No system is perfect, there is no absolute vault of data. Data breaches will continue. GDPR is about what information companies are permitted to collect about you, what they can do with that information and giving you the right to view and delete this information. You have to grow up and accept that there is no privacy any more. Your information will be freely available. The laws are there to stop people abusing this information, not to stop the information from existing.
I never said your data would be safer with 10000 banks. Pay attention!
GDPR won't stop data breaches and was never designed to do so. The criminal is not the person who stores your credit card information, it is the person to takes it and uses it without your permission. My credit card is not encrypted, anyone who looks at it has the information. I hand it over at restaurants and shops to people who could easily copy that information. If you still haven't understood my point of view, maybe you should ask an adult to draw you a picture.
GDPR is absolutely about the secure handling of personal information, hence the colossal fines. Perhaps you should go away and read it. It won't prevent a determined attacker but what it will do is force organisations to have proper policies in place to make it less likely. I work for an organisation that is currently going through GDPR compliance and we are hardening our systems, tightening up who has access to them and ensuring that everything is up to date. What do you know about GDPR? Very little judging by your comments. I'm still waiting for you to tell me how the market will force organisations to take proper care of people's private information.
I'm still waiting for you to tell me...
Do your shoes have Velcro?
So tell me all knowing wise guy, what are all the emails about? Why do I have to confirm that they can keep in touch? Who gives a crap about cookies anyway? Why do messaging apps on my phone ask me to confirm my date of birth? How is any of this to do with breaches of data? Why is giving them extra data going to prevent my data from leaking? Are they hoping that by telling criminals when I was born, that they will miraculously choose not to steal my data? Why is everyone talking about GDPR data requests? You say less likely, so do you accept that all of these lost work hours are futile and that data will still leak? After all, it only needs to leak once. You say colossal fines, so even after all your hard work and diligence, you may still be wiped out by the actions of some criminals. Is that correct? Is that the right way to go about things? Beat the victim of a crime over the head with colossal fines? You work for an organisation pouring resources (time and money) into compliance, do you think that a smaller organisation would be able to dedicate the same amount of resources as yours? Do you think that you are lucky to work for a large organisation, because or course some people will loose their jobs in the smaller ones that will close as a result of GDPR and the high cost of compliance? Have you read GDPR?
Here is the GDPR in pdf:
http://data.consilium.europa.eu/doc/document/ST-9565-2015-INIT/en/pdf
Have you read all 201 pages? Did you understand them all? Did you have to lookup some of the big words? Am I wasting my time talking to you?
I think someone needs their nappy changed
Off you go then.