
Ask HN: Is anyone disabling email tracking because of GDPR? - hispanic
I'm trying to make my personal blog GDPR-compliant. I use a free MailChimp account to send emails when I post a new article. Seems to me that MailChimp's tracking of email opens and clicks, which are clearly associated with personally-identifying email addresses, is not GDPR-compliant. Obviously, MailChimp is not alone in offering this functionality. And yet, I don't get the sense that anyone is turning off email tracking or, alternatively, requesting my permission to track my interaction with their emails.
======
adulau
Why don't you put a privacy policy explaining this in your blog? As long as
you ensure 'lawfulness, fairness and transparency', you can easily be
"GDPR-compliant". Keep a record of your processing activities (e.g. MailChimp
is the data processor and you are the data controller) and a quick note about
the risk associated.

~~~
tibu
It isn't enough anymore to put this into a PP. If the subscribers did not give
consent for this it cannot be tracked (at least I think).

~~~
DanBC
Consent is only one reason for data handling. There are others. Consent
doesn't always need to be given.

[https://twitter.com/bainesy1969/status/995370110587154433](https://twitter.com/bainesy1969/status/995370110587154433)

~~~
stingraycharles
Only if it is strictly necessary in order to conduct business, and no longer
than that. E.g. using cookies for managing a session’s shopping cart.
Obviously tracking emails for marketing purposes is not allowed.

~~~
adulau
Tracking emails for marketing purposes can be seen as a legitimate interest.
As long as it's described to the data subject and they give their consent,
it's allowed.

Recital 48 is giving some explanation:

"The processing of personal data for direct marketing purposes may be regarded
as carried out for a legitimate interest."

[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN)

~~~
stingraycharles
I really think the answer to this question at the moment depends upon the
person asking. All I read in recital 48 is that PII might be shared within a
group of companies that fall under the same holding.

IANAL, but I spent the past 2 years as CTO of an EU-based analytics company
becoming compliant with GDPR, and consider myself quite informed on the topic.
I would tread more carefully than what you are suggesting.

------
hispanic
I asked the following question of MailerLite and received the following
answer...

Q: "Does Mailerlite allow me to disable open tracking and click tracking for
the purposes of GDPR compliance?"

A: "Email tracking is not forbidden by GDPR. We just recommend to update the
privacy policy that clicks and opens are tracked in the newsletter they get."

------
DanBC
This website might be useful:
[https://www.infosecurity-magazine.com/blogs/gdpr-questions-a...](https://www.infosecurity-magazine.com/blogs/gdpr-questions-answered-blog/)

~~~
hispanic
Thanks for the pointer, but this simply speaks to collecting the email
addresses (which is rather easy to obtain explicit consent for), not email
tracking.

------
rdlecler1
GDPR implementation is a nightmare for small startups.... so to avoid
case-by-case consent options you make your newsletter adapt to the reading
behavior of the user. If this becomes a key feature of the service it would
seem that this data becomes necessary for the service and you could force
consent without making it one of many optional features that a user opts in to.

~~~
zaroth
It seems pretty straightforward that tracking deliverability, opens, and
click-through of your newsletter is essential in providing a newsletter
service.

These metrics are fairly essential if you want to be sure your users are
actually receiving your content, and what content they are relating to in
order to improve your content.

Since providing relevant content which actually makes it into your users’
Inboxes is the whole point of a newsletter, it seems like ensuring that is
actually happening is a core part of the service.

But I am not a lawyer, and I am certainly no expert on GDPR.

~~~
hispanic
Well said. As a hypothetical non-technical recipient of an email newsletter,
I'd probably disagree that such tracking is essential. Personally, I just use
the service so I don't have to manually send emails when I post new articles.
The tracking doesn't interest me much.

Simply because the industry has molded the competitive landscape in such a way
that tracking can be deemed "essential" does not, in my mind, make their
behavior and actions immune from consent. But, I don't doubt that they could
make that argument and win.

------
cm2012
Realistically, no one is ever going to go into your MailChimp account to audit
if you're tracking opens. Don't worry about it.

~~~
hispanic
I'm not necessarily worried about it. I mostly ask because the lack of
activity/discussion surrounding email tracking mystifies me. Just trying to
understand.

------
nitwit005
It looks like you can uncheck the tracking box if you get a paid account,
which I suppose means that your GDPR compliance will be $10 a month:
[https://kb.mailchimp.com/reports/enable-and-view-click-track...](https://kb.mailchimp.com/reports/enable-and-view-click-tracking)

~~~
hispanic
Yeah, I saw that. They state that they require it for free and new paid
accounts - for the purposes of "compliance".

