As we careen wildly into a post-GDPR world at the end of this week, you've probably already been inundated with tons upon tons of emails from various companies where you either have an account or have been signed up for their mailing list. Some of these emails likely note that they want you to confirm that you want to remain on their list because of the GDPR. Others pretend they're just checking in with you for the hell of it. According to an expert in EU regulation, many of these emails probably violate another EU regulation, one designed to make spamming illegal. As for the others? They're almost certainly not necessary under the GDPR and appear to be people misunderstanding the GDPR "out of an abundance of caution."
In short, if a service already has proper permission from you, then it doesn't need to get it again. If it doesn't, it's violating EU spam regulations by asking you to give your consent to receive such messages.
Vitale said, if the business really does lack the necessary consent to communicate with you, it probably lacks the consent even to email to ask you to give it that consent.
“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email.”
And, yes, EU regulators are aware of all of this:
“We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them,” Steve Wood, the deputy information commissioner, wrote in guidance for businesses. “So think about whether you actually need to refresh consent before you send that email, and don’t forget to put in place mechanisms for people to withdraw their consent easily.”
Like Vitale, Wood emphasised that asking for marketing consent from people who had not given it initially could be illegal. “It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act,” he said.
Depending on how you look at this, it's either the most European of European regulation situations -- in which efforts to comply with a new set of convoluted regulations means violating existing convoluted EU regulations -- or just another example of how ridiculous companies act. Still, it does seem fairly clear that the whole GDPR situation is an utter mess, with tons of companies having no idea what they actually need to do, or how to actually comply with the law.
Whether you think the GDPR is a wonderful innovation in protecting our privacy, or you think it's a giant clusterfuck of bureaucratic virtue signaling, it does seem like it could be something of a general problem if basically every internet company everywhere has no idea how to actually be in compliance.
Source