Slashdot Mirror


Most GDPR Emails Unnecessary and Some Illegal, Say Experts (theguardian.com)

The vast majority of emails flooding inboxes across Europe from companies asking for consent to keep recipients on their mailing list are unnecessary and some may be illegal, privacy experts have said, as new rules over data privacy come into force at the end of this week. From a report: Many companies, acting based on poor legal advice, a fear of fines of up to $23.5 million and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing. But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

8 of 91 comments

  1. Only $23.50? by innocent_white_lamb · · Score: 2

    $23.50 seems like a pretty insignificant penalty.

    I had previously read that the fines were "crippling".

    Did someone miss a zero (or several)?

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:Only $23.50? by Northdot · · Score: 2

      $23.50 seems like a pretty insignificant penalty.

      I had previously read that the fines were "crippling".

      Did someone miss a zero (or several)?

      I think they missed the "M". The potential penalties are big enough to put all but the biggest players out of business.

      We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.

    2. Re:Only $23.50? by dotancohen · · Score: 4, Insightful

      We're simply going to block all of the EU, because the consequences for even an inadvertent misstep could be catastrophic.

      Please block my IP address as well: 192.117.111.61, because the consequences for even an inadvertent misstep by you could be catastrophic for me.

      --
      It is dangerous to be right when the government is wrong.
  2. Best Practice by Going_Digital · · Score: 4, Interesting

    Companies wouldn't have to go through this nonsense if they had set out treating people properly in the first place. If their email list was created from an explicit opt-in process with clear information on how the customer's email is to be used, then they would not have to go through this re-subscribe nonsense. They all thought they were clever by auto-opting in and buying mailing lists and other questionable ways of subscribing people. Now 90% of their 'customers' will not re-subscribe so they are stuffed.

    1. Re:Best Practice by Zocalo · · Score: 3, Interesting

      Confirmed Opt-In, or COI, has been touted as a best practice for mailing lists for many years now. You didn't need to be psychic and predict the future to anticipate GDPR; you just needed to be above-board about what you were doing with the sign-up process and follow well-published best practice. If you'd done that, and retained a copy of all of your opt-in confirmations, then all the end-user interaction GDPR compliance would have required would have been a simple rider on a regular marketing email reminding your subscribers of where they could view your GDPR policies, how to contact you if required, and how to change their communications preferences if they wished. No further end-user action required.

      Sadly, even amongst those lists that have been using COI for years, this point seems to have escaped most mailing list maintainers.

      --
      UNIX? They're not even circumcised! Savages!
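Zocalo's point above, confirmed opt-in with a retained record of each confirmation, as an added Python sketch that is not from the thread or from any product it mentions: a signed, expiring confirmation token is mailed out, consent exists only once that token comes back, the record keeps the request and confirmation timestamps as evidence, and an opt-out stops mailing without destroying the evidence. The purpose strings, 48-hour token lifetime and injected clock are assumptions of the example.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class ConsentRecord:
    email: str
    purpose: str                        # what the address will be used for, shown at sign-up
    requested_at: int                   # unix time the sign-up form was submitted
    confirmed_at: Optional[int] = None  # set only when the mailed token comes back
    withdrawn_at: Optional[int] = None  # set when the subscriber opts out again

class OptInRegistry:
    # Confirmed opt-in: a request alone never creates consent, only a returned token does.
    def __init__(self, secret: bytes, ttl: int = 48 * 3600,
                 now: Callable[[], int] = lambda: int(time.time())):
        self._secret, self._ttl, self._now = secret, ttl, now   # ttl/clock: assumed values
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str) -> str:
        """Store the pending request; return the token to embed in the confirmation link."""
        ts = self._now()
        self._records[(email, purpose)] = ConsentRecord(email, purpose, ts)
        payload = base64.urlsafe_b64encode(json.dumps([email, purpose, ts]).encode())
        return payload.decode() + "." + self._mac(payload)

    def confirm(self, token: str) -> bool:
        """Accept only an unexpired token whose MAC verifies; stamp the confirmation time."""
        try:
            payload, mac = token.rsplit(".", 1)
            if not hmac.compare_digest(mac, self._mac(payload.encode())):
                return False
            email, purpose, ts = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return False
        rec = self._records.get((email, purpose))
        if rec is None or rec.requested_at != ts or self._now() > ts + self._ttl:
            return False
        rec.confirmed_at = self._now()
        return True

    def withdraw(self, email: str, purpose: str) -> None:
        rec = self._records.get((email, purpose))   # keep the record as evidence, stop mailing
        if rec is not None:
            rec.withdrawn_at = self._now()

    def may_mail(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```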
    2. Re:Best Practice by Cederic · · Score: 2

      Oh, nice propaganda. But tell me, do you have any factual information regarding GDPR or just the bullshit you spouted here?

      GDPR is fucking trivial to comply with unless you're someone like Equifax with a plethora of acquisitions that all have disparate data and processes. In which case you have the resources to comply anyway.

      Logging personally identifiable information was never good practice in the first place.

  3. What are they supposed to do? by imidan · · Score: 4, Insightful

    The government has passed a law that provides for fines on the order of $23 million (or more, if the business is large). Businesses that are requesting new opt-ins are doing it so they can demonstrate that they have explained what they do with customer data and have obtained explicit permission to do so.

    Yeah, it would have been great if these businesses had been doing that all along, but there was no legal requirement for them to do so. They may not have kept records that would allow them to demonstrate compliance. Why would it be a surprise to anybody that businesses are trying to cover their asses to avoid paying fines that could destroy them? This is a completely foreseeable result.

  4. GDPR by ledow · · Score: 2

    Ironically, in the last few months I have received several dozen pieces of unsolicited commercial email to an unadvertised address, without consent, concerning "How to get ready for GDPR", GDPR conferences, GDPR auditors, and even people claiming to help me form my own GDPR policies.

    I find it absolutely hilarious - who on Earth is going to touch the GDPR companies that can't even follow the rules themselves?

    That said, it's just a return to common sense. Did I ask you to email me? Specifically YOU? No? Then why are you emailing me?

    GDPR lets me give the same response as I would to someone knocking on my door. Do I know you? Do you have legitimate business that required you to wake me up?
    No? Then fuck off, and never darken my door again.

    Dealing with it from the IT end has also been enlightening. We hired a member of staff just to get us through GDPR. They went through all my systems and processes. Pretty much, it doesn't affect us.

    Explicit consent before sending email? Check.
    People able to stop such email on demand? Check.
    People able to request the data that we have on them? Check.
    Data being held only as long as necessary? Check.

    Because most of this stuff was just obviously what the Data Protection Act required anyway. And being a good business.

    All the changes that have happened are to do with things like paper records (nothing to do with IT), etc. and databases that are outside IT control (e.g. our alumni list was hand-managed on paper, they've since digitised it because GDPR doesn't distinguish how you store it, so there's no longer any advantage to avoiding the DPA because you're not storing it on computer), and formalising policies that were already in place.

    Actual IT changes necessitated? None. I've updated a bunch of software which now have GDPR deletion/anonymisation features (but we won't use those for a long time because pretty much we only store what's necessary and stuff which we need to keep anyway) and things like "obtaining and recording explicit consent" features.

    GDPR = DPA + case law. If you've been keeping up over the years, GDPR is no shock. If you haven't... well, you've been at risk for quite a while whether you think so or not. It only needed one stroppy customer to take you to court to expose practices that judges have been saying you MUST do (to be classed as "reasonably protecting the data" even under the previous DPA) but that just weren't codified in an actual law.

    About the biggest pain in GDPR? Gathering all the GDPR compliance statements from everyone else we deal with. (Hey, Apple! Are you done yet?!).