In less than six months' time, the GDPR will come fully into effect. This should be nothing new to you, and if you have never heard of the GDPR, run down to your legal department and ask for information. Speaking of legal: the author of this blog post is not a lawyer, and everything written here is his own opinion.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is the new EU-wide data protection law. It was adopted in 2016 and applies from 25 May 2018. If you are a European company, or you process the personal data of people in the EU, you need to be compliant with the GDPR.
What are Spamtraps?
I do not think we need to explain spamtraps to readers of this blog; there are several earlier posts about them (e.g. this or this). I also think we can all agree that sending mail to spamtraps is bad. It can get your mail blocked or junked, which not only takes time and effort to resolve but costs revenue in the process.
Sending mail to spamtraps, especially commercial mail, is illegal in many jurisdictions, because you usually have neither the consent of the operator of that spamtrap nor an active customer relationship with them.
Spamtraps and transactional mail?
When we talk about transactional mail, we mean messages such as order and shipping confirmations, online tickets or boarding passes, and terms-and-conditions changes. These mails are fine, aren't they? The answer is, of course, yes and no. A clean confirmation mail will certainly not cause a major blacklisting, or at least you can talk to the provider and resolve the issue faster than usual.
But …?
And here we are at the centre of this blog post: what about data protection, and the looming GDPR in particular? In the end, an email is a transfer of personally identifiable information (PII; the GDPR's own term is 'personal data') to a third party. In an ideal world this would carry no risk. But a transactional mail will most likely contain PII: in a plain confirmation mail it is only the email address, but an order confirmation will contain not just the postal address but also 'the stuff this person buys'.
So you are sending PII to a third party. For transferring PII to third parties you need the consent of the data subject or another legal basis. Saying 'this is a customer of mine' is not enough, because the recipient of that mail is most likely not your customer but a company that uses the address to identify senders of spam. To make matters worse, many spamtrap operators are US-based. The EU has not recognised the US as providing an adequate level of data protection, so a transfer there needs an appropriate safeguard under Chapter V of the GDPR, such as the explicit consent of the data subject (for more information, see the EU Commission's pages on international transfers).
Depending on the nature of your business, your transactional mail may even contain special categories of personal data ('sensitive data'): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation (Art. 9(1) GDPR).
Processing such data on a large scale requires a data protection impact assessment (Art. 35(1) and 35(3)(b) GDPR), and it has to be carried out before the processing starts, not after the fact.
And please keep in mind that 'I did not know this could happen' is not an excuse; you are still liable. There is even a legal principle for this: ignorantia juris non excusat.
Consequences?
The GDPR provides for fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5) GDPR). So there is a risk of being fined for sending PII to a spamtrap. How dire is the situation? That depends on whom you ask. While the ICO (the UK's Information Commissioner's Office) recently said that putting huge fines in headlines is scaremongering and somewhat clickbait, German authorities have stated that they will use the fines to their full extent.
I personally think the 20 million will not apply to transactional mail sent to spamtraps, but again, that is just my opinion. It is still a risk you should consider if you send transactional mail, especially if your company handles sensitive data. Ask your management to look at this (a common misconception: it is not your DPO or legal department that is responsible for GDPR compliance, it is your management).
Recommendation?
Recommendations are difficult at this point, but one first step should be to verify your customers' data. Encourage customers to create a login for your site, send a confirmation link to the address they entered, and treat the address as verified only once that link has been used. Mail that carries order details should go only to verified addresses; an unverified address should receive nothing but the confirmation request.
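As an added illustration of that recommendation (this is example code written for this edit, not code from the original post), the following shows a confirmed-opt-in gate in front of transactional mail: a verification link carries only a signed, expiring token bound to the entered address, and a message containing order details is handed to the mailer only once the address has been confirmed. The signing secret, the verification URL, the token lifetime and the sample addresses are all assumptions made for the example; nothing here is sent, the functions return the message that would go to the MTA.

```python
"""Confirmed opt-in gate for transactional mail (added example, not the post's code).

Scenario, constructed for this example: a shop records an email address at
checkout. Until the customer has used the verification link, the shop sends
nothing but that link. Only a confirmed address receives mail containing
order data (postal address, items bought), so a typo trap or recycled
mailbox never sees PII beyond the address itself.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumptions for the example: in production load the key from a secret store.
SECRET = b"example-only-signing-key-change-me"
TOKEN_TTL = 24 * 3600                          # links expire after one day
VERIFY_URL = "https://shop.example/verify?t="  # hypothetical endpoint


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, now: float, secret: bytes = SECRET) -> str:
    """Return an opaque token bound to one address and an expiry time.

    Layout: b64(email).b64(expiry).b64(HMAC-SHA256(secret, email|expiry)).
    The token carries only the address and the expiry, so a verification mail
    that lands in a trap mailbox discloses no order data.
    """
    expiry = str(int(now) + TOKEN_TTL).encode()
    mac = hmac.new(secret, email.encode() + b"|" + expiry, hashlib.sha256).digest()
    return ".".join((_b64(email.encode()), _b64(expiry), _b64(mac)))


def verify_token(token: str, now: float, secret: bytes = SECRET):
    """Return the confirmed address, or None if the token is forged, damaged or stale."""
    try:
        email_b, expiry_b, mac_b = token.split(".")
        email, expiry, mac = _unb64(email_b), _unb64(expiry_b), _unb64(mac_b)
    except ValueError:            # wrong part count or invalid base64
        return None
    expected = hmac.new(secret, email + b"|" + expiry, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time; rejects any edit
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    try:
        return email.decode("utf-8")
    except UnicodeDecodeError:
        return None


@dataclass
class AddressBook:
    """Verification state per address, exactly as the customer typed it."""
    verified: dict = field(default_factory=dict)   # email -> confirmed_at

    def confirm(self, token: str, now: float) -> bool:
        """Called by the verify endpoint; marks the address only on a valid token."""
        email = verify_token(token, now)
        if email is None:
            return False
        self.verified[email] = now
        return True

    def is_verified(self, email: str) -> bool:
        return email in self.verified


def send_transactional(book: AddressBook, email: str, body: str, now: float) -> dict:
    """Build the message the MTA would get: order details only for a confirmed address.

    An unconfirmed address gets a verification request whose body contains the
    address (inside the token) and nothing else about the customer.
    """
    if book.is_verified(email):
        return {"to": email, "subject": "Your order confirmation", "body": body}
    return {"to": email,
            "subject": "Please confirm your email address",
            "body": "Confirm here: " + VERIFY_URL + issue_token(email, now)}


if __name__ == "__main__":
    now = 1_700_000_000.0
    book = AddressBook()
    order = "Order #123 ships to Alice, 1 Main St, Exampletown"   # constructed PII
    # Typo at checkout: this address may be someone else's, or a typo trap.
    print(send_transactional(book, "alice@exmaple.com", order, now)["subject"])
    # Correct address, link clicked: the confirmation may now carry order data.
    book.confirm(issue_token("alice@example.com", now), now + 60)
    print(send_transactional(book, "alice@example.com", order, now)["subject"])
```

The design point worth noting is the separation of the two mail types: the verification request is the only thing an unconfirmed address ever receives, and its body is built from the token alone, so whatever ends up in a trap mailbox is the address the sender already had plus a MAC. Tampering with the expiry part of a token to extend it fails the MAC check, and a recycled mailbox still holds a confirmation from years ago; re-confirming after some age is a natural extension but is not implemented here.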
*Edit since original publication: for further reading, see the article GDPR – Five Myths Debunked or this guide by the ICO.
I need to stress what I wrote at the beginning: if you have never heard of the GDPR, get up to date as soon as possible, time is running short.
9 replies on “Spamtraps and GDPR”
Excellent post! Thank you!
What do you make of the case discussed here, Mathias?
http://mainsleaze.spambouncer.org/finnair-massive-failure-in-personal-data-processing/
This is exactly what I am talking about. This is (at least in Germany) illegal right now and will be when the GDPR comes into effect.
What makes this case even worse is the potential for editing the flight information. When an airline sends me the confirmation, a bad actor has everything he needs to alter my flight (booking ID and last name). Funny story: I had a similar case where somebody who maintains spamtraps called me and told me that he had received boarding information from one of my customers.
Cheers,
Mathias
Hi Mathias,
what use cases are you thinking of when you talk about sending transactional messages to a spamtrap? The only thing I can think of is typos by the submitter, the person who made the transaction. I can't imagine that a company gets fined only because of a user's typo.
Kind regards,
Ewald Kessler
Hey Ewald, exactly. Typo traps are the most common occurrence of such cases. But there are also people who deliberately enter false data.
You are right, this hopefully will not lead to major fines, but the risk is there and should be assessed.
Cheers,
Mathias
I don’t see the relation between GDPR and spamtrap here, can you explicit your thought a bit more?
Hey Benjamin, let's stick to the order confirmation. An order confirmation contains personally identifiable information (PII). Sending that mail is a data transfer, which is data processing; therefore the GDPR applies. In most cases this is not a problem, because you are transferring this data in connection with a purchase. But, and this is the core of this article, transferring this PII to someone else, like a typo trap, is not legal.
This is exactly what confuses me: why would anyone deliberately transfer someone's PII to a spamtrap?
So the GDPR highlights the responsibility of the data controller to do things properly: verify the email address of the client who has just purchased something. Let's say someone registered on the e-commerce website 3 years ago with an email address that was verified at that point, then never used it since. Then the guy abandoned it. Then it was recycled as a spamtrap.
The guy logs in to the e-commerce website with it (or another login) today, purchases something, and blam, the order confirmation is sent to a spamtrap / third party.
So here the e-commerce website had _no_ opportunity to "maintain" the status of the email address. And actually, it's the spamtrap operator who could be considered as interfering with access to PII, involuntarily impersonating the guy. I doubt the e-commerce website would be considered guilty of anything here.
If we're only talking about a typo trap, confirmed opt-in is yet again the way to go to prevent this; that's just another bullet in its favour. And clearly, the website would not have put in place enough measures to prevent this from happening.
You wouldn't do it on purpose, but if you have the wrong email address on file (as could be the case if the user mistyped their address), then you are not sending the order confirmation to that user but potentially to a spamtrap (or worse, another real person) instead.