Spamtraps and GDPR
In less than six months' time, GDPR will come fully into effect. This should be nothing new to you, and if you have never heard of GDPR, you should run down to your Legal Department and ask for information. Speaking of Legal: the author of this blog post is no lawyer, and everything written here is his own opinion.
What is GDPR?
The General Data Protection Regulation (EU 2016/679) is the new EU-wide data protection law. Adopted in 2016, it comes into effect on the 25th of May, 2018. If you are a European company or have customers in Europe, you need to be compliant with GDPR.
What are Spamtraps?
If you are reading this blog, I do not think we need to explain spamtraps. There are several posts on the subject already (e.g. this or this). I also think we can all agree that sending mail to spamtraps is bad. It can get your mail blocked or junked, which not only takes time and effort to resolve, but costs revenue in the process.
Sending mail to spamtraps, especially commercial mail, is illegal in most countries, because you usually have neither the consent of the spamtrap's operator nor an active customer relationship with them.
Spamtraps and transactional mail?
When we talk about transactional mail, we mean mails like order and shipping confirmations, online tickets or boarding passes, and ToC changes. These mails are cool, aren't they? The answer is of course … yes and no. Certainly a clean confirmation mail will not cause a huge blacklisting, or at least you can talk to the provider and resolve the issue faster than normal.
And here we are at the centre of this blog post: what about data protection, and the looming GDPR in particular? In the end, an email is a transfer of personally identifiable information (PII) to a third party. In an ideal world this would not bear any risk. But a transactional mail will most likely contain PII: in a confirmation mail it is only the email address, but an order confirmation will contain not just the postal address, but 'stuff this person buys' as well.
So you are sending PII to a third party. For transferring PII to third parties, you need the consent of the data subject or another legal basis to do so. Saying 'this is a customer of mine' is not enough, as the recipient of that mail is most likely not your customer, but a company that uses that address to identify senders of spam. To make matters worse, a lot of these providers are US-based. For transferring PII to the US, which is not a safe country in terms of data protection, you need consent from the data subject (for more information, refer to the EU Commission).
Depending on the general nature of your business, it is even possible that your transactional mail contains sensitive data. Sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life (Art 8(1), GDPR).
For transmitting these you need to do a Data Protection Impact Assessment (Art 35 GDPR), and you need to do that beforehand.
And please keep in mind that 'not knowing that this can happen' is not an excuse; you are still liable. There is even a legal principle for this, called Ignorantia juris non excusat.
GDPR provides for fines for violations of up to 20 million euros or 4% of yearly turnover. So there is a risk of being fined for sending PII to a spamtrap. How dire is the situation? That depends on whom you ask. While the ICO (Information Commissioner's Office) recently released a statement that putting huge fines in headlines is scaremongering and somewhat clickbait, German authorities are stating that they will use the fines to their full extent.
I personally think that the 20 million will not apply to transactional mail sent to spamtraps, but this again is just my opinion. It is still a risk which you should consider if you send transactional mail. Especially if your company deals with sensitive data, ask your management to have a look at this (common misconception: it is not your DPO or Legal Department that is responsible for GDPR compliance, it is your management).
Recommendations are difficult at this point, but a first step should be to verify your customers' data. Encourage your customers to create a login for your site and ask them to verify their email address.
I need to stress what I wrote at the beginning: if you have never heard of GDPR, get up to date as soon as possible, because time is running short.
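One way to act on that recommendation is to gate PII-bearing transactional mail behind address verification: an unverified address only ever receives a confirmation link, and the order details (postal address, purchased items) go out only after the recipient has proven they control the mailbox. The following is an added Python example, not code from this blog; it uses an HMAC-signed, time-limited verification token (a constructed secret, a hypothetical `https://shop.example/verify` URL and a constructed sample order), so that a token cannot be forged or reused for a different address, and a malformed or expired token leaves the customer unverified.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed secret for this example; a real service loads it from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 60 * 60  # a verification link should not live forever


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def make_verification_token(email: str, issued_at: Optional[int] = None) -> str:
    """Build an HMAC-signed, time-stamped token bound to exactly one address.

    Format: base64(email|timestamp) + "." + base64(hmac_sha256). The "." separator
    is safe because it is not part of the urlsafe base64 alphabet.
    """
    ts = int(time.time() if issued_at is None else issued_at)
    payload = f"{email.strip().lower()}|{ts}".encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def check_verification_token(token: str, email: str, now: Optional[int] = None) -> bool:
    """Return True only if the token is authentic, unexpired and issued for this address."""
    now = int(time.time() if now is None else now)
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        addr, ts_text = payload.decode("utf-8").rsplit("|", 1)
        ts = int(ts_text)
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token: treat as unverified
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered
    if addr != email.strip().lower():
        return False  # token was issued for a different address
    if not 0 <= now - ts <= TOKEN_TTL_SECONDS:
        return False  # expired, or a timestamp from the future
    return True


@dataclass
class Customer:
    email: str
    verified: bool = False


def build_order_mail(customer: Customer, order: dict) -> dict:
    """Compose the outgoing message; unverified addresses get the address-only variant."""
    if customer.verified:
        body = (
            f"Thank you for order {order['id']}.\n"
            f"Shipping to: {order['postal_address']}\n"
            f"Items: {', '.join(order['items'])}\n"
        )
    else:
        token = make_verification_token(customer.email)
        body = (
            "Please confirm your email address to receive the details of your order:\n"
            f"https://shop.example/verify?token={token}\n"  # hypothetical URL
        )
    return {"to": customer.email, "body": body}


def mark_verified(customer: Customer, token: str) -> Customer:
    """Flip the verified flag only when the presented token checks out."""
    if check_verification_token(token, customer.email):
        customer.verified = True
    return customer


if __name__ == "__main__":
    # Constructed sample order; postal address and items are the PII we want to withhold.
    order = {"id": "A-1001", "postal_address": "1 Example Street, Sample Town", "items": ["widget"]}
    alice = Customer("Alice@Example.org")
    print(build_order_mail(alice, order)["body"])  # confirmation link only, no order details
    mark_verified(alice, make_verification_token(alice.email))
    print(build_order_mail(alice, order)["body"])  # full order confirmation after verification
```

The key design point is that the only PII reaching an unverified (possibly spamtrap) address is the address itself, which that mailbox already holds; everything else waits until the token round trip succeeds. Rotating `SECRET_KEY` invalidates all outstanding links, which is the intended behaviour if the key is ever exposed.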