Slashdot Mirror
Most GDPR Emails Unnecessary and Some Illegal, Say Experts (theguardian.com)
The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 million and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.
$23.50 seems like a pretty insignificant penalty.
I had previously read that the fines were "crippling".
Did someone miss a zero (or several)?
If you're a zombie and you know it, bite your friend!
Companies wouldn't have to go through this nonsense if they had set-out treating people properly in the first place. If their email list was created from an explicit opt-in process with clear information on how the customer's email is to be used then it they would not have to go through this re-subscribe nonsense. They all thought they were clever by auto-opting in and buying mailing lists and other questionable ways of subscribing people. Now 90% of their 'customers' will not re-subscribe so they are stuffed.
I am getting a lot of those and quite frankly, most of them I reallly don’t care if they delete me if I don’t accept because hey are not relevant for me anymore. :)
L'Idiot
Ironically enough, as I was reading this thread I received an email about opting in/out of emails due to GPDR. Gave me a nice chance to unsubscribe for a mailing list I didn't even care about or was even aware I was on.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.
Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.
That's not quite true. As an example, GDPR requires that before getting consent, you must inform the user whether you will or won't do certain things with the data. Before GDPR, a lot of companies didn't bother saying "we won't ..." where it wouldn't even make sense to mention that, of course they don't. Those consents are no longer valid since they didn't comply with irrelevant parts of a law that didn't exist at the time.
Another is that very often when someone subscribes to a mailing list, they get an email telling them how they can unsubscribe, and the bottom of every email sent to the list has an unsubscribe link. People who joined such discussion lists have to be removed because they weren't told how to unsubscribe BEFORE they joined. Telling them after they join doesn't comply with GDPR. If you didn't give them the unsubscribe info BEFORE they signed up, legally they never signed up.
Some ass used one of my domains to sign up for literally hundreds of Google accounts. Now, Google is spamming all those accounts with GDPR emails. It got so bad I had to blacklist all of Google. Google also totally ignores the reject code from the email server, if I send 'em a 554 they'll just keep trying and trying, so now I kill 'em with a 421, but they still don't give up.
The EU should create laws in such a way that we are spared from the spam.
Was it difficult to include a clause in the law forbidding mass sending of e-mails?
Ironically, in the last few months I have received several dozen pieces of unsolicited commercial email to an unadvertised address, without consent, concerning "How to get ready for GDPR", GDPR conferences, GDPR auditors, and even people claiming to help me form my own GDPR policies.
I find it absolutely hilarious - who on Earth is going to touch the GDPR companies that can't even follow the rules themselves?
That said, it's just a return to common sense. Did I ask you to email me? Specifically YOU? No? Then why are you emailing me?
GDPR lets me give the same response as I would to someone knocking on my door. Do I know you? Do you have legitimate business that required you to wake me up?
No? Then fuck off, and never darken my door again.
Dealing with from the IT end has also been enlightening. We hired a member of staff just to get us through GDPR. They went through all my systems and processes. Pretty much, it doesn't affect us.
Explicit consent before sending email? Check.
People able to stop such email on demand? Check.
People able to request the data that we have on them? Check.
Data being held only as long as necessary? Check.
Because most of this stuff was just obviously what the Data Protection Act required anyway. And being a good business.
All the changes that have happened are to do with things like paper records (nothing to do with IT), etc. and databases that are outside IT control (e.g. our alumni list was hand-managed on paper, they've since digitised it because GDPR doesn't distinguish how you store it, so there's no longer any advantage to avoiding the DPA because you're not storing it on computer), and formalising policies that were already in place.
Actual IT changes necessitated? None. I've updated a bunch of software which now have GDPR deletion/anonymisation features (but we won't use those for a long time because pretty much we only store what's necessary and stuff which we need to keep anyway) and things like "obtaining and recording explicit consent" features.
GDPR = DPA + case law. If you've been keeping up over the years, GDPR is no shock. If you haven't.... well, you've been at risk for quite a while whether you think so or not. It only needed one stroppy customer to take you to court to expose practices that judges have been saying you MUST do (to be classed as "reasonably protecting the data" even under the previous DPA) but that just weren't codified in an actual law.
About the biggest pain in GDPR? Gathering all the GDPR compliance statements from everyone else we deal with. (Hey, Apple! Are you done yet?!).
Some companies waited until after the last date for asking their customers to re-consent, then sent requests that were, you guessed it, SPAM!
davecb@spamcop.net
Yeah, because I trust the current Hard-Brexiteer-pandering UK government who think "AI" will magically be able to spot and take down offensive social media posts and intend- from this position of ignorance- to compel social media networks to make that work *so* much more.
(Not that I have any liking for the social media companies either, but my enemy's enemy is *not* my friend here).
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
Yeah why would anyone want their private personal data handled properly? What a waste of time.
You can hand over your personal data to identity thieves via Equifax or TalkTalk if you like - I prefer it to be handled properly myself.
In order to have a person be a part of the discussion group TOMORROW, we will need to have consent records that comply with GDPR. In order to be GDPR compliant, there consent (sign up) must come after they've been informed of how to unsubscribe, the fact that you don't sell their email address to marketers, etc.
Here it is in programmatic form:
Are you sending them an email? (No: Goto Ok)
Do you have their consent? (No: Goto jail)
Is it informed consent? Meaning they saw GDPR disclosures before consenting. (No: Goto jail)
You need "informed consent". It's not sufficient under GDPR to inform them afterwards, "informed consent" under GDPR requires that they have the information BEFORE they sign up. Therefore you don't have GDPR-compliant informed consent from people who signed up prior to changing your site to be GDPR-compliant, including listing things you don't do.
It's not informed consent under GDPR if you didn't give them the GDPR info before they consented. Therefore you can't use their information after GDPR is in effect. Basically they either have to sign up again after receiving the GDPR disclosures, or you have to delete them because you don't have informed consent.
How would you force companies to give a shit about protecting users' private information? Taking my business elsewhere is meaningless if my details have already been exposed, and the case of Equifax i can't do that anyway because I'm not the customer.
I find that most of the paranoia about things like HIPAA comes from people that can't even fucking spell it.
Yes. Not *MY* private personal data. I'm not european. I'm not protected by those laws. Why do I care?
What government intervention created Equifax? You still haven't answered my point though. How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
No I didn't. Are you going to answer my question?
How will the market make businesses give a shit about protecting their customers' data given that the market has totally failed to punish offenders thus far?
Yes I do want companies that are cavalier about protecting my personal data to be punished. Most of the serious data breaches have been due to the business in question not being prepared to spend the time and money to ensure their customers are adequately protected. That is what GDPR is for, to force organisations to give a shit about the people they are supposed to be serving. Unless of course you're happy for your personal data like credit card or social security numbers to be stored unencrypted on unpatched servers that is.
This is my only account. I have no interest in karma since it's already maxed out. How about you answer my question instead of giving me a load of guff about how my data would be safer if there were 10000 banks and 100 credit agencies. It wouldn't because security is a cost that a lot of organisations don't care about. I can start posting examples of data breaches in markets that have a lot of competition if that will focus your mind.
GDPR is absolutely about the secure handling of personal information, hence the colossal fines. Perhaps you should go away and read it. It won't prevent a determined attacker but what it will do is force organisations to have proper policies in place to make it less likely. I work for an organisation that is currently going through GDPR compliance and we are hardening our systems, tightening up who has access to them and ensuring that everything is up to date. What do you know about GDPR? Very little judging by your comments. I'm still waiting for you to tell me how the market will force organisations to take proper care of people's private information.
I think someone needs their nappy changed