
Dear Email Industry, We’ve Got a GDPR Problem - iamacyborg
https://www.jacquescorbytuech.com/writing/gdpr-email-tracking.html
======
isostatic
"This stressed out a lot of email marketers, who quite rightly realised that
the new regulations would have a significant effect on their ability to
acquire and market to customers via their email address"

"The overwhelming majority of commercial email sent today contains tracking
pixels and tracking links, these are used to uniquely identify individuals so
that opens and clicks can be correctly attributed to them"

Good.

While spammers may have a problem, people don't.

If I want your tracking pixels and emails then I'll opt in.

~~~
giancarlostoro
> While spammers may have a problem, people don't.

Marketing spammers maybe, but now scammers and malware spammers have the floor
instead. Laws only stop the law abiding citizens from doing their thing, it
sure doesn't stop the criminals from.... being criminals.

~~~
satanspastaroll
Not having marketing spammers is still better than having spammers and
scammers

~~~
giancarlostoro
There's usually an unsubscribe button for marketing spam, and if there isn't I
usually block their email. You can't do that with scammers / illegal spam.

~~~
martin_a
Have you ever clicked one of those? I've never been sure if that wouldn't have
worsened the situation by giving feedback that this is an active mail address
managed by somebody.

~~~
ses1984
If it's from a legitimate company in American jurisdiction they are legally
obligated to stop sending emails if you click unsubscribe. I suppose that
piece of information has some nonzero value that you are giving up in exchange
to not be contacted by that company.

If you filter just a single address that address can change. If you filter
their domain you might lose legitimate correspondence.

~~~
danaris
I’ve had several groupings of unsolicited marketing emails over the years
where I’ve clicked Unsubscribe and ended up on what’s very clearly a Totally
Not That Email List, Honest...but it’s advertising the same things, in the
same way, just from a slightly different email and possibly different company
name. They have all been American in origin.

~~~
ses1984
You can complain under the CAN-SPAM Act.

~~~
guitarbill
It's so asymmetrical though. The amount of effort it takes to spam someone is
vastly lower than a complaint.

What would be great is a third-party site where you can somehow document/log
unsubscribe requests. Then, if the company still spams you, document that. A
few hundred users is pretty good proof, and the company can't just argue a
glitch. It'd pay for that.

------
addicted
Since the headline misled me, this is about the email marketing industry and
their use of tracking pixels, as opposed to issues with generic emails.

~~~
libertine
This isn't bound to email marketing, unless you put all commercial
communication dealt via email as email marketing.

~~~
gnud
I think any email that uses tracking pixels could be classified as either spam
or marketing, or possibly both.

If you use tracking pixels in your receipts, I think you're doing it wrong.

~~~
seelmobile
What about mandatory service announcements where you want to know if you
reached clients before breaking them?

~~~
gnud
Have them click a link to acknowledge receipt.

A tracking pixel hit only means that the email was received and loaded in
some email client, not that it was read (in detail, or at all), understood, or
acted on.

~~~
TeMPOraL
Moreover, a lack of tracking pixel hit doesn't mean the e-mail wasn't loaded,
much less that it wasn't read, understood or acted on.

------
jmarbach
Browsing the web in Europe is like experiencing the rebirth of the pop-up ads
era. It has led to compulsory acceptance. This too shall pass.

There is a reasonable expectation that when you submit your email to a company
in exchange for their service, they will email you communications relating to
their products and services.

~~~
seszett
> _There is a reasonable expectation that when you submit your email to a
> company in exchange for their service, they will email you communications
> relating to their products and services_

Certainly not. If I didn't check a box saying "I want to receive commercial
emails related to your products and services" I expect not to receive those. I
might unsubscribe from the whole thing if I don't have any other means of
avoiding those useless commercial emails.

~~~
Macha
I generally report such "you bought something and so we signed you up to the
mailing list" activity as spam in Gmail, and if the unsubscribe button links
me to a third party vendor, list "I never signed up for this list" as the
reason.

------
aiCeivi9
There is the Email Industry - that is the problem.

~~~
ericb
Just because you associate emails with spam doesn't solve the problem of every
charity, business, church, school and group needing to communicate with large
numbers of email subscribers. Like anything, bad actors make it worse.

~~~
criddell
Somehow all those groups managed to get by without email in the past. I'm sure
they would be fine today as well.

~~~
ericb
Just because you don't want to hear from anyone via email doesn't mean _I_
don't.

~~~
criddell
That's fair. I'm guessing those groups can all manage to communicate with you
without spying on you.

------
JonAtkinson
Off-topic: I absolutely love the design choices made by the author of this
site. It's the basic browser stylesheet with some nice refinements. A real
triumph of minimalism and incredibly readable.

~~~
srbby
Font is too big.

~~~
pteraspidomorph
It's very pleasant on QHD. I agree that they probably should have a different
sheet for lower resolutions.

~~~
barrkel
In principle, using resolution-independent units like points should be fine;
it's using px instead of pt that leads to problems.

(And the site is using px; it shouldn't.)

~~~
chrismorgan
You are incorrect. All CSS units are defined in a resolution-dependent way. (I
think there has only ever been one exception to this, an experimental unit
`mozmm`, now discontinued, that attempted to be resolution-independent,
representing one physical millimetre.) On screen, the px unit is king, being
defined however the device chooses to define it—most commonly one or two
device pixels. All other units are defined in terms of it: 1in = 96px = 72pt,
_&c._ On print, the ratios are the same, but physical length units actually
have _meaning_ now, corresponding to physical measurements—well, _maybe_ they
do; in practice browsers play fast and loose with it all, second-guessing the
website’s stylesheets all over the place, which is normally a good thing for
users because few websites take care for print stylesheets, but is utterly
debilitating if you actually care and want precision.

Now the question of what the root font-size is (a unit I like to call “browser
em” or “bem”—I’ve never heard anyone else give it a proper name)— _that’s_ a
much more interesting question. It’s almost always 16px (I have no stats ready
to hand, but I’d suggest >99% of page views), but there are devices out there
that have other values, mostly between 13px and 19px, and you can change the
value in some browsers also. However, website layouts commonly break if the
value is not 16px, if the font sizes are based in bems and media queries in
px, or font sizes in px and media queries in bems, and the developers have
assumed 16px (which is completely normal). The ideal situation is to use
either px everywhere or bem everywhere.

In theory, using relative units everywhere is potentially nicer. In practice,
you’re fine using pixel units everywhere.

But 24px is still way too big.

~~~
barrkel
I'm sure you're right - I am only ever a front end CSS dev in an emergency,
and then only for desktop. That said, when I see a relative discrepancy
between sizes on different media, px vs pt is where I'd look. That is, two
things that might e.g. look the same size on a desktop browser but look
different sizes on mobile.

------
mnm1
It's been over a year now and so many sites are not in compliance. I'm
surprised the EU doesn't start collecting fines from companies like Yahoo and
TechCrunch (and all Oath sites). Just two that come to mind that are blatantly
violating the GDPR with absolutely no way to not consent to their tracking.
Mass email spammers are another issue. Why isn't the EU collecting this money
from these large orgs that are clearly in violation? It could do a lot to help
the people here.

------
jakobegger
I think the GDPR is a good opportunity to reflect how much tracking we really
need.

Tracking has become so ubiquitous, it's become the default to put Google
Analytics on a site, to put a tracking pixel into every email, to personalize
every link we send out...

But so much of that tracking isn't really necessary. I've stopped tracking
website visitors and stopped including tracking pixels in emails a few years
ago, and nothing has really changed.

So, I guess I won't know if 10% open my marketing emails or 50%. But who
cares? I wouldn't even know what to do with the information anyway. I'd rather
focus on making my product better.

~~~
buboard
GDPR wants 0 tracking. That's wrong too, the internet can't work that way,
even governments can't work that way. EU wants advertising to go back to the
popup / animated gifs & flash / interstitial era to maximize clickthroughs in
the off-chance one of them is actually interested in your ads. That's
regression

~~~
TeMPOraL
GDPR wants 0 tracking _without explicit, informed consent_. That's the key
thing in this regulation: informed consent. Dealing with people fairly.

> _EU wants advertising to go back to the popup / animated gifs & flash /
> interstitial era to maximize clickthroughs in the off-chance one of them is
> actually interested in your ads._

Not true, unfortunately. EU wants the ads to not track people without their
explicit, informed consent. GDPR isn't an anti-advertising law, it's a data
protection law (says so literally in the name).

> _That's regression_

No. That's _remission_.

~~~
buboard
- users could always install an adblocker if they don't consent.

- users could consent once for each tracker if that's what the law cared for.
Consenting for each tracker x for each website is purposeful obstruction in
order to make advertising optional

~~~
icebraining
> - users could always install an adblocker if they don't consent.

- To consent, one must be informed, so the sites would have to advertise
adblockers, why they exist and how they can be used.

- Current adblockers rely on volunteers compiling lists of ads, and sites
trying to evade those lists. That's not a reasonable way to ensure a legal
right, so sites / networks would have to publish those lists themselves.

- The GDPR is about way more than website access tracking, so you'd still
need all the same rules about the rest of the use of personal information.
Seems like a duplication of effort and complexity.

> - users could consent once for each tracker if that's what the law cared
> for.

Just because I'm OK with a network knowing I visit nytimes.com doesn't mean
I'm OK with them knowing (and using the information) that I visit pornhub.com.
Consent per site is crucial.

------
richardwhiuk
I thought GDPR required tracking to be opt in? I can't see how tracking pixels
on emails comply at all.

------
reilly3000
While conducting a GDPR review I discovered that our email service provider
(Campaign Monitor) was logging IP addresses of our list members associated
with each email open. My jaw dropped when I noticed that they were doing
geo-ip enrichment, so that I could drill into any subscriber, see a history of
their opening of our newsletters, and a map of their approximate location. I
could see if "Bruce" was in Melbourne or Petaluma on April 23rd. That kind of
data is straight up dangerous and would be very hard to justify on a
Legitimate Interest Assessment. That said, I haven't found a way to disable or
purge that data thus far, and have been having a hard time finding an ESP that
doesn't log IPs for its open tracking. We legitimately need open tracking, but
certainly not with non-hashed IPs exposed. Realistically, just overall open
rate reporting would suffice for our use case, not tracking of individual list
member's activity.
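
Added example, not part of the comment above and not any ESP's own code: one way to produce the overall open-rate reporting the comment asks for from pixel-hit logs without retaining IPs or per-subscriber history. The log format, campaign names and subscriber tokens are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed pixel-hit records (not real data):
# timestamp, client IP, campaign id, subscriber token.
SAMPLE_HITS = [
    "2019-04-23T08:01:12Z 203.0.113.7 spring-news sub-1001",
    "2019-04-23T08:05:40Z 203.0.113.7 spring-news sub-1001",  # repeat open
    "2019-04-23T09:17:03Z 198.51.100.24 spring-news sub-1002",
    "2019-04-24T11:30:55Z 192.0.2.91 spring-news sub-1003",
    "2019-04-24T12:00:00Z 192.0.2.91 product-update sub-1003",
    "malformed line",
]
# Constructed number of messages sent per campaign.
SAMPLE_SENT = {"spring-news": 10, "product-update": 4}


def aggregate_opens(lines, sent_counts):
    """Return {campaign: {"sent", "unique_opens", "open_rate"}} only."""
    # Ephemeral key, never stored: the digests used for de-duplication
    # cannot be brute-forced back to subscribers or linked across runs,
    # which a plain unkeyed hash of an IP or token would allow.
    key = secrets.token_bytes(32)
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        _ts, _ip, campaign, subscriber = parts  # IP and timestamp dropped here
        msg = f"{campaign}:{subscriber}".encode()
        seen[campaign].add(hmac.new(key, msg, hashlib.sha256).digest())
    report = {}
    for campaign, sent in sent_counts.items():
        opens = len(seen.get(campaign, ()))
        report[campaign] = {
            "sent": sent,
            "unique_opens": opens,
            "open_rate": round(opens / sent, 3) if sent else 0.0,
        }
    return report


if __name__ == "__main__":
    for name, row in aggregate_opens(SAMPLE_HITS, SAMPLE_SENT).items():
        print(name, row)
```

The report carries campaign-level counts only; the de-duplication set and its key exist in memory for the duration of the run and are discarded with it.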

------
really3452
Personal opinion: Pictures and HTML have no place in email. Full stop.

------
Nazzareno
True that the European user should be able to opt-out just from tracking. Our
platform MailUp (ESP) is handling this in the preference center (that can be
customized). Here is a sample:
[https://updates.mailup.com/frontend/preferencecenter/363734/...](https://updates.mailup.com/frontend/preferencecenter/363734/5533444f-58b9-46f6-9913-9097dbd8b62c/98/13414/)

~~~
Angostura
By default the European user should be opted _out_ of tracking

~~~
martin_a
This and only this is a valid, legal solution according to the GDPR.

Especially all the "by continuing to use our site, you'll agree to getting the
shit tracked out of you"-messages are highly illegal, because the GDPR
requires explicit consent.

Sadly there have been no big legal cases up till now. But the time will come.

------
chrismorgan
> This might be one of the very few instances in which I’d recommend SFMC

What is SFMC?

------
0xfaded
GDPR missed a massive opportunity to standardize encrypted email. Instead
we're now stuck with crappy 3rd party "secure mail" systems.

I have a startup in Denmark, and the incubator we're part of applied for an EU
funding scheme. The bureaucracy for these programs is out of control, and
there are claims out there that 90% of state innovation funding is blown on
administration.

Long story short, I had to fill out some timesheets, and because of GDPR print
out the sheets filling in everything except the personally identifying
information, and then fill the rest of them out with a PEN.

------
thiccly
My friends in IM told me I was stupid for not "building an email list" for my
high traffic website.

Still see no good reason to do it.

------
buboard
GDPR is Europe's problem, not of the entire "email industry"

~~~
hjanssen
It is a problem when you are targeting users from Europe, which you are doing
almost certainly.

~~~
buboard
We already have more than enough cookie popups and "heads up" emails whenever
a company changes a comma in their ToS. GDPR is a bureaucratic madness and not
something to be imitated.

Want to educate users about privacy? Do it with extensive educational
campaigns, not by ruining everyone's experience on the web.

~~~
deif
It's not GDPR's fault that websites have awful user experience. If they really
cared about privacy then they wouldn't use popups that required multiple
clicks to remove tracking cookies.

~~~
hvidgaard
If you have to untick boxes they're not in compliance with GDPR. If the button
to not have tracking is gray and "accept all" is green, you're not in
compliance. Many websites deliberately try to make it harder to opt-out, which
is directly against the GDPR.

