This is legal[1] in Europe if you consented to receive marketing emails from "partners" of a website you subscribed to (through an opt-in, not an opt-out checkbox). You subscribe to website X, you opt-in to offers from third-parties, and this allows X to share your e-mail address with Criteo. Then Criteo sends you marketing e-mails for the account of Sears (but they surely don't share any PII with Sears - the e-mail is sent by Criteo). The logic isn't that "browsing Sears is considered as having a preexisting business relationship with them". It's because users opted-in to third-party communications from a website they may have signed up with, back in 2008.

Other similar use cases include sending you an e-mail for website X when you browse website Y because they know you are in front of a computer/phone and this increases chances of opening e-mails. Doesn't make it more or less "right" though and it's surely very surprising for users, myself included.

(On a tangent, what still looks like a legal gray area to me are the Data Management Platforms (DMP) - everyone shares user data in a big bucket/database provided by a common partner, all users are identified with IDs but not directly with PII, how much data can companies push/pull legally?)

[1] Not a lawyer but worked with legal teams on these topics. Laws still differ slightly depending on the European country you're talking about, but the GDPR will soon be unifying data privacy regulations. Right now the French and German Data Privacy regulations are some of the most restrictive ones.

I'd much rather lawyers just kept off the internet entirely.