by justkez 1925 days ago
I recently purchased something from the official UK Nintendo Store [1]. I did not opt-in, and was not asked to opt-in, to marketing emails.

Several days after purchase I received a marketing email with an Unsubscribe link.

I submitted a GDPR enquiry and after a few weeks I get:

  Having investigated this matter fully, we can see that you were opted in as a result of a small technical difficulty which we are now fixing. We have taken action to set your marketing permissions to "no" as requested.

I think we're so far past the GDPR "start date" that there's an apathy to it from companies and they're pushing the limits again. How Nintendo can have such a formalised GDPR enquiry process but such sloppy controls is beyond me. I will formally complain to ICO (UK data regulator) but I doubt it'll effect much.

[1]: https://store.nintendo.co.uk/

7 comments

I have a different issue myself. Despite having opted-in to marketing e-mails I never have obtained a marketing e-mail from Nintendo since then. Nintendo's website shows that I have agreed to "receive promotional e-mails". At one point I did in fact unsubscribe, but later I resubscribed. I think that there is a bug that sometimes causes the promotional e-mail setting to not be updated in the newsletter database (maybe the server was down when I tried to change the setting, and the Nintendo Account website quietly ignored the error).

Main bulk mailing companies (iContact, Sendgrid) will make a blocklist for you of anyone who has unsubscribed - and if you're not careful about it once on you'll NEVER get off - and it prevents sending to those addresses even if you later re-add them to your list.

I complained about tv2.dk (I used to be a customer) sending me an e-mail after I deleted my user and told them not to send me e-mail. This was a really bad experience where their support attempted to make me log in to the site which I refused to do since I removed my user previously.

Then I sent them a GDPR request to remove all my info and complained to the Danish Data Protection Agency.

I stopped receiving e-mail but got nowhere with my complaint. The agency wrote me that they didn't want to pursue this. Based on this .. I don't think that anyone is taking GDPR seriously and no one is trying to defend the small people (me!).

Sad, I get that it might be too small a case to actually deal with, but most cases will be. Only in aggregate will complaints such as yours ever get anywhere.

On a positive note, I have noticed that deleting accounts has become much easier after the introduction of the GDPR, and more and more I see tracking opt-in/out forms where opt-out is just as easy as opt-in. So something is working.

This is actually a really good idea. A Trust Pilot type of site which is owned by a non profit or some such with no monetary interest in contrast to TP where GDPR issues toward companies can be created, shared on social media and executed automatically when a number of people agreed to complain about the same issue.

I agree, had similar experience. Idk why this is downvoted.

This is absolutely /rife/ in my experience.

Having seen how other companies make the sausage, I can take a guess.

To Nintendo, marketing is not a "core" business function, so when the company was sorting out GDPR, no one invited them to the room and they didn't ask to be invited. When companies think about "what data do I have" they tend to get tunnel vision to their main business operations. I bet Nintendo has robust processes for their online gaming services. No one ever seems to think about the twenty dozen Google Analytics accounts they're all running, and a good fraction of them don't even think about their CRM systems.

In the UK, there's another law called the PECR in place that may supersede the GDPR in this case.

I've had multiple merchants get back to me after such a complaint claiming that under the PECR they're allowed to send further marketing solicitations following a purchase.

I haven't pushed it further so no idea if this is actually legal or if the GDPR supersedes it.

The Privacy and Electronic Communications Regulations (PECR)[1] do not supersede GDPR as such, they sit alongside it.

Section 22 is the relevant section they are hoping to rely on, specifically section 22(3) which allows them to:

----------

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b) the direct marketing is in respect of that person’s similar products and services only; and

(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

----------

So in this case, they are obliged to let you withdraw your consent every time they email you. It is not a blank cheque for them to keep emailing you simply because you've purchased something; it is consent-based and therefore uses the same consent processes as the GDPR.

--

[1] https://www.legislation.gov.uk/uksi/2003/2426

> How Nintendo can have such a formalised GDPR enquiry process but such sloppy controls is beyond me.

Probably because only 1% of 1% of their customers even bother to notice. I'd be willing to bet money that you were the first person to discover this implementation error.

Is the UK still subject to the GDPR now after Brexit?

Yes, part of the Brexit agreement was the UK "domesticating" some parts of EU law by passing them as UK legislation. There is now a law called UK-GDPR, which is literally a copy-paste of GDPR, with names of EU institutions find-and-replaced with their UK equivalents.

There are still some operational differences, around the fact that the UK regulators will not participate in the cooperation mechanisms that the other regulators will. This ends up mattering for businesses: a significant aspect of GDPR was that a company only ever had to deal with one regulator, but now they need to interface with one for the EU and a second for the UK.

I believe GDPR is supposed to be implemented in every participating country's legislation, so the GDPR was implemented in UK law and this remains the case even after Brexit. Nothing prevents them from amending that law and repealing the GDPR's effects on it though.

No, regulations are directly applicable. Directives have to be implemented by each country.