
GDPR and automated email marketing - nynno
https://www.gdprhq.io/post/the-new-european-general-data-protection-regulations-and-automated-mail-marketing
======
wpietri
As somebody who has hated spam for years, I can only wish that I were in the
EU.

There is a whole swathe of companies that is somewhere between casual and
negligent with email addresses, and it would be my distinct pleasure to have a
stick like GDPR to beat them with.

~~~
closeparen
Spammers don’t tend to operate from first-world jurisdictions. (When they do,
CAN-SPAM is decent about requiring working unsubscribe buttons). Spam is not a
problem you can solve with regulation.

~~~
atomwaffel
Sure, I don’t expect to stop receiving invitations to enlarge my genitals in
my spam folder because of GDPR, but I’ll be happy enough if it discourages
dodgy online shops and growth-hacky startups from automatically signing me up
to their mailing list because I made a one-off transaction and “consented” to
receive their special offers for all eternity on page 25 of their terms and
conditions.

------
Agnosco
I'm really curious whether or not this will have an effect and to what extent.

I have spent the last 6 months documenting all of our company's processes
that handle customer interaction and data (which is basically all our
processes), creating flowcharts of how data moves between us, third-party
providers and customers, and writing a document for each of these
flowcharts that pinpoints exactly how we are complying with GDPR for every sub-
process.

If for nothing else, we now have a total overview of what we do and how we do
it - in an easily shareable collection of visualisations and documentation.

~~~
BjoernKW
Same here. My company is a lot smaller (at least from the sound of it) but
GDPR made me review my processes as well.

There were still a few processes that I could simplify and automate.

~~~
mkw5053
Would you be interested in a compliant user data management service? What
specifically would you look for in one?

------
stinky613
> Part of this opt-in verification process must include clear documented proof
> that the person opted in with a full understanding of what they were signing
> up to.

Does anyone have any idea how to actually do that? How do I _prove_ that a
given user actively checked a box?

~~~
canadianwriter
Would something like a verification email asking them to double verify answer
that? They click the box, then they have to open an email and click a link
also verifying it?

~~~
Silhouette
But is that sufficient under GDPR? Although a double opt-in has generally been
considered good practice for a long time, it only demonstrates that a
recipient has agreed to receive mail for _some_ purpose, not for any
_specific_ purpose.

Even if you've been building up your mailing list for years, following
generally accepted good practices, and only signing up genuinely interested
recipients, it seems you could now be in a position where either:

(a) when you signed people up, you provided sufficient information about what
you would be sending to them _and_ you can still produce evidence of that
today;

(b) you need to contact everyone on your list to obtain explicit, specific
consent for whatever you actually send to your list; or

(c) you have to remove anyone who isn't covered by (a) or (b) above (or delete
your whole list).

As with so much about the GDPR, what will be accepted as reasonable evidence
of informed consent for earlier subscribers to a mailing list is ambiguous,
and the consequences of either doing too much or not doing enough are
undesirable.

------
whitepoplar
As someone who's tinkering on an app to send marketing email, I constantly
struggle with the field. On one hand, I really think it helps small/niche
businesses survive, which I think is critically important nowadays. On the
other, nobody thinks their shit stinks, and man does it stink.

I'm curious--what emails do you actually appreciate getting? Would you
subscribe to marketing email with restraints? (e.g. only email me when items
in my size are on sale). If you could change how email marketing works, how
would you do it?

~~~
bad_user
I only appreciate emails with special offers on products and services
complementary to ones I’m already using.

And whenever I receive marketing emails that I never subscribed to, I flag them
directly as spam, although sometimes I ask the sender, just for fun, for the
source of my address. They rarely reply :-)

I keep my Inbox clean because otherwise I’m missing important messages. If
it’s not important, it doesn’t belong in my Inbox. If I don’t know the sender
and it tries to sell me something, it’s spam. If I don’t remember subscribing,
it’s spam.

------
_o_
Unclear regulation? I am encountering this over and over again. Let's clear up
the unclarity...

If you have my data, you will handle it in the same manner as you would handle
your own. You are not selling yours to get higher prices when buying something
online? You are not selling your email account to spammers to get a lot of
worthless emails in your email account each day? ... Now you won't do it with
my data either. It is so simple, you don't need any clarification. No special
law or directive, no studying of GDPR... it just works. Oh, you want me to
receive unsolicited emails for your profit? You want me to get tracked? ... I
will personally make sure you get punished and/or sue you personally.

What is so complicated here? Act in the best interest of your customers regarding
their personal data, and you are safe across the whole EU. I don't understand what
the problem is unless you are NOT ACTING IN THEIR BEST INTEREST; then it becomes
vague (you need a way to circumvent GDPR, but you can't, as it is not an IRS
list but a conceptual law). Anyone having a problem with GDPR already knows
the answer that solves the "problem", but wants to continue his habits.

Just state your problem and I will answer you with advice on where you won't
get punished for breaking GDPR, just ask. But you won't, right? You know the
answer, but you need a way to avoid it. Won't work.

~~~
SahAssar
I fully agree with you, but there are many technical services/platforms that
assume things that are not compatible with that thinking. Those will have to
change, but they are still not up to speed.

Let me preface my question with the statement that I mostly love the GDPR, and
I think it greatly improves privacy and digital rights, and I will exercise
some of those rights come May 25th against companies that I feel have
needlessly collected data on me.

That said, I (as a data controller) think that in many cases the
guidelines are very weak or undefined on subjects like logs or backups. I (as
a private individual) think that any deletion request should automatically
apply to logs and backups, but I (as a data controller and...) as an
operator of a service also see it as a problem to have backups be mutable and have
large swaths of data need to be deleted from backups and logs.

Is there any way to reconcile these ideas?

~~~
_o_
Sorry for the late reply. For old data, the easiest way is to burn the tapes and
make new backups. Now about new backups, here it becomes nasty as typically
they aren't organized granularly enough (but you also need this for exporting
the data on user request, so you just need to do it). Instead of backing up the
whole databases, back up each user's data separately, maybe database
partitioning, table inheritance (postgres) or something else, hard to be
specific here. Once you did that, back up the data by encrypting it with a
random key (long enough, we are using 32 bytes of random garbage) for each
user while storing those keys on simply modifiable storage, cloud, whatever, in
triplicate. Once the user requests data deletion, just destroy the key. We did
it this way and it is a great solution (and we DID burn the tapes literally,
luckily we have business data separated physically from everything else from
the start).

Logs are destroyed each week and the customer will be notified. Also we
anonymize IPs and reverse lookups by hashing them, while we can still identify
the same visitor.

I hope I was helpful :)
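The per-user-key backup scheme and the hashed-IP logging described in the comment above, written out as an added example (this is not the commenter's code, nor code from the linked article or any project). It assumes AES-256-GCM for the per-user encryption, an in-memory map standing in for the "simply modifiable storage" that holds the keys, and HMAC-SHA256 rather than a bare hash for the IP pseudonyms, because an unkeyed hash of an IPv4 address can be reversed by enumerating all 2^32 addresses. All names (`KeyStore`, `Seal`, `Open`, `PseudonymizeIP`) and the sample record are hypothetical and constructed here:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
)

var ErrShredded = errors.New("key destroyed: data has been crypto-shredded")

// KeyStore holds one random 32-byte key per user (the comment's "simply
// modifiable storage"). Backup blobs stay immutable; deletion only touches this.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// KeyFor returns the user's data-encryption key, creating it on first use.
func (ks *KeyStore) KeyFor(user string) ([]byte, error) {
	if k, ok := ks.keys[user]; ok {
		return k, nil
	}
	k := make([]byte, 32) // AES-256 key from the OS CSPRNG
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[user] = k
	return k, nil
}

// Forget destroys the key: every blob sealed for this user is unreadable at once.
func (ks *KeyStore) Forget(user string) { delete(ks.keys, user) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one user's backup record with AES-256-GCM under that user's
// key. The random nonce is prepended; the user id is bound as additional
// authenticated data so a blob cannot later be re-labelled as someone else's.
func Seal(ks *KeyStore, user string, record []byte) ([]byte, error) {
	key, err := ks.KeyFor(user)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, []byte(user)), nil
}

// Open decrypts a blob (restore or data-export request); it fails with
// ErrShredded once the user's key has been destroyed.
func Open(ks *KeyStore, user string, blob []byte) ([]byte, error) {
	key, ok := ks.keys[user]
	if !ok {
		return nil, ErrShredded
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(user))
}

// PseudonymizeIP replaces an address in a log line with a keyed hash. An
// unkeyed hash of an IPv4 address is reversed by trying all 2^32 addresses, so
// the secret logKey is what protects it; the same visitor maps to the same
// value while the key lives, and discarding the key (e.g. weekly) unlinks all.
func PseudonymizeIP(logKey []byte, ip string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return "", fmt.Errorf("not an IP address: %q", ip)
	}
	m := hmac.New(sha256.New, logKey)
	m.Write(parsed) // 16-byte canonical form: "::ffff:1.2.3.4" equals "1.2.3.4"
	return hex.EncodeToString(m.Sum(nil))[:16], nil
}

func main() {
	ks := NewKeyStore()
	blob, _ := Seal(ks, "alice", []byte("alice@example.com;orders=3")) // constructed
	ks.Forget("alice")
	_, err := Open(ks, "alice", blob)
	fmt.Println("after key destruction:", err)
}
```

The backup set itself is never rewritten: a deletion request removes one 32-byte entry from the key store, and every copy of that user's blob on every tape becomes unreadable. The key store is the new crown jewel, which is why the comment keeps it in triplicate; it also needs its own access controls and its own audit trail, since whoever can read it can read all backups.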

~~~
tatersolid
If you’re really destroying your logs each week you’re not meeting a lot of
regulatory requirements, such as PCI if you accept credit cards.

Most security-oriented regulations, and indeed so-called “best practice”,
require keeping logs for security auditing purposes for at least a year if
not longer. They’re often the only tool you have to detect when and how a
breach began.

------
joering2
I hope this stops Sparkpost. Most of the spam I receive is traceable back to them.
Sure, I forward it to abuse@ and a few times I received an open-ticket receipt. They
followed up a few times, then completely ignored my further requests for info or
status updates. These days I don't even receive a new ticket or any kind of
confirmation. I started forwarding those to the FBI and FCC, but I'm sure they're too
busy.

It seems that Yahoo really loves Sparkpost spam that goes straight to my
mailbox even when the sender domain is non-existent, not to mention any DKIM or SPF
records; Gmail is much better at catching those.

This is my experience for the last 2 years.

------
canadianwriter
As someone who doesn't deal with Europe much... CASL here in Canada seems to
have similar rules. Would following CASL automatically mean it follows GDPR?

~~~
throwawayReply
The UK has had data protection laws for years, people aren't scared of GDPR
because it finally provides laws, they're scared because they actually look
enforceable.

~~~
merinowool
I think people are scared because legislation is unclear.

------
DanBC
This is a frustrating article.

The regulation in GDPR is not new! It's a refinement of long existing law (in
England this is the DPA, and PECR).

If it's illegal under GDPR it was probably already illegal under PECR.

All this stuff about "ZOMG we need informed consent before we send email"? You
already need that.

------
return1
This is going to be fun when election times come in Europe. Here we get a lot
of unsolicited email from candidate MPs, and I'm certain most of them
bought/found the addresses from dubious/illegal sources.

~~~
krrrh
The Canadian anti-spam legislation goes so far as to have a specific carve-out
for political emails that solicit money [1]. I joined each of the big 3
parties during their leadership campaigns and they all have a practice of
ignoring unsubscribe requests, and passing your email address around
internally or signing you up to new lists. It’s pretty gross.

[1]
[https://crtc.gc.ca/eng/com500/faq500.htm](https://crtc.gc.ca/eng/com500/faq500.htm)

------
hackbinary
Isn't the simple way to get around GDPR to send the email marketing from a
foreign email company (in a non-GDPR jurisdiction) asking if you are
interested in being referred to a type of product or service?

------
joering2
The VERIFIED OPT-IN part opens up a beautiful opportunity to destroy your
competitor for $5.

1. Open DigitalOcean hosting for $5. With a prepaid card they will let you do
it, however port 25 will be blocked.

2. You don't need port 25 anyway. Download a few lists of emails from an online
search and set up php_curl every 30 seconds to your competitor's landing page
subscription ajax call.

3. Wait a few months for them to be slammed with $4MM fines as they will be
unable to prove how they got that traffic in the first place :)
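A double opt-in flow with a consent evidence record, written as an added example that is not from the page, the commenters, or any project. It addresses stinky613's question above (how to prove a given user actively agreed), canadianwriter's suggested confirmation email, and the scripted-signup scenario in the comment directly above: a form post on its own is never treated as consent, so a flood of addresses pushed at the subscription endpoint creates no subscribers and no state, while a followed confirmation link produces a record of which consent text version was shown, when, and from where. It assumes HMAC-SHA256 for the confirmation token carried in the link; `List`, `Signup`, `Confirm`, `Evidence`, the sample addresses and the consent-text version string are all hypothetical and constructed here:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// ConsentRecord is the evidence kept per confirmed subscriber: which version of
// the consent text was shown, when and from where the form was posted, and when
// and from where the confirmation link was followed. Only the confirmation shows
// that the mailbox owner, not merely whoever posted the form, agreed.
type ConsentRecord struct {
	Email, ConsentTextVer string
	SignupAt, ConfirmedAt time.Time
	SignupIP, ConfirmedIP string
}

var ErrBadToken = errors.New("confirmation token invalid or tampered")
var ErrExpired = errors.New("confirmation token expired")

// List stores confirmed consents only. An unconfirmed signup lives entirely in
// the signed token inside the confirmation link, so a flood of bogus form posts
// leaves nothing behind that could later be mistaken for a subscriber.
type List struct {
	secret   []byte        // HMAC key for confirmation tokens
	ttl      time.Duration // how long a confirmation link stays valid
	consents map[string]ConsentRecord
}

func NewList(secret []byte, ttl time.Duration) *List {
	return &List{secret: secret, ttl: ttl, consents: map[string]ConsentRecord{}}
}

func (l *List) mac(payload string) string {
	m := hmac.New(sha256.New, l.secret)
	m.Write([]byte(payload))
	return hex.EncodeToString(m.Sum(nil))
}

// Signup returns the token for the confirmation link. This is not consent:
// nothing is stored and nothing but the one confirmation mail may be sent.
// The email goes last so an address containing "|" cannot corrupt the fields.
func (l *List) Signup(email, textVer, ip string, now time.Time) string {
	payload := strings.Join([]string{textVer, ip, strconv.FormatInt(now.Unix(), 10), email}, "|")
	return hex.EncodeToString([]byte(payload)) + "." + l.mac(payload)
}

// Confirm turns a valid, unexpired token into a stored ConsentRecord.
func (l *List) Confirm(token, ip string, now time.Time) (ConsentRecord, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return ConsentRecord{}, ErrBadToken
	}
	raw, err := hex.DecodeString(parts[0])
	if err != nil {
		return ConsentRecord{}, ErrBadToken
	}
	payload := string(raw)
	if !hmac.Equal([]byte(l.mac(payload)), []byte(parts[1])) {
		return ConsentRecord{}, ErrBadToken // forged, or signed under another key
	}
	f := strings.SplitN(payload, "|", 4)
	if len(f) != 4 {
		return ConsentRecord{}, ErrBadToken
	}
	ts, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return ConsentRecord{}, ErrBadToken
	}
	signupAt := time.Unix(ts, 0).UTC()
	if now.Sub(signupAt) > l.ttl {
		return ConsentRecord{}, ErrExpired
	}
	rec := ConsentRecord{Email: f[3], ConsentTextVer: f[0], SignupIP: f[1],
		SignupAt: signupAt, ConfirmedIP: ip, ConfirmedAt: now.UTC()}
	l.consents[rec.Email] = rec
	return rec, nil
}

// Evidence is the only gate before marketing mail and the record a subscriber
// or regulator can be shown: ok is true only for a confirmed address, so one
// posted to the form by a hostile script is never mailed.
func (l *List) Evidence(email string) (ConsentRecord, bool) {
	r, ok := l.consents[email]
	return r, ok
}

func main() {
	l := NewList([]byte("rotate-me"), 24*time.Hour)
	tok := l.Signup("alice@example.com", "newsletter-v3", "203.0.113.7", time.Now()) // constructed
	_, ok := l.Evidence("alice@example.com")
	fmt.Println("mailable before confirmation:", ok)
	rec, err := l.Confirm(tok, "198.51.100.2", time.Now())
	fmt.Println(rec.Email, rec.ConsentTextVer, rec.ConfirmedAt, err)
}
```

The point the scripted-signup scenario misses is that a verified opt-in list stores the confirmation, not the form post: the only traffic the attacker can generate is unconfirmed signups, which here are never written anywhere, and the only cost to the target is the confirmation mail each one triggers, which is where rate limiting and a CAPTCHA on the form belong. Keep the consent text itself versioned alongside `ConsentTextVer`, since the record is only proof of informed consent if you can still show the exact wording that version refers to.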

