GDPR - anyone working in this area?


wombleh

1,796 posts

123 months

Tuesday 30th January 2018
I believe that an IP address only identifies an individual when combined with network access logs which link it to a user. However, don't tell the ECJ about 127.0.0.1 as that'll be a consent nightmare.

plasticpig

12,932 posts

226 months

Wednesday 31st January 2018
wombleh said:
I believe that an IP address only identifies an individual when combined with network access logs which link it to a user. However, don't tell the ECJ about 127.0.0.1 as that'll be a consent nightmare.
As I understand it a static IP address can be personal data without any logs. Domain names can also be personal data so presumably it should be possible to have Google (for example) stop storing cached results for DNS lookups for a personal domain.

wombleh

1,796 posts

123 months

Wednesday 31st January 2018
plasticpig said:
As I understand it a static IP address can be personal data without any logs. Domain names can also be personal data so presumably it should be possible to have Google (for example) stop storing cached results for DNS lookups for a personal domain.
Yeah, think so, that's what happens when non-technical people set the rules. Absolute farce and makes a mockery of serious efforts by turning it into a pointless box-ticking exercise that just increases the cost of doing business to no benefit. Mind you, that describes 3/4 of the IT security industry these days so I guess it's at least on trend.

K50 DEL

9,237 posts

229 months

Wednesday 31st January 2018
DELETED: Comment made by a member who's account has been deleted.
This is proving to be our issue I think.... In the hope of moving things on a bit, we're going to download a copy of a GDPR data protection policy and make sure we comply with it, this at least will get people talking and give them something tangible to work to....

I'm beginning to despair of ever getting this sorted if I'm honest!

plasticpig

12,932 posts

226 months

Wednesday 31st January 2018
DELETED: Comment made by a member who's account has been deleted.
The right to erasure is the issue in this instance though. I have not given consent to Google to process my personal domain that uniquely identifies me by just the domain name. There are mechanisms in place for me to tell Google that I don't want them to process my website and show it in its search results though.

AFAIK there is no mechanism in place for me to tell Google that I don't want it to process my domain or store it in the cache for its public DNS servers.

EddieSteadyGo

11,985 posts

204 months

Wednesday 31st January 2018
Interested to hear thoughts on this one...

Let's say a visitor to a website decides to use a company's livechat service in order to ask a question. Let's assume the customer has to enter their email address in order to use the service. There would be a tick box link at the bottom of the chat window saying something along the lines that use of the service grants permission to use the customer's information in accordance with the company's privacy policy.

On the hyperlinked privacy policy there would be specific wording to say that consent is being given to allow the customer's email addresses to be contacted with what the company believes would be relevant products and services. The customer can opt out at any time by clicking an unsubscribe link.

Whilst in the above scenario the company perhaps could do more to make it clear it would like to use the email address provided to remain in touch with the customer, I am wondering if this would pass a minimum GDPR threshold for using a customer's email address for the company's marketing purposes?

pmanson

13,382 posts

254 months

Wednesday 31st January 2018
EddieSteadyGo said:
Interested to hear thoughts on this one...

Let's say a visitor to a website decides to use a company's livechat service in order to ask a question. Let's assume the customer has to enter their email address in order to use the service. There would be a tick box link at the bottom of the chat window saying something along the lines that use of the service grants permission to use the customer's information in accordance with the company's privacy policy.

On the hyperlinked privacy policy there would be specific wording to say that consent is being given to allow the customer's email addresses to be contacted with what the company believes would be relevant products and services. The customer can opt out at any time by clicking an unsubscribe link.

Whilst in the above scenario the company perhaps could do more to make it clear it would like to use the email address provided to remain in touch with the customer, I am wondering if this would pass a minimum GDPR threshold for using a customer's email address for the company's marketing purposes?
What you could do is add in a double opt-in process to this. So that the first email they receive is asking them to confirm their subscription. Those that do, automatically go into a welcome/nursery journey. Those that don't will not receive future comms

You'll need to be explicit about what type of comms you are sending them - news or offers (or both).
Ensure that your emails have an unsub link top and bottom etc

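The double opt-in pmanson describes, as an added example that is not code from this thread or from any product mentioned in it. The names (ConsentStore, issue_confirmation, confirm, may_send, unsubscribe), the purpose labels "news" and "offers", and the 48-hour link lifetime are all assumptions for illustration. The point it makes: the address typed into live chat is never added to a marketing list by itself; a signed, time-limited confirmation link goes to that address, and only a click on it creates a consent record stating what was agreed to, where the address came from and when.

```python
"""Double opt-in for marketing e-mail: signed confirmation token plus a
purpose-scoped consent record. Added example; names and values are assumed."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Server-side key (assumed; in production load it from a secrets manager).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600          # confirmation links expire after two days

@dataclass
class ConsentRecord:
    email: str
    purposes: tuple        # what they agreed to receive, e.g. ("news", "offers")
    source: str            # where the address was collected, e.g. "livechat"
    confirmed_at: int      # unix time of the confirming click

@dataclass
class ConsentStore:
    confirmed: dict = field(default_factory=dict)   # email -> ConsentRecord

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(payload: bytes) -> str:
    # HMAC over the whole payload: nobody can mint a confirmation for an
    # address they do not control, or widen the purposes after issue.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_confirmation(email, purposes, source, now=None):
    """Step 1: build the token for the 'please confirm your subscription' link.
    Nothing is written to the marketing list at this point."""
    now = int(time.time() if now is None else now)
    payload = "|".join([email, ",".join(purposes), source,
                        str(now + TOKEN_TTL_SECONDS)]).encode()
    return _b64(payload) + "." + _sign(payload)

def confirm(store, token, now=None):
    """Step 2: the click. Returns the ConsentRecord on success, None for a
    forged, tampered or expired token. The record is created here and only here."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None            # not issued by us, or edited after issue
    email, purposes, source, expiry = payload.decode().split("|")
    if now > int(expiry):
        return None            # stale link; the user has to ask again
    rec = ConsentRecord(email, tuple(purposes.split(",")), source, now)
    store.confirmed[email] = rec
    return rec

def may_send(store, email, purpose):
    """Send-time gate: only confirmed addresses, and only for the purpose confirmed."""
    rec = store.confirmed.get(email)
    return rec is not None and purpose in rec.purposes

def unsubscribe(store, email):
    """Opt-out: drop the record so the gate fails from now on."""
    store.confirmed.pop(email, None)

if __name__ == "__main__":
    store = ConsentStore()
    token = issue_confirmation("alice@example.com", ("news", "offers"), "livechat")
    # ... token is mailed; until the click, may_send() is False ...
    print(confirm(store, token))
    print(may_send(store, "alice@example.com", "offers"))
```

The consent record, not the address, is what the send path consults, so an address collected for one purpose (live chat) cannot silently become a marketing address. Keeping the record (purpose, source, timestamp) is also what lets you answer "when and how did this person agree?" later.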
EddieSteadyGo

11,985 posts

204 months

Wednesday 31st January 2018
pmanson said:
What you could do is add in a double opt-in process to this. So that the first email they receive is asking them to confirm their subscription. Those that do, automatically go into a welcome/nursery journey. Those that don't will not receive future comms

You'll need to be explicit about what type of comms you are sending them - news or offers (or both).
Ensure that your emails have an unsub link top and bottom etc
I agree you are describing best practice but in reality, in the scenario I outlined, no-one is likely to click the second opt-in link. Hence why I was wondering if the specific provisions I mentioned in the scenario are likely to meet a minimum GDPR threshold - what do you think?

plasticpig

12,932 posts

226 months

Wednesday 31st January 2018
EddieSteadyGo said:
I agree you are describing best practice but in reality, in the scenario I outlined, no-one is likely to click the second opt-in link. Hence why I was wondering if the specific provisions I mentioned in the scenario are likely to meet a minimum GDPR threshold - what do you think?
Not a cat in hells chance. Falls way below IMHO.


EddieSteadyGo

11,985 posts

204 months

Wednesday 31st January 2018
plasticpig said:
EddieSteadyGo said:
I agree you are describing best practice but in reality, in the scenario I outlined, no-one is likely to click the second opt-in link. Hence why I was wondering if the specific provisions I mentioned in the scenario are likely to meet a minimum GDPR threshold - what do you think?
Not a cat in hells chance. Falls way below IMHO.
Well, how about this then as a comparison with how fast and loose many very large companies act. Just this second I have received an SMS message from a BMW dealer, sent to my personal mobile with some bullst offer which I never asked for. Now to get it to stop I have to text "YESSJBMWSTOP" to 60777 to "opt-out" when I never opted in.

Edited to add: and when sending the SMS message with the correct syntax, my phone warned me that SMS messages to 60777 are chargeable and not included in a call plan.

Edited by EddieSteadyGo on Wednesday 31st January 14:07

plasticpig

12,932 posts

226 months

Wednesday 31st January 2018
EddieSteadyGo said:
Well, how about this then as a comparison with how fast and loose many very large companies act. Just this second I have received an SMS message from a BMW dealer, sent to my personal mobile with some bullst offer which I never asked for. Now to get it to stop I have to text "YESSJBMWSTOP" to 60777 to "opt-out" when I never opted in.

Edited to add: and when sending the SMS message with the correct syntax, my phone warned me that SMS messages to 60777 are chargeable and not included in a call plan.

Edited by EddieSteadyGo on Wednesday 31st January 14:07
They will be taking a higher risk under GDPR. Currently a lot of marketing is relying on implicit consent. With GDPR you have to get explicit consent. Stating exactly what the information will be used for. Hiding that detail behind a link won't cut it.


CzechItOut

2,154 posts

192 months

Wednesday 31st January 2018
EddieSteadyGo said:
Interested to hear thoughts on this one...

On the hyperlinked privacy policy there would be specific wording to say that consent is being given to allow the customer's email addresses to be contacted with what the company believes would be relevant products and services. The customer can opt out at any time by clicking an unsubscribe link.
My interpretation is that you will no longer be able to hide clauses in long T&Cs or privacy policies. So if you want to collect an email address for live chat access and then subsequently use that for marketing purposes, you have to inform the user at the point of collection, and presumably for an email it has to be opt-in rather than opt-out.

wombleh

1,796 posts

123 months

Wednesday 31st January 2018
plasticpig said:
AFAIK there is no mechanism in place for me to tell Google that I don't want it to process my domain or store it in the cache for its public DNS servers.
No and nor should there be. It's a public address and DNS is fundamental infrastructure to make the internet work. When we start having legislation interfere with technical systems it's not going to end well.

964Cup

1,443 posts

238 months

Wednesday 31st January 2018
plasticpig said:
EddieSteadyGo said:
Well, how about this then as a comparison with how fast and loose many very large companies act. Just this second I have received an SMS message from a BMW dealer, sent to my personal mobile with some bullst offer which I never asked for. Now to get it to stop I have to text "YESSJBMWSTOP" to 60777 to "opt-out" when I never opted in.

Edited to add: and when sending the SMS message with the correct syntax, my phone warned me that SMS messages to 60777 are chargeable and not included in a call plan.

Edited by EddieSteadyGo on Wednesday 31st January 14:07
They will be taking a higher risk under GDPR. Currently a lot of marketing is relying on implicit consent. With GDPR you have to get explicit consent. Stating exactly what the information will be used for. Hiding that detail behind a link won't cut it.
I don't want to p*ss on anyone's chips, but this is precisely the misunderstanding of GDPR that has everyone barking up the wrong trees.

First of all, this is primarily not a GDPR issue, it's a PECR issue. That is the Privacy and Electronic Communications Regulation, which covers the use of electronic communications for marketing purposes. It has been the case since 2003 that you require consent to send marketing (including charity fundraising) communication to individuals by email, text or fax.

There is a wrinkle to this. If you have bought something from a vendor and provided them with an electronic communications address as part of that transaction, they have the right under PECR to send you marketing material for similar products or services WITHOUT requiring a specific opt-in, provided they give you a means of opting-out as part of every communication.

So if you have ever bought anything from this dealer, and you gave them your mobile number at some point during that process, then even if they didn't at some point get your consent (possibly in some sneaky fashion, see below) they are still operating legally provided they obey your opt-out.

They cannot, using this entitlement, pass your details on to anyone else, or process your data for other purposes, or try to sell you anything not closely linked to the original purchased item.

Where the GDPR comes in, and it's only tangential here, is that it clarifies for all data-processing purposes the necessary clarity of consent - so burying a consent for marketing, data-sharing and so on in the small print on page 27 of a PCP agreement, for instance, is no longer OK.

BUT - and this is critical - no-one needs your consent to market to you. If they want to send you physical post, or phone you (provided the call is hand-dialed), they can do that without needing your consent provided you have not previously opted-out (including the MPS and TPS services) and they offer you an opt-out in the communication. They will be doing this marketing on the basis of a "legitimate interest" justification (this is Article 6.1f of GDPR, for the nerds) and will claim that they have made a balanced assessment of their interests in generating business for themselves versus your right of privacy over your name, address and phone number.

When and if the new ePrivacy Regulation replaces PECR, this will not change. It just broadens the definition of electronic communication so that things like Facebook and Twitter are covered as well as email and text.

What many people are struggling to grasp is that the GDPR is not a revolutionary re-invention of data protection. Pretty well all of the key provisions of the GDPR were already in the 1998 Data Protection Act. What the GDPR does is hugely enhance the requirement for transparency in collection and processing - so now you have to tell the data subject what you're up to, in clear and obvious detail, rather than registering as a data controller with the ICO, and you have to make consents, and opt-outs, and notifications of transfer, and so on clear and unequivocal, and ensure that the data subject cannot avoid seeing them. There has been no substantive change to the requirement for consent, just a significant enhancement of what it means to get that consent, and the regulator has been at pains to remind data controllers that there are 6 different justifications for processing of which consent is not only just one, but often not the right one.

The main effect of the GDPR in my experience has been that organisations are finally doing what they should have been doing for the past (almost) 20 years, and paying attention to the key principles of data protection - notably data minimisation, least privilege, appropriate justification and limited retention - under the banner (and cosh) of GDPR compliance. Some parts of some organisations are having trouble with the new stuff - notably Article 14 notification of data received about the data subject from other sources - but that's often because what they have been doing is, frankly, a bit creepy and now they have to tell people about it.

[/rant]

964Cup

1,443 posts

238 months

Wednesday 31st January 2018
More ranting here on the same theme: https://blog.rappidly.com/2017/12/12/y2k-wasnt-a-r...

EddieSteadyGo

11,985 posts

204 months

Wednesday 31st January 2018
964Cup said:
I don't want to p*ss on anyone's chips, but this is precisely the misunderstanding of GDPR that has everyone barking up the wrong trees.

First of all, this is primarily not a GDPR issue, it's a PECR issue. That is the Privacy and Electronic Communications Regulation, which covers the use of electronic communications for marketing purposes. It has been the case since 2003 that you require consent to send marketing (including charity fundraising) communication to individuals by email, text or fax.

There is a wrinkle to this. If you have bought something from a vendor and provided them with an electronic communications address as part of that transaction, they have the right under PECR to send you marketing material for similar products or services WITHOUT requiring a specific opt-in, provided they give you a means of opting-out as part of every communication.

So if you have ever bought anything from this dealer, and you gave them your mobile number at some point during that process, then even if they didn't at some point get your consent (possibly in some sneaky fashion, see below) they are still operating legally provided they obey your opt-out.

They cannot, using this entitlement, pass your details on to anyone else, or process your data for other purposes, or try to sell you anything not closely linked to the original purchased item.

Where the GDPR comes in, and it's only tangential here, is that it clarifies for all data-processing purposes the necessary clarity of consent - so burying a consent for marketing, data-sharing and so on in the small print on page 27 of a PCP agreement, for instance, is no longer OK.

BUT - and this is critical - no-one needs your consent to market to you. If they want to send you physical post, or phone you (provided the call is hand-dialed), they can do that without needing your consent provided you have not previously opted-out (including the MPS and TPS services) and they offer you an opt-out in the communication. They will be doing this marketing on the basis of a "legitimate interest" justification (this is Article 6.1f of GDPR, for the nerds) and will claim that they have made a balanced assessment of their interests in generating business for themselves versus your right of privacy over your name, address and phone number.

When and if the new ePrivacy Regulation replaces PECR, this will not change. It just broadens the definition of electronic communication so that things like Facebook and Twitter are covered as well as email and text.

What many people are struggling to grasp is that the GDPR is not a revolutionary re-invention of data protection. Pretty well all of the key provisions of the GDPR were already in the 1998 Data Protection Act. What the GDPR does is hugely enhance the requirement for transparency in collection and processing - so now you have to tell the data subject what you're up to, in clear and obvious detail, rather than registering as a data controller with the ICO, and you have to make consents, and opt-outs, and notifications of transfer, and so on clear and unequivocal, and ensure that the data subject cannot avoid seeing them. There has been no substantive change to the requirement for consent, just a significant enhancement of what it means to get that consent, and the regulator has been at pains to remind data controllers that there are 6 different justifications for processing of which consent is not only just one, but often not the right one.

The main effect of the GDPR in my experience has been that organisations are finally doing what they should have been doing for the past (almost) 20 years, and paying attention to the key principles of data protection - notably data minimisation, least privilege, appropriate justification and limited retention - under the banner (and cosh) of GDPR compliance. Some parts of some organisations are having trouble with the new stuff - notably Article 14 notification of data received about the data subject from other sources - but that's often because what they have been doing is, frankly, a bit creepy and now they have to tell people about it.

[/rant]
Very interesting post. Just a couple of follow up points.

Firstly, when you said this, "no-one needs your consent to market to you. If they want to send you physical post, or phone you (provided the call is hand-dialed), they can do that without needing your consent provided you have not previously opted-out", does that also apply to email marketing?

More specifically, using my live-chat example from earlier, if you enquired on a company's live-chat asking about a widget, and then the company sent you a follow up email a couple of days later with an email about 'how to keep the widget clean' or 'how best to use the widget', is that compliant with PECR even if the company hadn't made it explicitly clear that is what they might do?

By the way, on the BMW dealer SMS message, I have never purchased anything from the BMW dealer. I did phone the dealer in question a few weeks ago (from my mobile phone) asking if they had a certain model of car in their showroom. They didn't have the car in question so I didn't bother going in to see them. But they harvested my mobile number anyway and added it to their marketing database. Is that legitimate as I didn't think it would be?

964Cup

1,443 posts

238 months

Wednesday 31st January 2018
EddieSteadyGo said:
Very interesting post. Just a couple of follow up points.

Firstly, when you said this, "no-one needs your consent to market to you. If they want to send you physical post, or phone you (provided the call is hand-dialed), they can do that without needing your consent provided you have not previously opted-out", does that also apply to email marketing?
No. That's the whole point of PECR. They need your specific consent to use email as a marketing channel.

EddieSteadyGo said:
More specifically, using my live-chat example from earlier, if you enquired on a company's live-chat asking about a widget, and then the company sent you a follow up email a couple of days later with an email about 'how to keep the widget clean' or 'how best to use the widget', is that compliant with PECR even if the company hadn't made it explicitly clear that is what they might do?
It would depend on the consent that you agreed to when you provided your email address as part of the live chat. Right now PECR consent standards aren't high; that does change with the general focus on clarity, transparency, specific purpose and limitation of duration requirements in GDPR.

EddieSteadyGo said:
By the way, on the BMW dealer SMS message, I have never purchased anything from the BMW dealer. I did phone the dealer in question a few weeks ago (from my mobile phone) asking if they had a certain model of car in their showroom. They didn't have it, so I didn't bother going in to see them. Is that legitimate as I didn't think it would be?
Nope. That's illegal under PECR if that's the only contact you've had with them. Calling you would have been fine, by the way, but texting you is out. You would be within your rights to complain both to the dealership and to the ICO.

EddieSteadyGo

11,985 posts

204 months

Wednesday 31st January 2018
Thanks 964Cup - I appreciate your reply. You really know your stuff on this topic!

964Cup

1,443 posts

238 months

Wednesday 31st January 2018
EddieSteadyGo said:
Thanks 964Cup - I appreciate your reply. You really know your stuff on this topic!
Thanks. Actually - a clarification: there is also another dodge that may apply here. In your live chat example, if the follow-ups from the company were (clearly) instructions for use, rather than overt marketing, then they wouldn't be covered under PECR and would be permissible, even under the new regime. PECR only applies to marcoms; they would say this was instructional and a continuation of their customer service engagement with you, and probably justify it under legitimate interest rather than consent. The ICO has taken a dim view of disguised marketing, but would not object if they were (at least ostensibly) trying to provide customer support. There would still have to be opt-out instructions in the email, since you always have the right to ask controllers/processors to stop processing your information if it's being done under consent or legitimate interest.

964Cup

1,443 posts

238 months

Wednesday 31st January 2018
DELETED: Comment made by a member who's account has been deleted.
Imagine the fun if we don't get an adequacy decision. Thanks to Mrs May's charming IPA (not a beer) this remains a real possibility.