As somebody who has hated spam for years, I can only wish that I were in the EU.
There is a whole swathe of companies that is somewhere between casual and negligent with email addresses, and it would be my distinct pleasure to have a stick like GDPR to beat them with.
The good news is there's going to be at least some echo effect here. I work for a US based company, although the vast majority of our users are in Asia. We're implementing GDPR for everyone. It won't affect the companies that exist solely to spam you much, but for most companies the technical issues of ONLY implementing this in the EU are simply too great.
So everyone will get at least some benefit. But ya, it'd be great if other governments took this as seriously.
I feel like it's also the case for many companies that they'd like to implement GDPR-like tools for users, but as long as no one is paying them to do so it's a waste of time. GDPR is a nice excuse to build that functionality and roll it out to all your users.
Spammers don’t tend to operate from first-world jurisdictions. (When they do, CAN-SPAM is decent about requiring working unsubscribe buttons). Spam is not a problem you can solve with regulation.
Sure, I don’t expect to stop receiving invitations to enlarge my genitals in my spam folder because of GDPR, but I’ll be happy enough if it discourages dodgy online shops and growth-hacky startups from automatically signing me up to their mailing list because I made a one-off transaction and “consented” to receive their special offers for all eternity on page 25 of their terms and conditions.
Oh, I wouldn't expect it to solve the spam problem. But as I said, there are a lot of US-based companies that are at best sloppy with address management. Those are also the ones most likely to make it past my existing filters, because they are semi-legitimate. Being able to turn up the heat on them would be a pleasure.
Mostly true, but I would say that - while regulation certainly shouldn't be the primary tool used to fight spam, it can help discourage bad behavior within a jurisdiction, and can reduce spam load a bit. Mostly by secondary effects (e.g., an email service provider says to their customers, "here's the legal standard, we need you to adhere to this").
No, that annoys me the most, that I have to go and click the unsubscribe button and wait for the page to load and then click another button. They should have not sent me the email in the first place.
Most of the promotional email I get is from local businesses operating in my own town. And each time I unsubscribe it feels like my email gets handed over to the next mailing list of a similar business. Recurring topics are "art galleries" and "event venues". I'm pretty sure GDPR can help with that. And, also, possibly related to GDPR: I already got a couple of emails asking me to confirm I want to continue receiving emails. Chances are this is related to building the verified opt-in list this article mentions.
The first is already illegal, and yes, it's difficult to fight and comes from first world jurisdictions.
But the second is operated by well known companies, most of the time through well known service providers (Salesforce, Adobe...). And these companies do put a lot of personal information in their databases (what did you buy, did you click on a specific link, did you open a specific email, etc).
GDPR has much higher punishments for breaking it than previous EU privacy laws. Many companies are taking the legislation seriously due to this. I expect GDPR to be actually useful in moving the line for privacy.
For these kinds of violations, fines can be "up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher".
That's why people only start caring now, at the very last minute. There's a difference between a law on paper, and a law with attached consequences, so I still expect meaningful change after May 25th.
Which authority specifically? My experience is with two Portuguese regulators (one for Data Protection, the other for Telecommunications). The first was pretty good, the second required a bit of insistence to prevent them from closing the matter after the company sent a reply that said nothing, but both worked out with nothing more than a few emails.
The CAN-SPAM Act of 2003 is a fine stick, easy to handle, and packs an up to ~$40,000 punch for EACH violation.
I happily reference the FTC documentation of this act whenever I see spam coming in after having unsubscribed. Funny, I can’t seem to recall any instance where the spam then continued...
> We've added new features to Azure! Read this advertisement!
> ...
> This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy.
The three dots you omitted actually have this relevant text:
To customize what's included in this email, who gets it, or to unsubscribe, set your Message center preferences. If you are receiving this email because your Admin added you as a recipient, please contact your Admin to unsubscribe.
Microsoft respects your privacy. To learn more, please read our Privacy Statement.
> Note: As an Azure customer, you are receiving this email because we are required to notify you of product changes that may affect your subscription. This is the only communication that you will receive directly from Microsoft regarding these product changes.
> This message from Microsoft is an important part of a program, service, or product that you or your company purchased or participates in. Microsoft respects your privacy. Please read our Privacy Statement.
Speaking in the larger context, this stick you feel you've been given comes at a high price. Unfortunately, it's only a matter of time before the powers that be will fashion a stick with which to beat you, too.
I'm really curious whether or not this will have an effect and to what extent.
I have spent the last 6 months documenting all of our company's processes that handle customer interaction and data (which is basically all our processes), created flowcharts of how data moves between us, third-party providers and customers, as well as creating a document for each of these flowcharts that pinpoints exactly how we are complying with GDPR for every sub-process.
If for nothing else, we now have a total overview of what we do and how we do it - in an easily shareable collection of visualisations and documentation material.
> Part of this opt-in verification process must include clear documented proof that the person opted in with a full understanding of what they were signing up to.
Does anyone have any idea how to actually do that? How do I prove that a given user actively checked a box?
The hard part here is not recording the check on the box--any email service provider will handle that. The hard part is the "full understanding." Historically lots of us have
a) been willfully unclear about what it means to subscribe to a list
b) changed what our mailings are like over time.
We can stop doing (a), with effort, but I don't see how (b) will ever go away. So this is going to be continuous, active effort with subscribers. I would like to think that very easy, reliable, one-click unsubscribe will be sufficient.
The article uses "beyond reasonable doubt", which is obviously a misapplication of the legal term of art. This being civil law, not criminal, the 50:50 proof, i.e. "preponderance of the evidence", should suffice.
In reality, I doubt there will be a practical difference to how it has been handled in the past here in Germany, where similar law has long been practice.
That means: your sign-up page needs a checkbox, that cannot be pre-checked, and that clearly states that it's an opt-in to receive these mails. This needs to be separate from any acceptance of ToS or anything else that is necessary for the transaction in question.
To verify the form submitter's identity, send a verification to their e-mail address (if you haven't already). Make sure the verification email does not already contain any advertisement itself.
Would something like a verification email asking them to double verify answer that? They click the box, then they have to open an email and click a link also verifying it?
But is that sufficient under GDPR? Although a double opt-in has generally been considered good practice for a long time, it only demonstrates that a recipient has agreed to receive mail for some purpose, not for any specific purpose.
Even if you've been building up your mailing list for years, following generally accepted good practices, and only signing up genuinely interested recipients, it seems you could now be in a position where either:
(a) when you signed people up, you provided sufficient information about what you would be sending to them and you can still produce evidence of that today;
(b) you need to contact everyone on your list to obtain explicit, specific consent for whatever you actually send to your list; or
(c) you have to remove anyone who isn't covered by (a) or (b) above (or delete your whole list).
As with so much about the GDPR, what will be accepted as reasonable evidence of informed consent for earlier subscribers to a mailing list is ambiguous, and the consequences of either doing too much or not doing enough are undesirable.
You can't prove it, but you can persuade a reasonable person that they probably did. You could do this by showing them your processes, the UI as the user would see it, the code that ends up storing that in the database. Also, if your complaint rates are low, they will probably assume that the issue is not on your side.
Short of quizzing the user, you can't prove that they understood. But our lawyers and compliance officers seem to think it's enough to make it so that a decision not to understand is intentionally made by the user.
Like T&Cs, everybody knows that most people don't read them. Nobody's going to start quizzing their user, so what's a reasonable compromise? Forcing the user to at least scroll through some (or all) of it before agreeing. You make it clear that the intention is for you to read it, and that you're agreeing to something you should have read.
I would really like to see that challenged in a court. A company cannot reasonably expect their users to read and understand tens or hundreds of pages of T&C legalese. No one reads them. That's the fact.
Usually you'd save the user's opt-in time, and tie it back to their user account. You would need to make sure the opt-in clearly explains what it's for. You would also save the context of the opt-in - was it during account registration, when they visited a blog post, etc.
Obviously make sure to otherwise comply with the GDPR as you do this.
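The record described above (time, purpose, context) plus the double opt-in step discussed earlier in the thread, as an added example that is not code from any poster. Assumptions: the HMAC key is a constructed placeholder that would come from a secrets store, and the struct and function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"time"
)

// ConsentRecord is the evidence kept per subscriber: which exact wording they
// agreed to (by hash, so later edits to the text are detectable), in which
// context, and when each step happened. Field names are this example's own.
type ConsentRecord struct {
	Email       string
	PurposeHash string    // SHA-256 of the opt-in text shown next to the checkbox
	Context     string    // e.g. "checkout-form", "blog-sidebar"
	OptedInAt   time.Time // form submission (step one)
	ConfirmedAt time.Time // zero until the emailed link is clicked (step two)
}

// serverKey would come from a secrets store; a constructed placeholder here.
var serverKey = []byte("example-only-hmac-key-change-me")

// confirmToken binds the link to this address, this wording and this moment,
// so a click cannot be replayed against a different purpose statement.
func confirmToken(email, purposeHash string, optedInAt time.Time) string {
	mac := hmac.New(sha256.New, serverKey)
	fmt.Fprintf(mac, "%s|%s|%d", email, purposeHash, optedInAt.Unix())
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// OptIn records step one (the user ticked a box that was not pre-checked) and
// returns the token to embed in the verification link.
func OptIn(email, purposeText, context string, now time.Time) (ConsentRecord, string) {
	sum := sha256.Sum256([]byte(purposeText))
	rec := ConsentRecord{Email: email, PurposeHash: hex.EncodeToString(sum[:]),
		Context: context, OptedInAt: now}
	return rec, confirmToken(email, rec.PurposeHash, now)
}

// Confirm records step two (the link was clicked). Links older than maxAge are
// rejected, and a record can be confirmed only once.
func Confirm(rec *ConsentRecord, token string, now time.Time, maxAge time.Duration) error {
	if !rec.ConfirmedAt.IsZero() {
		return fmt.Errorf("already confirmed at %s", rec.ConfirmedAt)
	}
	if now.Sub(rec.OptedInAt) > maxAge {
		return fmt.Errorf("confirmation link expired")
	}
	want := confirmToken(rec.Email, rec.PurposeHash, rec.OptedInAt)
	if !hmac.Equal([]byte(want), []byte(token)) {
		return fmt.Errorf("invalid confirmation token")
	}
	rec.ConfirmedAt = now
	return nil
}
```

Storing the record with a zero ConfirmedAt and mailing only confirmed records means an address stuffed into the form by a third party never receives marketing and leaves an unconfirmed record as evidence.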
All you have to do to comply with it is be clear and direct when collecting personal data, and make a record of the permission granted.
It appears that you also need to have been all of those things, as far back as you've been collecting personal data, even if no such requirements existed at the time. Organisations might not be in that position even if they followed accepted good practices when signing people up to their lists, so the GDPR may have unintended consequences here.
Please stop spreading misinformation. Things are changing with the GDPR.
In particular, the consent requirements are significantly stronger under GDPR than under either the 1995 directive itself (95/46/EC) or the implementations of that directive in various member states.
Organisations that followed reasonable and honest practices at the time of collecting personal data, for example when setting up a mailing list, could still find themselves out of compliance under the new rules.
It has only changed for people who were playing stupid games with what consent means, like interpreting scrolling past an already checked checkbox as consent when it was clearly nothing of the sort. If you were being clear and direct with users about what they were signing up for, then you have nothing to fear from GDPR. I don't have any sympathy for business who were complying with the letter of the law while finding any excuse they could to subvert the spirit of the law.
Totally speculating, but "documented proof" seems to indicate that they would be satisfied by some sort of document? A screenshot would probably help? "Here is the screen where the user agreed to this" seems like it would be somewhat convincing. (If it's a screenshot then it will survive UI redesigns.)
Of course, from a security standpoint where the attacker is assumed to be totally untrustworthy, this is all nonsense since it would be trivial to fake. It does require a certain amount of trust that the company that will not stoop to faking documents.
I guess you could continue the charade by putting timestamped screenshots on a blockchain :-)
As someone who's tinkering on an app to send marketing email, I constantly struggle with the field. On one hand, I really think it helps small/niche businesses survive, which I think is critically important nowadays. On the other, nobody thinks their shit stinks, and man does it stink.
I'm curious--what emails do you actually appreciate getting? Would you subscribe to marketing email with restraints? (e.g. only email me when items in my size are on sale). If you could change how email marketing works, how would you do it?
I only appreciate emails with special offers for complementaries of products and services I’m already using.
And whenever I receive marketing emails that I never subscribed to, I flag them directly as spam, although sometimes I ask the sender, just for fun, the source of my address. They rarely reply :-)
I keep my Inbox clean because otherwise I’m missing important messages. If it’s not important, it doesn’t belong in my Inbox. If I don’t know the sender and it tries to sell me something, it’s spam. If I don’t remember subscribing, it’s spam.
Unclear regulation? I am encountering this over and over again. Let's clear up the unclarity...
If you have my data, you will handle it in the same manner as you would handle yours. You are not selling yours to get higher prices when buying something online? You are not selling your email account to spammers to get a lot of worthless emails to your email account each day? ... Now you won't do it with my data either. It is so simple, you don't need any clarification. No special law or directive, no studying of GDPR... it just works. Oh, you want me to receive unsolicited emails for your profit? You want me to get tracked? ... I will personally take care that you get a punishment and/or sue you personally.
What is so complicated here? Act in the best interest of your customers, regarding the personal data, and you are safe, over the whole EU. I don't understand what the problem is unless you are NOT ACTING IN THEIR BEST INTEREST, then it becomes vague (you need a way to circumvent GDPR, but you can't as it is not an IRS list but a conceptual law). Anyone having a problem with GDPR already knows the answer that solves the "problem". But wants to continue his habits.
Just state your problem and I will answer you with advice on where you won't get punished for breaking GDPR, just ask. But you won't, right? You know the answer, but you need a way to avoid it. Won't work.
I fully agree with you, but there are many technical services/platforms that assume things that are not compatible with that thinking. Those will have to change, but they are still not up to speed.
Let me preface my question with the statement that I mostly love the GDPR, and I think it greatly improves privacy and digital rights, and I will exercise some of those rights come May 25th against companies that I feel have needlessly collected data on me.
That said, I (as a data controller) think that in many cases the guidelines are very weak or undefined on subjects like logs or backups. I (as a private individual) think that any deletion request should automatically apply to logs and backups, but also I (as a data controller and...) as an operator of a service see it as a problem to have backups be mutable and have large swaths of data need to be deleted from backups and logs.
Sorry for the late reply. For old data, the easiest way is to burn the tapes and make new backups. Now about new backups, here it becomes nasty as typically they aren't organized granularly enough (but you also need this for exporting the data on user request, so you just need to do it). Instead of backing up the whole databases, back up each user's data separately, maybe database partitioning, table inheritance (postgres) or something else, hard to be specific here. Once you did that, back up the data by encrypting it with a random key (long enough, we are using 32 bytes of random garbage) for each user while storing those keys on simply modifiable storage, cloud, whatever, in triplets. Once the user requests data deletion, just destroy the key. We did it this way and it is a great solution (and we DID burn the tapes literally, luckily we have business data separated physically from everything else from the start).
Logs are destroyed each week and the customer will be notified. Also we anonymize IPs and reverse lookups by hashing them, while we still can identify the same visitor.
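The per-user key scheme from the reply above, as an added example that is not the poster's code: each user's backup is sealed with AES-256-GCM under a random 32-byte key held in a separate store, and a deletion request destroys only the key. Assumptions: an in-memory map stands in for the separately kept key storage, and all names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore stands in for the post's separately kept, easily modifiable key
// storage (cloud, in triplicate); here it is a plain in-memory map.
type KeyStore map[string][]byte
// Shred serves a deletion request: with the key gone, every backup blob for the user is unrecoverable.
func (ks KeyStore) Shred(userID string) { delete(ks, userID) }
// aeadFor builds AES-256-GCM over one user's key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// BackupUser encrypts one user's data under that user's own key, drawing a fresh
// random 32-byte key on first use; userID is bound as additional data.
func BackupUser(ks KeyStore, userID string, data []byte) ([]byte, error) {
	key, ok := ks[userID]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		ks[userID] = key
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // prepended to the blob for restore
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(userID)), nil
}

// RestoreUser fails once the key is shredded, even though the blob is intact.
func RestoreUser(ks KeyStore, userID string, blob []byte) ([]byte, error) {
	key, ok := ks[userID]
	if !ok {
		return nil, errors.New("no key for user: data has been shredded")
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(userID))
}
```

Because the backup media never change, the same scheme also serves the export-on-request case the poster mentions: restore one user's blob with that user's key and hand over the plaintext.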
If you’re really destroying your logs each week you’re not meeting a lot of regulatory requirements, such as PCI if you accept credit cards.
Most security-oriented regulations, and indeed so-called “best practice”, require keeping logs for security auditing purposes for at least a year if not longer. They’re often the only tool you have to detect when and how a breach began.
I hope this stops Sparkpost. Most of the spam I receive is traceable back to them. Sure, I forward it to abuse@ and a few times I received an open ticket receipt. They followed up a few times then completely ignored my further requests for info or status updates. These days I don't even receive a new ticket or any kind of confirmation. I started forwarding those to the FBI and FCC, but I'm sure they're too busy.
It seems that Yahoo really loves Sparkpost spam that goes straight to my mailbox even when the sender domain is non-existent, not to mention any DKIM or SPF records; Gmail is much better at catching those.
As someone who doesn't deal with Europe much... CASL here in Canada seems to have similar rules. Would following CASL automatically mean it follows GDPR?
The UK has had data protection laws for years, people aren't scared of GDPR because it finally provides laws, they're scared because they actually look enforceable.
This is going to be fun when election time comes in Europe. Here we get a lot of unsolicited email from candidate MPs, and I'm certain most of them bought/found the addresses from dubious/illegal sources.
The Canadian anti-spam legislation goes so far as to have a specific carve-out for political emails that solicit money [1]. I joined each of the big 3 parties during their leadership campaigns and they all have a practice of ignoring unsubscribe requests, and passing your email address around internally or signing you up to new lists. It’s pretty gross.
Isn't the simple way to get around GDPR to send the email marketing from a foreign email company (in a non-GDPR jurisdiction) asking if you are interested in being referred to a type of product or service?
The VERIFIED OPT-IN part opens up a beautiful opportunity to destroy your competitor for $5.
1. Open DigitalOcean hosting for $5. With a prepaid card they will let you do it, however port 25 will be blocked.
2. You don't need port 25 anyway. Download a few lists of emails from online search and set up php_curl every 30 seconds to your competitor's landing page subscription ajax call.
3. Wait a few months for them to be slammed with $4MM fines, as they will be unable to prove how they got that traffic in the first place :)