Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation

from the not-to-mention-unnecessary dept

As we careen wildly into a post-GDPR world at the end of this week, you’ve probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they’re just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They’re almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR “out of an abundance of caution.”

In short, if a service already has proper permission from you, then it doesn’t need to get it again. If it doesn’t, it’s violating EU spam regulations by asking you to give your consent to receive such messages.

Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.

“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”

And, yes, EU regulators are aware of all of this:

“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”

Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.

Depending on how you look at this, it’s either the most European of European regulation situations — in which efforts to comply with a new set of convoluted regulations mean violating existing convoluted EU regulations — or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.

Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it’s a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.


Comments on “Many Of Those Desperate GDPR Emails You've Been Getting Are Violating A Different EU Regulation”

Anonymous Coward says:

Re: Re:

Interestingly enough: Less than half the countries in EU have designated the enforcement agencies and many of those that have already stated that they will be very lenient at this point.

To the point: EU is leaving enforcement to the specific countries and the specific countries are basically saying, “If you designate a person as responsible for data, we will try to help you as best we can!”

HighBarSimmerWait says:

tons of companies having no idea what they actually need to do

Mike I get it, 1st amendment and all, but this is tech, these impact BIG companies that have track records of being untrustworthy and/or not actually following through on commitments to legislative bodies.

The EU rules are a high bar sure, but in my view, better to have strict rules, get through a few election cycles and when government representatives come into office that understand tech, they can lower the bar as appropriate.

On a side note
Got a notice from Microsoft, checked the link. Page after page of opt out buttons, delete data buttons, download any data Microsoft has on the user buttons. Was surprised that they had very little data at all to begin with.

Microsoft is compliant with the new EU rulings across all country borders. This seems the easiest way to deal with these privacy rulings, adopt them, let simmer, wait…

Dan (profile) says:

Re: tons of companies having no idea what they actually need to do

Sure, it affects the Facebooks and the Googles and the Microsofts. And it affects the small US-based nonprofit that runs a forum that has members in .eu. And there’s no clear guidance as yet as to what the latter is supposed to do when a user comes and says, “give me a copy of all my personal information and everything I’ve ever posted in a portable format, then delete it.”

dondoo (profile) says:

Re: Re: tons of companies having no idea what they actually need to do

Must be some translation problem, or is there some part of “give me a copy of all my personal information and everything I’ve ever posted in a portable format, then delete it.” that is not clear enough for you to understand.

It is absolutely clear, whether “right” or “wrong” is another thing altogether. Perhaps your view of that is what you meant to express?

Talmyr (profile) says:

Re: Re: Re:2 tons of companies having no idea what they actually need to do

It covers any personal data tied to personal identifiers, including (ugh) IP addresses. So if there is a way to tie your ‘anonymous’ comment to your (then) IP address, that may count in. But it’s a huge fluffy area which will probably take some litigation to clarify, unfortunately.

ECA (profile) says:

Mixing spam

Let’s see…
You get lots of emails, then get a request to Verify an email site or other information..

HOW many people will “PUSH THE BUTTON”, and have their Browser send Their data upon connection??
AND if they have programmed it properly, as you SAID “YES” by clicking the button, it can GRAB other data, DIRECT from your browser..

YES many of us have a TON of protection on our browsers, but MORE persons DONT, and DONT KNOW about this.

John Roddy (profile) says:

To be “fair”, the vast majority of the emails I’ve received so far weren’t because of GDPR. It was just the companies feeling that privacy protections are good for everyone, so they wanted to extend that to everyone, not just EU residents. It’s just an overabundance of kindness! The fact that roughly 100% of all of them say it the exact same way and conveniently happen to be right before the enactment of those rules is just a coincidence.

Anonymous Coward says:

Re: Re: Re:

Companies are just a group of people that are trying to make a living. You seem like you think companies are these evil organizations that are looking to fuck you in any way possible.

It really is just people trying to earn a living. I guess you don’t have to worry about that, right? Must be nice.

As a marketer, I don’t want to send messages to someone that doesn’t want to receive it, because that is just a waste of my time. Opt in or out, whatever, but people are just trying to live their life.

PaulT (profile) says:

Re: Re: Re: Re:

“It really is just people trying to earn a living”

Most of them yes. Unfortunately, some people either don’t care if they make the lives of other people more difficult, or in some cases will seek to actively cause them harm, if it means more for their bottom line. Hence the need for laws and regulation.

“I guess you don’t have to worry about that, right? Must be nice.”

That’s right, people who don’t care for predatory tactics must be free of any bills or other concerns in life. It can’t be because there’s more important things than money, such as the welfare of human beings?

“As a marketer”

Oh. OK, that explains a lot.

Anonymous Coward says:

Re: Re: Re:2 Re:

Like I said, I don’t want to send something to someone that doesn’t want to receive it, because it is a waste of time.

I actually don’t have a problem with GDPR, first because I am in the US, and second, because of the above.

Here is the joke though, from the US, I look at GDPR as a screen or window dressing for politicians. The NSA collects information. Phone companies sell location data, governments still invade our privacy.

GDPR is nice, but won’t do much, but anything that reduces the amount of data stored on people is a good thing.

Anonymous Coward says:

From Inside A Company Who Is Not Prepared

I work for a hosting company. I’m not sure I’m allowed to say which but we’re big enough to be traded on the NASDAQ. We are not prepared.

We’ve pushed out many and multiple emails to as many affected customers. Some saying we comply with GDPR, some asking for re-consent to data collection, some FAQs. Honestly though it’s hard to figure out how far we should go. We’re not ready and I doubt many of our peers are.

If any of these GDPR rules get enforced it’s going to be terrifying.

aerinai (profile) says:

GDPR Nightmare Scenario #634

Dear Techdirt,

I want a record of all my posts along with those that I posted as an Anonymous Coward. I also want you to delete them. I also want all sub-threads and other mentions of my avatar name, Anonymous Coward, and real name (which I will not give you) deleted as well because, GDPR

Have fun complying!

K thx bye!

P.S. please don’t really do that… I’d be sad.

Anonymous Coward says:

"emails probably violate another EU regulation" Then PROSECUTE!

All violations will stop if corporations are prosecuted. Guaranteed. Just toss the officers into jail and set bail at ten times their yearly income as they do poor people. Make examples of the half dozen most egregious, and suddenly all other execs will learn and implement GDPR.

Mainly though, this is another of Masnick’s rants in which HE’S got it all figured out, but no one in Europe does. No one outdoes Masnick for arrogance and chutzpah.

Anonymous Coward says:

It really isn’t that difficult, but it all revolves around contact that has been agreed upon. You can send a customer a bill, but do you have consent to send them marketing material?

Companies have to follow the law and be able to prove they are following the law. That means being able to prove that they have consent or have a legitimate interest.

Yeah, companies’ databases will be whacked, but that is a good thing. Does it make it harder for companies to market their products/services? Sure, but that is what the law is all about.

Perspective says:

Thoughts on small business

re: Small companies will be hit hardest at first.

It doesn’t matter the size. Size of a company should not determine that that company doesn’t have to comply. It’s like saying small delis don’t have to be inspected or be concerned about customer safety or health. If the company is doing business on the internet, it’s subject and should be.

Small business will find new offerings popping up from vendors much like small business tax packages or small biz human resources that provide self installed software programs or even hire consulting services to customize something.

Costs sure, these are new rules so there will be costs. Those get added in the business ledger and are part of the ‘cost of doing business’.

– —
In the end, this is all on the advertisers.

Eldakka (profile) says:

Re: Thoughts on small business

If the company is doing business on the internet, it’s subject and should be.

IANAL, but I don’t believe GDPR is limited to electronic (internet) systems.

If you are an old-fashioned mail-order house and only accept and send communications via snail-mail then I believe you would still have to comply.

Flint (profile) says:

Over-reaction much....

The ICO (the UK’s supervisory authority) is one of the largest and most active SAs in the EU. If you actually take note of what they are saying, their focus is on helping people comply not punishing non-compliance. If you can get BBC iPlayer, check out Click – there’s an interview with a senior representative from the ICO.

They have stated they will only use fines for the most negligent or careless cases and for repeat offenders.

If you look at their track record under the Data Protection Act, this is what they have done in the past. Most of their findings and “penalties” have been administrative – tighten up your policies & procedures, train your staff better and don’t do it again.

And if you aren’t able to comply with the intent of the GDPR, or simply can’t be arsed then you’re probably not a fit person to be holding people’s personal data. Too many organisations have proved too often that they can’t be trusted to secure PII without additional incentives. We are now in a situation where leaks of personal data can have a significant effect on real people’s lives.

PaulT (profile) says:

“They’re almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR “out of an abundance of caution.””

I was at a seminar last year regarding the GDPR. It was from an IT/systems POV, but my takeaway was that there were a lot of companies who not only hadn’t organised a real plan for it, for some it was the first they heard of some of the requirements.

I absolutely guarantee that, whichever marketing departments are responsible for a lot of these emails, they don’t know the rules for either spam or the GDPR itself. They just reacted when it hit the mainstream press recently, probably at the behest of some manager who panicked when they read some headlines. Also probably over the heads of whichever IT department will get blamed for letting them send the email if some anti-spam enforcement comes back that way.
