GDPR and automated email marketing
gdprhq.io
As somebody who has hated spam for years, I can only wish that I were in the EU.
There is a whole swathe of companies that is somewhere between casual and negligent with email addresses, and it would be my distinct pleasure to have a stick like GDPR to beat them with.
The good news is there's going to be at least some echo effect here. I work for a US based company, although the vast majority of our users are in Asia. We're implementing GDPR for everyone. It won't affect the companies that exist solely to spam you much, but for most companies the technical issues of ONLY implementing this in the EU are simply too great.
So everyone will get at least some benefit. But ya, it'd be great if other governments took this as seriously.
I feel like it's also the case for many companies that they'd like to implement GDPR-like tools for users, but as long as no one is paying them to do so it's a waste of time. GDPR is a nice excuse to build that functionality and roll it out to all your users.
Spammers don’t tend to operate from first-world jurisdictions. (When they do, CAN-SPAM is decent about requiring working unsubscribe buttons). Spam is not a problem you can solve with regulation.
Sure, I don’t expect to stop receiving invitations to enlarge my genitals in my spam folder because of GDPR, but I’ll be happy enough if it discourages dodgy online shops and growth-hacky startups from automatically signing me up to their mailing list because I made a one-off transaction and “consented” to receive their special offers for all eternity on page 25 of their terms and conditions.
Oh, I wouldn't expect it to solve the spam problem. But as I said, there are a lot of US-based companies that are at best sloppy with address management. Those are also the ones most likely to make it past my existing filters, because they are semi-legitimate. Being able to turn up the heat on them would be a pleasure.
Mostly true, but I would say that - while regulation certainly shouldn't be the primary tool used to fight spam, it can help discourage bad behavior within a jurisdiction, and can reduce spam load a bit. Mostly by secondary effects (e.g., an email service provider says to their customers, "here's the legal standard, we need you to adhere to this").
No, that annoys me the most, that I have to go and click the unsubscribe button and wait for the page to load and then click another button. They should have not sent me the email in the first place.
If the spammers are pushing some product that is sold online or sold in the "first world," they certainly could be attacked with regulation.
Most of the promotional email I get is from local businesses operating in my own town. And each time I unsubscribe it feels like my email gets handed over to the next mailing list of a similar business. A recurring topic is "art galleries" and "event venues". I'm pretty sure GDPR can help with that. And, also, possibly related to GDPR: I already got a couple of emails asking me to confirm I want to continue receiving emails. Chances are this is related to building the verified opt-in list this article mentions.
There are 2 kinds of spam:
* Nigerian scam type spam
* ads/commercial spam
The first is already illegal, and yes, it's difficult to fight and comes from first world jurisdictions.
But the second is operated by well known companies, most of the time through well known service providers (Salesforce, Adobe...). And these companies do put a lot of personal information in their databases (what did you buy, did you click on a specific link, did you open a specific email, etc).
Spam is a problem that can only be fixed by Tony Soprano types.
But the government probably wouldn't like that very much.
Sorry to break it to you, but having lived both in the EU, and now in the US, I still get more email spam from France.
Laws like this are broad and overreaching, but they are rarely enforced.
GDPR has much higher punishments for breaking it than previous EU privacy laws. Many companies are taking the legislation seriously due to this. I expect GDPR to be actually useful in moving the line for privacy.
For these kinds of violations, fines can be "up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher".
The GDPR won't be implemented for another month and a half.
GDPR is active now. It has been for almost two years.
It is just now becoming enforced (with all its sanctions), after the two-year transition period.
That's why people only start caring now, at the very last minute. There's a difference between a law on paper, and a law with attached consequences, so I still expect meaningful change after May 25th.
Yes, the EU regulation, but the actual laws are not active.
Have you complained to the regulator? I'm not in France, but it has generally worked for me.
Today, I requested assistance from the authority for the first time.
And I’m eager to see how my request will be handled.
Do you have any suggestion? You seem pretty accustomed to it.
Which authority specifically? My experience is with two Portuguese regulators (one of Data Protection, other of Telecommunications). The first was pretty good, the second required a bit of insistence to prevent them from closing the matter after the company sent a reply that said nothing, but both worked out with nothing more than a few emails.
With the Italian Data Protection authority. http://gpdp.it
I wanted to know if emails are enough, but you already answered that. I'll need to test how many "a few" is.
My fear is that the process will take too much effort, it would be useless if rules were not enforced.
The CAN-SPAM Act of 2003 is a fine stick, easy to handle, and packs an up to ~$40,000 punch for EACH violation.
I happily reference the FTC documentation of this act whenever I see spam coming in after having unsubscribed. Funny, I can’t seem to recall any instance where the spam then continued...
You must not get Azure emails.
> We've added new features to Azure! Read this advertisement!
> ...
> This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy.
> [Lack of unsubscribe intensifies]
The three dots you omitted actually have this relevant text:
> To customize what's included in this email, who gets it, or to unsubscribe, set your Message center preferences. If you are receiving this email because your Admin added you as a recipient, please contact your Admin to unsubscribe.
> Microsoft respects your privacy. To learn more, please read our Privacy Statement.
No, they don't. The closest thing is:
> Note: As an Azure customer, you are receiving this email because we are required to notify you of product changes that may affect your subscription. This is the only communication that you will receive directly from Microsoft regarding these product changes.
Seems like they're required by law to spam you. Of course they're going to at least use it for something worthwhile at the same time.
It's actually
>This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy. Please read our Privacy Statement.
with no option to unsubscribe
Weird. The above is a quote from the Office 365 message. I only have very old Azure messages, as I have unsubscribed from the mail.
Just to make it clear - I'm not working for Microsoft or anything like that.
Is there a direct link to the relevant part of their website to actually do that? If not, then it's not good enough.
Yes, there is. The words "set your Message center preferences" are a link.
They don't. An unsubscribe link behind a login wall sucks.
Speaking in the larger context, this stick you feel you've been given comes at a high price. Unfortunately, it's only a matter of time before the powers that be will fashion a stick with which to beat you, too.
What is that price? That I can't be cavalier with user data? I'm just fine with that.
I'm really curious whether or not this will have an effect and to what extent.
I have spent the last 6 months documenting all of our company's processes that handle customer interaction and data (which is basically all our processes), creating flowcharts of how data moves between us, third-party providers and customers, as well as creating a document for each of these flowcharts that pinpoints exactly how we are complying with GDPR for every sub-process.
If for nothing else, we now have a total overview of what we do and how we do it - in an easily shareable collection of visualisations and documentational material.
Same here. My company is a lot smaller (at least from the sound of it) but GDPR made me review my processes as well.
There were still a few processes that I could simplify and automate.
Would you be interested in a compliant user data management service? What specifically would you look for in one?
> Part of this opt-in verification process must include clear documented proof that the person opted in with a full understanding of what they were signing up to.
Does anyone have any idea how to actually do that? How do I prove that a given user actively checked a box?
The hard part here is not recording the check on the box--any email service provider will handle that. The hard part is the "full understanding." Historically lots of us have
a) been willfully unclear about what it means to subscribe to a list
b) changed what our mailings are like over time.
We can stop doing (a), with effort, but I don't see how (b) will ever go away. So this is going to be continuous, active effort with subscribers. I would like to think that very easy, reliable, one-click unsubscribe will be sufficient.
Make them take a quiz! That will help opt-in rates.
The article uses "beyond reasonable doubt", which is obviously a misapplication of the legal term of art. This being civil law, not criminal, the 50:50 proof, i.e. "preponderance of the evidence", should suffice.
In reality, I doubt there will be a practical difference to how it has been handled in the past here in Germany, where similar law has long been practice.
That means: your sign-up page needs a checkbox, that cannot be pre-checked, and that clearly states that it's an opt-in to receive these mails. This needs to be separate from any acceptance of ToS or anything else that is necessary for the transaction in question.
To verify the form submitter's identity, send a verification to their e-mail address (if you haven't already). Make sure the verification email does not already contain any advertisement itself.
Would something like a verification email asking them to double verify answer that? They click the box, then they have to open an email and click a link also verifying it?
But is that sufficient under GDPR? Although a double opt-in has generally been considered good practice for a long time, it only demonstrates that a recipient has agreed to receive mail for some purpose, not for any specific purpose.
Even if you've been building up your mailing list for years, following generally accepted good practices, and only signing up genuinely interested recipients, it seems you could now be in a position where either:
(a) when you signed people up, you provided sufficient information about what you would be sending to them and you can still produce evidence of that today;
(b) you need to contact everyone on your list to obtain explicit, specific consent for whatever you actually send to your list; or
(c) you have to remove anyone who isn't covered by (a) or (b) above (or delete your whole list).
As with so much about the GDPR, what will be accepted as reasonable evidence of informed consent for earlier subscribers to a mailing list is ambiguous, and the consequences of either doing too much or not doing enough are undesirable.
Yes, this is the way that is recommended the most.
You can't prove it, but you can persuade a reasonable person that they probably did. You could do this by showing them your processes, the UI as the user would have seen it, and the code that ends up storing that in the database. Also, if your complaint rates are low, they will probably assume that the issue is not on your side.
Short of quizzing the user, you can't prove that they understood. But our lawyers and compliance officers seem to think it's enough to make it so that a decision not to understand is intentionally made by the user.
Like T&Cs, everybody knows that most people don't read them. Nobody's going to start quizzing their user, so what's a reasonable compromise? Forcing the user to at least scroll through some (or all) of it before agreeing. You make it clear that the intention is for you to read it, and that you're agreeing to something you should have read.
I would really like to see that challenged in a court. A company cannot reasonably expect their users to read and understand tens or hundreds of pages of T&C legalese. No one reads them. That's the fact.
Usually you'd save the user's opt-in time, and tie it back to their user account. You would need to make sure the opt-in clearly explains what it's for. You would also save the context of the opt-in: was it during account registration, when they visited a blog post, etc.
Obviously make sure to otherwise comply with the GDPR as you do this.
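The consent record sketched above (unchecked box, separate from the ToS, verification email, opt-in time and context tied to the account) as an added example; this is not the commenter's code or any real library's API. It refuses pre-checked boxes, stores a hash of the exact wording shown so the evidence survives UI redesigns, and only counts consent for a specific purpose once the single-use verification link has been clicked. Names, the 48-hour link validity and the in-memory store are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ConsentRecord is the evidence kept per opt-in: not just "a box was ticked",
// but the exact wording shown, where it was shown, and the double opt-in timeline.
type ConsentRecord struct {
	Email          string
	Purpose        string    // one record per purpose, e.g. "weekly-offers"
	WordingVersion string    // identifier of the copy shown next to the checkbox
	WordingHash    string    // SHA-256 of that exact text (keep the text itself in version control)
	Context        string    // where the form was, e.g. "checkout" or "blog-footer"
	RequestedAt    time.Time // form submission
	ConfirmedAt    time.Time // zero until the verification link is clicked
	Token          string    // single-use token carried by the verification email
}

// ConsentStore is an in-memory stand-in for the database table (constructed for this example).
type ConsentStore struct {
	byToken map[string]*ConsentRecord
	byEmail map[string][]*ConsentRecord
	now     func() time.Time // injectable clock so link expiry can be tested
}

var (
	ErrPrechecked   = errors.New("consent checkbox must not be pre-checked")
	ErrUnknownToken = errors.New("unknown or already used verification token")
	ErrTokenExpired = errors.New("verification link has expired")
)

const verifyTTL = 48 * time.Hour // assumed validity window for the verification link

func NewConsentStore(now func() time.Time) *ConsentStore {
	return &ConsentStore{byToken: map[string]*ConsentRecord{}, byEmail: map[string][]*ConsentRecord{}, now: now}
}

// RecordOptIn runs on form submission. A pre-checked box is refused outright;
// otherwise everything needed to show later what the person agreed to is recorded.
func (s *ConsentStore) RecordOptIn(email, purpose, wordingVersion, wordingText, context string, prechecked bool) (*ConsentRecord, error) {
	if prechecked {
		return nil, ErrPrechecked
	}
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(wordingText))
	rec := &ConsentRecord{
		Email: email, Purpose: purpose, WordingVersion: wordingVersion,
		WordingHash: hex.EncodeToString(sum[:]), Context: context,
		RequestedAt: s.now(), Token: hex.EncodeToString(tok),
	}
	s.byToken[rec.Token] = rec
	s.byEmail[email] = append(s.byEmail[email], rec)
	return rec, nil
}

// Confirm runs when the link in the (advert-free) verification email is clicked.
// The token is single use and time limited; an expired token is consumed but not honoured.
func (s *ConsentStore) Confirm(token string) (*ConsentRecord, error) {
	rec, ok := s.byToken[token]
	if !ok {
		return nil, ErrUnknownToken
	}
	delete(s.byToken, token)
	if s.now().Sub(rec.RequestedAt) > verifyTTL {
		return nil, ErrTokenExpired
	}
	rec.ConfirmedAt = s.now()
	return rec, nil
}

// HasConsent is the check the mailer runs before sending: only confirmed
// consent for this specific purpose counts, never "consent for something".
func (s *ConsentStore) HasConsent(email, purpose string) bool {
	for _, r := range s.byEmail[email] {
		if r.Purpose == purpose && !r.ConfirmedAt.IsZero() {
			return true
		}
	}
	return false
}

func main() {
	s := NewConsentStore(time.Now)
	wording := "Yes, email me the weekly offers. You can unsubscribe with one click at any time."
	rec, err := s.RecordOptIn("alice@example.com", "weekly-offers", "v3", wording, "checkout", false)
	if err != nil {
		panic(err)
	}
	fmt.Println("before confirmation:", s.HasConsent("alice@example.com", "weekly-offers"))
	if _, err := s.Confirm(rec.Token); err != nil {
		panic(err)
	}
	fmt.Println("after confirmation:", s.HasConsent("alice@example.com", "weekly-offers"))
}
```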
This regulation is aimed at stopping the hidden checkbox, or the hidden clause in a ToS.
All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.
Things like proper confirmed opt-in help.
All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.
It appears that you also need to have been all of those things, as far back as you've been collecting personal data, even if no such requirements existed at the time. Organisations might not be in that position even if they followed accepted good practices when signing people up to their lists, so the GDPR may have unintended consequences here.
That requirement has existed in the EU since 1995.
Please stop spreading misinformation. Things are changing with the GDPR.
In particular, the consent requirements are significantly stronger under GDPR than under either the 1995 directive itself (95/46/EC) or the implementations of that directive in various member states.
Organisations that followed reasonable and honest practices at the time of collecting personal data, for example when setting up a mailing list, could still find themselves out of compliance under the new rules.
It has only changed for people who were playing stupid games with what consent means, like interpreting scrolling past an already checked checkbox as consent when it was clearly nothing of the sort. If you were being clear and direct with users about what they were signing up for, then you have nothing to fear from GDPR. I don't have any sympathy for business who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
> I don't have any sympathy for business who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
Neither do I. It's the organisations who were complying with the letter of the law, the spirit of the law, and generally accepted good practices at the time and still won't be compliant under GDPR that I'm worried about.
As a concrete example, every single charity that I support regularly has written to me at some point over the past few months, in order to get the kind of explicit consent they apparently believe they need to continue communicating with their supporters exactly as they have been for years before.
Now, there are really only two possibilities here. One is that all of those charities have this wrong, despite their resources and surely having taken professional legal advice on their particular situations. The other is that the usual HN suspects who maintain that the GDPR isn't a big deal and doesn't change much in practice are underestimating the concerns the GDPR raises for these legitimate organisations wanting to send legitimate communications to people who have previously been happy to receive them.
Since those exercises mean my donations are being wasted on red tape instead of their intended purposes like literally helping to cure cancer, I think it's fair that I have a problem with that.
You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally. If they had been following the spirit of the law instead of just what they could get away with, then they would have gotten affirmative consent previously. They are not immune from committing bad marketing behavior just because they are charities.
> You're leaving out the possibility that the charities, like most other marketers, didn't bother to get affirmative consent originally.
But equally, you're leaving out the possibility that charities really were clear and honest about what they would like to send and really did provide a genuine choice, yet would fall foul of one of the technical requirements under GDPR that wasn't in force at the time. This is probably the case for most if not all of the charities I support myself, so absent evidence to the contrary I have to assume it was widespread practice.
People keep talking about the "spirit of the law", but there's a danger that this becomes a euphemism for "what I wish the law had said, even though it didn't". Usually when people contrast the spirit of the law with the letter of the law, they are making a point about avoiding the obvious purpose of legislation by relying on legal technicalities or subtle implications that most people wouldn't pick up.
In this sort of case, I don't see how it's against even the spirit of previous data protection law if a charity clearly and honestly stated that it would like to send information to donors about how their money was being used, which probably many donors would indeed like to receive, but for example they checked the box by default. There was an explicit provision for businesses to send marketing mail to previous customers or prospects without requiring consent at all, as long as it related to products or services similar to what the recipient had been interested in before and as long as some reasonable requirements about opting out were met, so clearly this isn't some absurd idea just dreamed up by charity fundraisers.
Checking the box by default is a dark pattern designed explicitly to trick people into signing up without realizing it. People who did that knew what they were doing. I don't have any sympathy that they now have to go back and ask for real consent.
> Checking the box by default is a dark pattern designed explicitly to trick people into signing up without realizing it.
There was no trickery involved. Not even slightly, not in even one case where I was choosing to be a supporter. The indications of what would or wouldn't be sent were invariably perfectly clear, and the only things that ever have been sent were in line with what was stated.
Again, "dark pattern" is too often used as a euphemism for "something I don't like". If you have a genuine option that is clearly shown, that's not a dark pattern. And if most of the people filling in the form are going to choose to turn on that option, I fail to see how having it turned on as the default is unreasonable either.
We're not talking about something presented deceptively in the middle of a long and complicated page full of other options to add some unwanted but chargeable extra on your holiday booking here. We're talking about charities doing important work wanting to show their supporters that the money they're donating is making a difference, and showing an immediately clear and readily understood option that is part of a short, simple form for supporters to fill in. They did ask for real consent. You just don't like how they did it, and I'm not sure why your personal opinion should outweigh widely established practice that was doing no real harm.
It is well established that checking the box by default results in much, much higher conversion rates than leaving it unchecked. That clearly indicates that people are not really making a decision to consent when they leave it checked. That is exactly why the practice was disallowed by GDPR.
Maybe so, but that was still standard practice. If there was nothing deceptive or misleading about how the choice was presented, and if it genuinely was a choice that someone could easily turn off if that was their preference, I think it's quite a stretch to attach labels like "dark pattern" or claim that organisations weren't "following the spirit of the law".
There are going to be organisations wasting time and money on reconfirmation exercises for mailing lists they've been building up for a long time because despite using double opt-ins, only sending relevant messages to people who genuinely want to receive them, and providing readily accessible options to opt out again, they didn't record exactly what the wording said on their web site on 13 April 2008 when someone signed up to that list.
Clearly the GDPR sets out different requirements now, but my original comment stands: things are changing, and this is going to introduce significant burdens even on a lot of organisations that were following reasonable and honest practices when they collected personal data before.
It's interesting that you mention charities, because as we know in the UK many of them were breaking the law and there has been considerable regulatory action to bring them back into compliance with the existing PECR and DPA.
The fact that they're all contacting people saying "We need to re-gain permission under GDPR" just means that a bunch of organisations were, and still are, clueless about data protection. This, combined with the lack of fines, should be somewhat reassuring to the GDPR sceptics. The laws are widely broken; the regulator hasn't been seeking fines; this is unlikely to change in future under GDPR.
I had a different impression from the charity contacts I have, but let's assume you're right for this discussion. Doesn't that mean the only practical effect of the GDPR on these organisations is that instead of funding research to help people who had a stroke or providing water to villages in Africa or whatever other desirable work they would normally be supporting, they're spending time and money on legal technicalities that aren't going to make any meaningful difference to anyone? I still don't see how that's a good thing.
As someone supporting these charities and whose personal data is being used to send the updates on what they're doing, I (and others in a similar position) am the person who is supposedly being exploited undesirably and in need of protection here. And yet, as I wrote before, I was quite clear about what I was expecting to happen when I filled in each form, and none of the charities I deal with regularly has ever done anything I would consider abusive or beyond what I knowingly agreed to. I really would prefer it if they didn't have to waste their resources on this and instead spent them on whatever good work they would normally do, but since every single one of them has contacted me anyway, I have to assume that something about the GDPR-related changes is preventing that from happening.
Totally speculating, but "documented proof" seems to indicate that they would be satisfied by some sort of document? A screenshot would probably help? "Here is the screen where the user agreed to this" seems like it would be somewhat convincing. (If it's a screenshot then it will survive UI redesigns.)
Of course, from a security standpoint where the attacker is assumed to be totally untrustworthy, this is all nonsense since it would be trivial to fake. It does require a certain amount of trust that the company that will not stoop to faking documents.
I guess you could continue the charade by putting timestamped screenshots on a blockchain :-)
As someone who's tinkering on an app to send marketing email, I constantly struggle with the field. On one hand, I really think it helps small/niche businesses survive, which I think is critically important nowadays. On the other, nobody thinks their shit stinks, and man does it stink.
I'm curious--what emails do you actually appreciate getting? Would you subscribe to marketing email with restraints? (e.g. only email me when items in my size are on sale). If you could change how email marketing works, how would you do it?
I only appreciate emails with special offers for complements to products and services I'm already using.
And whenever I receive marketing emails that I never subscribed to, I flag them directly as spam, although sometimes I ask the sender, just for fun, for the source of my address. They rarely reply :-)
I keep my Inbox clean because otherwise I’m missing important messages. If it’s not important, it doesn’t belong in my Inbox. If I don’t know the sender and it tries to sell me something, it’s spam. If I don’t remember subscribing, it’s spam.
Unclear regulation? I am encountering this over and over again. Let's clear up the unclarity...
If you have my data, you will handle it in the same manner as you would handle yours. You are not selling yours to get higher prices when buying something online? You are not selling your email account to spammers to get a lot of worthless emails in your email account each day? ... Now you won't do it with my data either. It is so simple, you don't need any clarification. No special law or directive, no studying of GDPR... it just works. Oh, you want me to receive unsolicited emails for your profit? You want me to get tracked? ... I will personally take care that you get punished and/or sue you personally.
What is so complicated here? Act in the best interest of your customers regarding their personal data, and you are safe over the whole EU. I don't understand what the problem is unless you are NOT ACTING IN THEIR BEST INTEREST; then it becomes vague (you need a way to circumvent GDPR, but you can't, as it is not an IRS list but a conceptual law). Anyone having a problem with GDPR already knows the answer that solves the "problem", but wants to continue his habits.
Just state your problem and I will answer you with advice on where you won't get punished for breaking GDPR; just ask. But you won't, right? You know the answer, but you need a way to avoid it. Won't work.
I fully agree with you, but there are many technical services/platforms that assume things that are not compatible with that thinking. Those will have to change, but they are still not up to speed.
Let me preface my question with the statement that I mostly love the GDPR, and I think it greatly improves privacy and digital rights, and I will exercise some of those rights come May 25th against companies that I feel have needlessly collected data on me.
That said, I (as a data controller) think that in many cases the guidelines are very weak or undefined on subjects like logs or backups. I (as a private individual) think that any deletion request should automatically apply to logs and backups, but I (as a data controller and...) as an operator of a service also see it as a problem to have backups be mutable and have large swaths of data need to be deleted from backups and logs.
Is there any way to reconcile these ideas?
Sorry for the late reply. For old data, the easiest way is to burn the tapes and make new backups. Now about new backups: here it becomes nasty, as typically they aren't organized granularly enough (but you also need this for exporting the data on user request, so you just need to do it). Instead of backing up the whole databases, back up each user's data separately, maybe with database partitioning, table inheritance (Postgres) or something else; hard to be specific here. Once you've done that, back up the data by encrypting it with a random key (long enough; we are using 32 bytes of random garbage) for each user, while storing those keys on simply modifiable storage, cloud, whatever, in triplets. Once the user requests data deletion, just destroy the key. We did it this way and it is a great solution (and we DID burn the tapes, literally; luckily we have had business data separated physically from everything else from the start).
Logs are destroyed each week and the customer will be notified. Also, we anonymize IPs and reverse lookups by hashing them, while we can still identify the same visitor.
I hope I was helpful :)
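The per-user key scheme described in that reply, as an added example (not the commenter's code): each user's backup slice is encrypted under its own random 32-byte key with AES-256-GCM, the keys live in a separate store from the backup media, and a deletion request destroys the key, so every tape copy of that user's data becomes unreadable without touching the media. The key store, user ids and sample records are assumptions constructed for the example; the user id is also bound into the ciphertext as associated data so a blob cannot be relabelled as someone else's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds one random 32-byte key per user, kept apart from the backup
// media (in production: a small replicated database or KMS, never the tape itself).
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// KeyFor returns the user's key, generating a fresh one on first use
// (or after a shred, which leaves earlier backups permanently unreadable).
func (ks *KeyStore) KeyFor(userID string) ([]byte, error) {
	if k, ok := ks.keys[userID]; ok {
		return k, nil
	}
	k := make([]byte, 32) // AES-256 key from the OS CSPRNG
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[userID] = k
	return k, nil
}

// Shred is the deletion request: wipe and drop the key. Every backup copy of
// this user's data, on every tape, is now ciphertext nobody can open.
func (ks *KeyStore) Shred(userID string) {
	if k, ok := ks.keys[userID]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, userID)
	}
}

// BackupEntry is one user's slice of a backup set: nonce plus GCM ciphertext (tag appended).
type BackupEntry struct {
	UserID string
	Nonce  []byte
	Data   []byte
}

var ErrKeyDestroyed = errors.New("key destroyed: user data is unrecoverable by design")

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup encrypts one user's exported data under that user's own key.
func Backup(ks *KeyStore, userID string, plaintext []byte) (BackupEntry, error) {
	key, err := ks.KeyFor(userID)
	if err != nil {
		return BackupEntry{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return BackupEntry{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce per entry
	if _, err := rand.Read(nonce); err != nil {
		return BackupEntry{}, err
	}
	// The user id is authenticated as associated data, binding the blob to its owner.
	ct := aead.Seal(nil, nonce, plaintext, []byte(userID))
	return BackupEntry{UserID: userID, Nonce: nonce, Data: ct}, nil
}

// Restore decrypts an entry. It looks the key up directly (never via KeyFor,
// which would silently mint a new one) so a shredded user fails cleanly.
func Restore(ks *KeyStore, e BackupEntry) ([]byte, error) {
	key, ok := ks.keys[e.UserID]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.Data, []byte(e.UserID))
}

func main() {
	ks := NewKeyStore()
	entry, _ := Backup(ks, "alice", []byte("alice: 2 orders, address on file")) // constructed sample record
	pt, _ := Restore(ks, entry)
	fmt.Println("before shred:", string(pt))
	ks.Shred("alice")
	_, err := Restore(ks, entry)
	fmt.Println("after shred:", err)
}
```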
If you're really destroying your logs each week you're not meeting a lot of regulatory requirements, such as PCI if you accept credit cards.
Most security-oriented regulations, and indeed so-called "best practice", require keeping logs for security auditing purposes for at least a year if not longer. They're often the only tool you have to detect when and how a breach began.
I hope this stops Sparkpost. Most of the spam I receive is traceable back to them. Sure, I forward it to abuse@ and a few times I received an open-ticket receipt. They followed up a few times, then completely ignored my further requests for info or status updates. These days I don't even receive a new ticket or any kind of confirmation. I started forwarding those to the FBI and FCC, but I'm sure they're too busy.
It seems that Yahoo really loves Sparkpost spam, which goes straight to my mailbox even when the sender domain is non-existent, not to mention any DKIM or SPF records; Gmail is much better at catching those.
This is my experience for the last 2 years.
As someone who doesn't deal with Europe much... CASL here in Canada seems to have similar rules. Would following CASL automatically mean it follows GDPR?
The UK has had data protection laws for years, people aren't scared of GDPR because it finally provides laws, they're scared because they actually look enforceable.
I think people are scared because legislation is unclear.
People are scared because of the $4M fine for an offense.
This is a frustrating article.
The regulation in GDPR is not new! It's a refinement of long existing law (in England this is the DPA, and PECR).
If it's illegal under GDPR it was probably already illegal under PECR.
All this stuff about "ZOMG we need informed consent before we send email"? You already need that.
This is going to be fun when election times come in Europe. Here we get a lot of unsolicited email from candidate MPs, and I'm certain most of them bought/found the addresses from dubious/illegal sources.
The Canadian anti-spam legislation goes so far as to have a specific carve-out for political emails that solicit money [1]. I joined each of the big 3 parties during their leadership campaigns and they all have a practice of ignoring unsubscribe requests, and passing your email address around internally or signing you up to new lists. It’s pretty gross.
Isn't the simple way to get around GDPR to send the email marketing from a foreign email company (in a non-GDPR jurisdiction) asking if you are interested in being referred to a type of product or service?
The VERIFIED OPT-IN part opens up a beautiful opportunity to destroy your competitor for $5.
1. Open DigitalOcean hosting for $5. With a prepaid card they will let you do it; however, port 25 will be blocked.
2. You don't need port 25 anyway. Download a few lists of emails from online search and set up php_curl every 30 seconds to your competitor's landing page subscription ajax call.
3. Wait a few months for them to be slammed with $4MM fines, as they will be unable to prove how they got that traffic in the first place :)