22 May 2018

The Guardian: “Most GDPR emails unnecessary and some illegal, say experts”

Many companies, acting based on poor legal advice, a fear of fines of up to €20m (£17.5m) and a lack of good examples to follow, have taken what they see as the safest option for hewing to the General Data Protection Regulation (GDPR): asking customers to renew their consent for marketing communications and data processing.

But Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, said many of those requests would be needless paperwork, and some that were not would be illegal.

Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR, Vitale said. The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.

Alex Hern

I’ve seen a lot of confusion around this. I think most companies still mishandle it pretty badly because they simply don’t grasp the privacy principle underlying the regulation: businesses can collect and process data from customers (as they need to do for any business transaction), as long as they don’t share this data with third parties. It’s only at this point that they should start thinking about getting consent and additional controls. An email newsletter is perfectly fine as long as you don’t use the subscriber data for other purposes – for example selling the database to other companies for their own marketing and targeting.

I’ve seen my share of dubious GDPR-related emails, but today I received one of the worst offenders so far, from a local seller of photographic equipment. They literally threatened to remove my account, including my loyalty points, if I didn’t give my consent! Very hostile language, not to mention the fact that they sent the mail only 3 days before the deadline. Now I’m seriously considering never buying from this company again.

[Image: f64 GDPR email, consent or remove account]

I wonder what happens with people who are out of the country without internet access for the week, or if the mail accidentally lands in spam; will the company go through with this policy of removing accounts? How will they handle the complaints as people realize they’ve been forcibly locked out? No doubt they will (wrongly) blame the EU regulation for their own incompetence.
