GDPR
Rick Murray (539) 13855 posts
I’ve just received, somewhat late, an email from Deezer (I used to get it with my orange subscription) stating all the wonderful new things, by the way we value your privacy, blah blah. The small print at the bottom:
Uh, yeah. Remind me why ROOL and CJE and others specifically asked me for permission to continue holding information on me if it would suffice to just fall back on the usual “if you do nothing we’ll assume you’re okay with this” excuse? I’d expect something like this from an American outfit, but a French company? Pffft…
Steve Fryatt (216) 2106 posts
Because they overreacted, or were sailing close to the wind beforehand?

As I pointed out to Chris when he was mourning the demise of his mailing list over on the newsgroups, the consent that he was requesting would already have been on file if he had been operating the list according to the Information Commissioner’s Office’s “best practice” guidance which had been in place for many years (and perhaps even the email marketing legislation from 2003, which goes slightly beyond “guidance” and into the realm of “legal requirement”).

I can’t track ROOL’s email down at present, but wasn’t it roughly “we’ll have to stop telling you about updates to the software that you’ve paid for”?

In CJE’s case, the email was completely unnecessary if CJE had requested explicit permission before adding anyone to the list, and then retained that permission on file. Equally, it would have been unnecessary (by the GDPR, at least) if all the addresses were from customers, and CJE claimed a basis of “legitimate interest” in notifying them of new offers, which is something that the ICO highlight, IIRC.

In ROOL’s case, a basis of “contract” would seem to have been a good reason for emailing customers about updates that they had paid for. Failing that, “legitimate interest” would also seem to have been viable, IMHO.

Going for positive consent again appears to be a good indicator that either a company wasn’t sure of the provenance of their email lists (or underlying data), or that they hadn’t bothered to read the ICO’s guidance on how to implement the GDPR (and that’s coming from someone who sent just that kind of an email out to a largeish number of theatre-goers back in May).