The emails likely came from companies you’ve purchased products/services from online or to which you’ve submitted your email address to subscribe to a newsletter. Or, if you’re like me, companies you engaged with eons ago and then promptly forgot existed…
But before we dive into what you can (and possibly should) do about these emails, let’s back up a second…
What is The General Data Protection Regulation (GDPR)?
Put simply, the General Data Protection law is the most recent in a chain of EU parliamentary measures designed to put the highest levels of protection around personal data.
From its charter: “The protection of natural persons in relation to the processing of personal data is a fundamental right” and this isn’t a big surprise for Europe, as they’re focused more on the “consumer-first” point of view while American laws and regulations tend to favor business.
There are actually six different ways that companies can legally justify using personal data:
With the individual’s unambiguous consent
“a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data, either by means of a statement or by a clear affirmative action.”
A common example of this would be processing an employee’s name, surname, and photograph to produce a company identification badge.
In the legitimate interest of the data controller
In the vital interests of the data subject
Recital 46 gives examples of vital interests and public interest as those which require processing for humanitarian purposes (to control epidemics, for example) and situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
In the public interest
For example, schools may obtain a central sex offenders’ registry clearance certificate, which is required for everyone who works with minors.
In compliance with legal obligations
Some companies are required to preserve data and documents for a period of 5 years in compliance with Article 25 of Law 34/2002, of 11 July, on information society and e-commerce services.
But this blog post isn’t about GDPR, it’s about those dang emails.
Now that companies are becoming GDPR compliant, it’s their responsibility to reach out to you if they’re unsure whether they properly received consent from you, and it’s not just the responsibility of companies located in the EU to reach out.
In fact, GDPR requires all companies who may have global customers to confirm consent.
Personally, I love the way that this aggressive inbox tap on the shoulder has been explained by Tiffany Li, a resident fellow at Yale Law School’s Information Society Project and former in-house counsel for the coding education startup General Assembly:
“I love the subject lines like ‘Please don’t leave us,’ ‘We value you,’” she says.
“The companies reaching out are like a bad boyfriend: They want you to stay, but they know they did something wrong.”
So, sure. It’s great that companies are reaching out and asking us to stick around, but other companies (we can think of them as ‘The Bad Boy Boyfriends’) who have avoided compliance are getting hit hard right now.
The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators, and Instagram with Belgian regulators as soon as the law went into effect at midnight.
The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.
These companies are reaching out because they have some sort of personal data stored for you. It’s a great opportunity to ‘break up’ with those companies who you no longer want to be linked to.
Unsubscribe from email lists and close accounts with companies who you no longer shop with (or use - I’m looking at you Ello) and make sure you know and are comfortable with those people you don’t. If you’re too slammed right now but understand the need to really look through these accounts and companies, consider creating an email folder for all of these emails.
You can go through that folder on the weekend or during the evening hours when you have some time.
Many of the emails I’ve read explain that they’ve added additional information and transparency to their policies.
And, in the spirit of being transparent with the new compliance, companies have also made it very clear in these emails whether or not you need to take any sort of action and if so, what to do to make sure you’re comfortable.
Indeed, for example, let me know that there wasn’t any further action I needed to take upon receiving the email - “By continuing to use our services, you agree to the updated terms.”
Ommwriter made it easy for me to unsubscribe if I no longer wanted to receive their emails by clicking a bold link under the signature, and Medium actually suggested that users reach out via email with their feedback if we were unsure or unclear as to what it means for users of the site. That’s a nice personal touch.
But, of Course That Doesn’t Stop the Internet From Cracking Jokes
Okay, I won’t spend a lot of time on this section but come on… the following are too good not to acknowledge…