Ask HN: Is anyone disabling email tracking because of GDPR?
17 points by hispanic 7 months ago | 25 comments
I'm trying to make my personal blog GDPR-compliant. I use a free MailChimp account to send emails when I post a new article. Seems to me that MailChimp's tracking of email opens and clicks, which are clearly associated with personally-identifying email addresses, is not GDPR-compliant. Obviously, MailChimp is not alone in offering this functionality. And yet, I don't get the sense that anyone is turning off email tracking or, alternatively, requesting my permission to track my interaction with their emails.
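The open and click tracking the post refers to works mechanically like this: the sending service embeds a tiny remote image whose URL carries a per-recipient token (fetching it reports an "open"), and rewrites every link into a redirect on its own host, again keyed to the recipient (following it reports a "click"). Both therefore tie a named email address to behaviour. The following scanner is an added example written for this thread, not MailChimp's or any provider's code; it flags those two patterns in an outgoing newsletter body so a sender can check what a campaign will really do before it goes out. The sample HTML, the hostnames `tracker.example` and `blog.example`, and the token values are constructed, and the detection rules are heuristics.

```python
"""Heuristic audit of a newsletter HTML body for open- and click-tracking.

Open tracking: a 1x1 or hidden remote image whose URL carries a recipient token.
Click tracking: a link to the sender's host that carries the real destination
as a URL-encoded query parameter (a per-recipient redirect).
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse


def _is_tiny(attrs):
    """True when width/height describe a 1x1 (or 0x0) image, the usual pixel size."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    return w in ("0", "1") and h in ("0", "1")


def _is_hidden(attrs):
    """True when inline CSS hides the image from the reader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class TrackingAuditor(HTMLParser):
    """Collects findings while walking the HTML; self-closing <img/> is handled
    by HTMLParser's default handle_startendtag, which calls handle_starttag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attr_list):
        attrs = {k.lower(): (v or "") for k, v in attr_list}
        if tag == "img":
            self._check_img(attrs)
        elif tag == "a":
            self._check_link(attrs)

    def _check_img(self, attrs):
        parsed = urlparse(attrs.get("src", ""))
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: images are inline and cannot report back
        if _is_tiny(attrs) or _is_hidden(attrs):
            self.findings.append({
                "kind": "open-pixel",
                "host": parsed.netloc,
                "params": sorted(parse_qs(parsed.query)),  # names of the tokens carried
            })

    def _check_link(self, attrs):
        parsed = urlparse(attrs.get("href", ""))
        if parsed.scheme not in ("http", "https"):
            return
        # A redirect-style link embeds the real destination as a parameter value
        # whose host differs from the link's own host.
        for values in parse_qs(parsed.query).values():
            for value in values:
                inner = urlparse(unquote(value))
                if inner.scheme in ("http", "https") and inner.netloc and inner.netloc != parsed.netloc:
                    self.findings.append({
                        "kind": "click-redirect",
                        "host": parsed.netloc,
                        "destination": inner.netloc,
                    })
                    return


def audit_newsletter(html):
    """Return a list of tracking findings for one rendered newsletter body."""
    auditor = TrackingAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample of what a tracked campaign body looks like (hypothetical hosts).
SAMPLE = """<html><body>
<p>New post: <a href="https://tracker.example/track/click?u=list42&e=rcpt-7f3a&url=https%3A%2F%2Fblog.example%2Fpost%2F1">Read it</a></p>
<p>Plain link: <a href="https://blog.example/archive">archive</a></p>
<img src="https://tracker.example/track/open?u=list42&e=rcpt-7f3a" width="1" height="1" alt="">
<img src="https://blog.example/logo.png" width="120" height="40" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for finding in audit_newsletter(SAMPLE):
        print(finding)
```

Run against a real campaign preview, the two findings show exactly which hosts receive the per-recipient token; an untracked newsletter yields an empty list. The `e=` style token is what links the event to a specific subscriber, which is why the post treats this as processing of personal data rather than anonymous statistics.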

Why don't you put a privacy policy explaining this in your blog? As long as you ensure 'lawfulness, fairness and transparency', you can easily be "GDPR-compliant". Keep a record of your processing activities (e.g. MailChimp is the data processor and you are the data controller) and a quick note about the associated risk.

I appreciate the thought, but I don’t see how that complies with either the spirit or the wording of the GDPR. One of the goals of the GDPR is for data controllers to obtain explicit consent that is rather granular in nature - aligned with the purposes for each data collection. In the case of me providing a form allowing people to subscribe to my blog, the ostensible (and stated) purpose of me collecting their email address is so I can send them emails notifying them when I post a new article. But, if I’m also using their email addresses to track their interaction with my emails, that’s a distinct and separate purpose to which they never consented. More info: https://www.gdpreu.org/compliance/email-tracking/

Embedding implied consent to such tracking in a separate document (privacy policy) does not seem to be very transparent. What am I misunderstanding?

I think it's easier. When they subscribe to your blog, you should include the fact that the data processor (handling the email) does some additional tracking in order to provide a specific service. Regarding consent (article 7 of the GDPR), provide a clear description of why you do tracking and its objective. The transparency aspect is very important.

PS: It's usually better to have a look at the GDPR on the official website of EUR-Lex. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

MailChimp wants to embed GDPR-compliance language akin to the following: "You acknowledge that the information you provide will be transferred to MailChimp for processing in accordance with their Privacy Policy (https://mailchimp.com/legal/privacy/) and Terms (https://mailchimp.com/legal/terms/)."

But, MailChimp allows open-tracking to be disabled. So, that wouldn’t seem to be a required element of their processing. Which means it’s for the controller to decide. I don’t understand how article 7 of the GDPR allows for email tracking to be immune from explicit consent.

It's not immune to explicit consent. You have to clearly state why you (or your data processor) do email tracking. This can be included and described when the user subscribes to your blog.

Oh - OK. Then we’re of the same understanding. And yet I don’t see anyone do this. But I seriously doubt everyone is disabling their email tracking en masse. Which is why I asked my original question. :)

You would still need to ask specifically for opt-in for that tracking, because it is not essential to the "service" (the newsletter).

And yet, amongst all of the privacy policy update emails I've received of late, I haven't been explicitly asked to consent to email tracking.

It isn't enough anymore to put this into a PP. If the subscribers did not give consent for this, it cannot be tracked (at least I think).

Consent is only one reason for data handling. There are others. Consent doesn't always need to be given.
Only if it is strictly necessary in order to conduct business, and no longer than that. E.g. using cookies for managing a session’s shopping cart. Obviously tracking emails for marketing purposes is not allowed.

Tracking emails for marketing purposes can be seen as a legitimate interest. As long as it's described to the data subject and they give their consent, it's allowed.

Recital 48 is giving some explanation:

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
I really think the answer to this question at the moment depends upon the person asking. All I read in recital 48 is that PII might be shared within a group of companies that fall under the same holding.

IANAL, but I spent the past 2 years as CTO of an EU-based analytics company becoming compliant with GDPR, and consider myself quite informed on the topic. I would tread more carefully than what you are suggesting.

If a data subject subscribes to a mailing list by giving their email and you have a "request for consent shall be presented in a manner which is clearly distinguishable from the other matters" which can be clearly described in your privacy policy, you are totally in line with article 7 on the conditions for consent.

I asked the following question of MailerLite and received the following answer...

Q: "Does Mailerlite allow me to disable open tracking and click tracking for the purposes of GDPR compliance?"

A: "Email tracking is not forbidden by GDPR. We just recommend updating the privacy policy to state that clicks and opens are tracked in the newsletter they get."

Thanks for the pointer, but this simply speaks to collecting the email addresses (which is rather easy to obtain explicit consent for), not email tracking.

GDPR implementation is a nightmare for small startups... so to avoid case-by-case consent options you make your newsletter adapt to the reading behavior of the user. If this becomes a key feature of the service, it would seem that this data becomes necessary for the service and you could force consent without making it one of many optional features that a user opts in to.

It seems pretty straightforward that tracking deliverability, opens, and click-through of your newsletter is essential in providing a newsletter service.

These metrics are fairly essential if you want to be sure your users are actually receiving your content, and what content they are relating to in order to improve your content.

Since providing relevant content which actually makes it into your users’ Inboxes is the whole point of a newsletter, it seems like ensuring that is actually happening is a core part of the service.

But I am not a lawyer, and I am certainly no expert on GDPR.

Well said. As a hypothetical non-technical recipient of an email newsletter, I'd probably disagree that such tracking is essential. Personally, I just use the service so I don't have to manually send emails when I post new articles. The tracking doesn't interest me much.

Simply because the industry has molded the competitive landscape in such a way that tracking can be deemed "essential" does not, in my mind, make their behavior and actions immune from consent. But, I don't doubt that they could make that argument and win.

Yeah, seems like this is the primary loophole in GDPR. Find ways to make data “necessary” for providing the product to the user.

Maybe one day a prosecutor will use a database schema as evidence of GDPR violations...

Realistically, no one is ever going to go into your MailChimp account to audit if you're tracking opens. Don't worry about it.

I'm not necessarily worried about it. I mostly ask because the lack of activity/discussion surrounding email tracking mystifies me. Just trying to understand.

It looks like you can uncheck the tracking box if you get a paid account, which I suppose means that your GDPR compliance will be $10 a month: https://kb.mailchimp.com/reports/enable-and-view-click-track...

Yeah, I saw that. They state that they require it for free and new paid accounts - for the purposes of "compliance".
