Marketing biz bares folks' data in the act of asking for their GDPR comms preferences

An education sector marketing firm has committed a data breach – ironically, because it mass-mailed people asking them to update their GDPR communications preferences. Sprint Education sent an email earlier this week to one of its mailing lists asking recipients to update their mailing preferences. The lengthy message stated …

  1. Pascal Monett Silver badge

    Here we go again

    "we are an organisation that takes data protection and privacy with the utmost seriousness"

    Except when you don't, like when you set up a URL to specifically contain person-identifying data and not a single nitwit in your organization wakes up and says "hey, should we really be doing that?"

    But go ahead and trot out that threadbare carpet with the "we take your security seriously" embroidered on. It's not like that already hasn't been used to the bone, right?

  2. JimmyPage Silver badge

    "we are an organisation that takes data protection and privacy with the utmost seriousness"

    Until we have to pay for it ....

    We really need an "O'reilly ?"/"Chinny reckon" Icon ....

  3. Doctor Syntax Silver badge

    "From the very nature that we send teachers (corporate subscribers) a Data Collection and Fair Processing Notice before we begin actively processing their data and then that you resolved at a Preference Centre where they can manage their GDPR preferences, shows that we are an organisation that takes data protection and privacy with the utmost seriousness."

    It shows me that they can't write coherent English.

    1. Anonymous Coward

      The more complicated the language, the easier it is to trick someone into signing back up for spam, when they were intending to unsubscribe.

      One of our clients (well, their marketing department mostly), are desperate to get back some of the 'subscribers' they lost when GDPR came in, and keep trying to obfuscate their opt-out pages to make it more complicated. We've tried pointing out that some of these moves go against the GDPR (and remind them about the fines), but all they do is roll back and try and find another 'workaround'.

      I've heard that they tell customers in-store, that they have to sign up with their email address in order to receive their warranty, which I'm pretty sure is illegal.

  4. Doctor Syntax Silver badge

    "We process your data in line with all relevant laws" looks like weasel wording when they could have simply said "We obey all relevant laws". It's not the first time I've seen this sort of thing.

    1. Charlie Clark Silver badge

      To be fair, "processing" does have a specific meaning in GDPR, so I don't think the phrasing is that bad. You could also argue that such statements are generally unnecessary. After all, who's going to write "We don't follow the relevant laws when processing your data"?

      I'm less happy with the general approach of harvesting data and assuming legitimate interest is okay to assume consent. This is not my understanding, not even for professional communication where the rules are slightly different. Legitimate interest is usually used to allow companies to keep customer details on record even if permission for marketing communication has been denied.

  5. Andy McNish

    What about PECR breach?

    They better have had consent to contact or have already performed contractual services for these people or they will be breaching PECR (Privacy and electronic communications regs).

    Under the PECR, contacting someone via email or text whom you have bought in or scraped data on to ask them if you can market to them is itself classed as marketing and so is a breach unless you have had prior contractual dealings or specific consent.

    And unlike the GDPR there is no 'legitimate business interest' ground to allow for processing under PECR.

    1. mikejo

      Re: What about PECR breach?

      If these people were corporate subscribers, which it looks like they were, there's no PECR breach here.

      https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf

      ^

      Page 44

  6. Potemkine! Silver badge

    "we are an organisation that takes data protection and privacy with the utmost seriousness"

    We are serious, be sure we'll sell these data to anyone ready to pay for them.

  7. JCitizen

    Sprint sucks

    They've always been an incompetent company!
