A new European Union privacy regulation is resulting in a flood of e-mails to US residents. This bombardment has been confusing and annoying but may have value.
The General Data Privacy Regulation or GDPR is the most comprehensive data privacy law in the world. Among other requirements, businesses that process personal data of EU residents or target EU residents via marketing and/or websites must:
- Update privacy policies to notify consumers of much greater rights with respect to their personal data, such as the right to object or revoke consent to processing and the right to receive a copy of all personal data maintained or used by the business.
- Have a legitimate business purpose to use personal data or obtain the consumer’s consent to do so.
These requirements do not apply directly to US residents. Some large companies, such as Google, Apple, and Facebook, are offering certain GDPR protections to US residents. These decisions are due in part to consumer backlash against recent data breach and privacy leak scandals and may relate to systemwide changes implemented by worldwide companies. Other companies may be less sophisticated and may be sending e-mails to all consumers out of an abundance of caution.
These e-mails are generally intended to:
- Notify you of changes in privacy policies; and/or
- Obtain your consent to continue e-mail marketing to you.
As a result of these blanketing efforts, many US residents are hearing from companies and websites with whom they may not have done business or have not done business for years. The impulse is to delete these e-mails. The effect of deleting the e-mails should be to free you from continuing to receive e-mail marketing from these companies.
But the e-mails have an additional significance: these companies have your personal information and are using it. It may be worth the exercise to look at these revised privacy policies to find out how your information is being used-and shared- and to opt out of such use and sharing as appropriate. Further, if the sender is offering you certain GDPR protections that may not otherwise be available to you, it may be wise to find out what your rights are.
Also important: these companies may disclose how they are using your personal data to target behavioral advertising to you and may offer you the ability to opt out of such use and advertising. If you keep seeing ads on Facebook for shoes that you put in your Amazon cart, or any ads across websites, your online activity may be being tracked and used to market directly to you.
Although intended to ensure compliance with GDPR, this e-mail overload may actually violate the GDPR when it applies. Arguably, you have to have consent to send the e-mail requesting consent. Moreover, if the sender is not required to get your consent but sends you an e-mail requesting consent, the language of the e-mail may serve to limit the sender’s ability to continue e-mail marketing to you, even if GDPR does not apply.
At the end of the day, it is clear that both senders and recipients are confused by the purpose of the GDPR e-mails. At the very least, they are confusing to US residents. But they may offer you some benefits that may be worth wading through the e-mails and related privacy policies to see how your personal data is used and what your rights are with respect to your personal data.
Paige Boshell is a cyber and privacy attorney and owner of Privacy Counsel LLC. She is a Fellow of Information Privacy and ISO-certified as an International Association of Privacy Professional CIPP/US (United States law), CIPP/E (European law), and CIPM (privacy management). She is a Best Lawyers attorney. You may find Privacy Counsel LLC at privacycounselllc.com or on Twitter @PrivacyCoLLC and Paige Boshell on LinkedIn.