There is a whole swathe of companies that is somewhere between casual and negligent with email addresses, and it would be my distinct pleasure to have a stick like GDPR to beat them with.
So everyone will get at least some benefit. But ya, it'd be great if other governments took this as seriously.
* Nigerian scam type spam
* ads/commercial spam
The first is already illegal, and yes, it's difficult to fight and comes from first world jurisdictions.
But the second is operated by well known companies, most of the time through well known service providers (Salesforce, Adobe...). And these companies do put a lot of personal information in their databases (what did you buy, did you click on a specific link, did you open a specific email, etc).
But the government probably wouldn't like that very much.
Laws like this are broad and overreaching, but they are rarely enforced.
I happily reference the FTC documentation of this act whenever I see spam coming in after having unsubscribed. Funny, I can’t seem to recall any instance where the spam then continued...
> We've added new features to Azure! Read this advertisement!
> ...
> This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy.
> [Lack of unsubscribe intensifies]
I have spent the last 6 months documenting all of our company's processes that handle customer interaction and data (which is basically all our processes), created flowcharts of how data moves between us, third-party providers and customers, as well as creating a document for each of these flowcharts that pinpoints exactly how we are complying with GDPR for every sub-process.
If for nothing else, we now have a total overview of what we do and how we do it - in an easily shareable collection of visualisations and documentation.
There were still a few processes that I could simplify and automate.
Does anyone have any idea how to actually do that? How do I prove that a given user actively checked a box?
a) been willfully unclear about what it means to subscribe to a list
b) changed what our mailings are like over time.
We can stop doing (a), with effort, but I don't see how (b) will ever go away. So this is going to be continuous, active effort with subscribers. I would like to think that very easy, reliable, one-click unsubscribe will be sufficient.
In reality, I doubt there will be a practical difference to how it has been handled in the past here in Germany, where a similar law has long been in practice.
That means: your sign-up page needs a checkbox that cannot be pre-checked and that clearly states that it's an opt-in to receive these mails. This needs to be separate from any acceptance of ToS or anything else that is necessary for the transaction in question.
To verify the form submitter's identity, send a verification to their e-mail address (if you haven't already). Make sure the verification email does not already contain any advertisement itself.
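As an added example (not code from any poster in the thread) of the separate-checkbox, double opt-in flow above and of the earlier question of how to prove a user actually ticked the box: a server-side consent record that stores the versioned consent wording, timestamp and source, plus an HMAC-bound confirmation token for the verification e-mail. The secret key, the form field names and the in-memory record are assumptions.

```python
"""Consent record + double opt-in confirmation token (added example)."""
import hashlib
import hmac
import time

# Placeholder: in production this lives in a secrets store, not in source.
SECRET_KEY = b"replace-with-a-server-side-secret"

# The exact wording shown beside the checkbox is versioned by hash, so the
# record proves *what* the subscriber agreed to, not only that they clicked.
CONSENT_TEXT = ("Yes, send me the weekly product newsletter. "
                "You can unsubscribe at any time.")
CONSENT_TEXT_ID = hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()[:16]


def _token(email, signup_time):
    """HMAC over email|timestamp: only the server can mint a valid token."""
    msg = f"{email}|{signup_time}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def record_signup(email, form, source_ip, now=None):
    """Create a pending consent record from a submitted form.

    `form` is assumed to be the parsed POST body with checkbox values
    normalised to bools. The newsletter box must be explicitly ticked;
    the ToS checkbox is never accepted as a substitute.
    """
    if form.get("newsletter") is not True:
        raise ValueError("newsletter opt-in not ticked")
    signup_time = int(now if now is not None else time.time())
    return {
        "email": email,
        "consent_text_id": CONSENT_TEXT_ID,  # which wording they saw
        "signup_time": signup_time,
        "signup_ip": source_ip,
        "confirmed_time": None,              # set by confirm()
        "token": _token(email, signup_time), # goes into the verify link
    }


def confirm(rec, presented_token, now=None):
    """Mark the record confirmed if the link's token is valid for it."""
    expected = _token(rec["email"], rec["signup_time"])
    if not hmac.compare_digest(expected, presented_token):
        return False
    rec["confirmed_time"] = int(now if now is not None else time.time())
    return True


def is_consented(rec):
    """Only a confirmed record counts as evidence of consent."""
    return rec["confirmed_time"] is not None
```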
Even if you've been building up your mailing list for years, following generally accepted good practices, and only signing up genuinely interested recipients, it seems you could now be in a position where either:
(a) when you signed people up, you provided sufficient information about what you would be sending to them and you can still produce evidence of that today;
(b) you need to contact everyone on your list to obtain explicit, specific consent for whatever you actually send to your list; or
(c) you have to remove anyone who isn't covered by (a) or (b) above (or delete your whole list).
As with so much about the GDPR, what will be accepted as reasonable evidence of informed consent for earlier subscribers to a mailing list is ambiguous, and the consequences of either doing too much or not doing enough are undesirable.
Like T&Cs, everybody knows that most people don't read them. Nobody's going to start quizzing their users, so what's a reasonable compromise? Forcing the user to at least scroll through some (or all) of it before agreeing. You make it clear that the intention is for you to read it, and that you're agreeing to something you should have read.
Obviously make sure to otherwise comply with the GDPR as you do this.
All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.
Things like proper confirmed opt-in help.
It appears that you also need to have been all of those things, as far back as you've been collecting personal data, even if no such requirements existed at the time. Organisations might not be in that position even if they followed accepted good practices when signing people up to their lists, so the GDPR may have unintended consequences here.
Of course, from a security standpoint where the attacker is assumed to be totally untrustworthy, this is all nonsense since it would be trivial to fake. It does require a certain amount of trust that the company will not stoop to faking documents.
I guess you could continue the charade by putting timestamped screenshots on a blockchain :-)
I'm curious--what emails do you actually appreciate getting? Would you subscribe to marketing email with restraints? (e.g. only email me when items in my size are on sale). If you could change how email marketing works, how would you do it?
And whenever I receive marketing emails that I never subscribed to, I flag them directly as spam, although sometimes I ask the sender, just for fun, the source of my address. They rarely reply :-)
I keep my Inbox clean because otherwise I’m missing important messages. If it’s not important, it doesn’t belong in my Inbox. If I don’t know the sender and it tries to sell me something, it’s spam. If I don’t remember subscribing, it’s spam.
If you have my data, you will handle it in the same manner as you would handle yours. You are not selling yours to get higher prices when buying something online? You are not selling your email account to spammers to get a lot of worthless emails to your email account each day? ... Now you won't do it with my data either. It is so simple, you don't need any clarification. No special law or directive, no studying of GDPR... it just works. Oh, you want me to receive unsolicited emails for your profit? You want me to get tracked? ... I will personally take care that you get a punishment and/or sue you personally.
What is so complicated here? Act in the best interest of your customers regarding their personal data, and you are safe across the whole EU. I don't understand what the problem is unless you are NOT ACTING IN THEIR BEST INTEREST; then it becomes vague (you need a way to circumvent GDPR, but you can't, as it is not an IRS list but a conceptual law). Anyone having a problem with GDPR already knows the answer that solves the "problem", but wants to continue their habits.
Just state your problem and I will answer you with advice on where you won't get punished for breaking GDPR, just ask. But you won't, right? You know the answer, but you need a way to avoid it. Won't work.
Let me preface my question with the statement that I mostly love the GDPR, and I think it greatly improves privacy and digital rights, and I will exercise some of those rights come May 25th against companies that I feel have needlessly collected data on me.
That said, I (as a data controller) think that in many cases the guidelines are very weak or undefined on subjects like logs or backups. I (as a private individual) think that any deletion request should automatically apply to logs and backups, but I (as a data controller and...) as an operator of a service also see it as a problem to have backups be mutable and to have large swaths of data need to be deleted from backups and logs.
Is there any way to reconcile these ideas?
Logs are destroyed each week and the customer will be notified. Also, we anonymize IPs and reverse lookups by hashing them, while we can still identify the same visitor.
I hope I was helpful :)
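An added example (not the poster's code) of a keyed approach to hashing IPs and reverse-lookup hostnames: an unkeyed hash of an IPv4 address can be reversed by enumerating all 2^32 values, so a secret key is used and rotated on the same weekly cycle as the log retention, which keeps the same visitor recognisable within a week while old pseudonyms become unlinkable once that week's key is discarded. Keys are held in memory here; a real deployment would keep them in a secrets store (assumption).

```python
"""Keyed, weekly-rotated pseudonymisation of IPs and hostnames (added example)."""
import hashlib
import hmac
import ipaddress
import secrets
import time

WEEK = 7 * 24 * 3600  # matches the weekly log destruction in the post


class Pseudonymiser:
    def __init__(self, clock=time.time):
        self._keys = {}       # week number -> 32-byte secret (in memory only)
        self._clock = clock

    def _key_for(self, ts):
        week = int(ts) // WEEK
        if week not in self._keys:
            self._keys[week] = secrets.token_bytes(32)
            # Earlier weeks' logs are destroyed, so drop their keys too:
            # nobody, including us, can then re-link or brute-force them.
            for old in [w for w in self._keys if w < week]:
                del self._keys[old]
        return self._keys[week]

    def pseudonym(self, value, ts=None):
        """Return a stable (within one week) pseudonym for an IP or hostname."""
        ts = self._clock() if ts is None else ts
        try:
            # Normalised binary form, so "2001:db8::1" and its long spelling
            # (or IPv4-mapped variants) produce the same pseudonym.
            data = ipaddress.ip_address(value.strip()).packed
        except ValueError:
            # Not an IP: treat as a reverse-lookup hostname, case-folded.
            data = value.strip().lower().rstrip(".").encode()
        mac = hmac.new(self._key_for(ts), data, hashlib.sha256)
        return mac.hexdigest()[:24]   # 96 bits is plenty for log correlation
```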
It seems that Yahoo really loves Sparkpost spam that goes straight to my mailbox even when the sender domain is non-existent, not to mention any DKIM or SPF records; Gmail is much better at catching those.
This is my experience for the last 2 years.
The regulation in GDPR is not new! It's a refinement of long existing law (in England this is the DPA, and PECR).
If it's illegal under GDPR it was probably already illegal under PECR.
All this stuff about "ZOMG we need informed consent before we send email"? You already need that.
1. Open DigitalOcean hosting for $5. With a prepaid card they will let you do it; however, port 25 will be blocked.
2. You don't need port 25 anyway. Download a few lists of emails from an online search and set up php_curl every 30 seconds to your competitor's landing page subscription ajax call.
3. Wait a few months for them to be slammed with $4MM fines, as they will be unable to prove how they got that traffic in the first place :)