What Should I Do With All These Privacy Policy Emails?

Your inbox is a sacred place but, if you’re like the rest of us, last week, it was infiltrated by an onslaught of “privacy policy” emails from companies.

The emails likely came from companies you’ve purchased products/services from online or you’ve submitted your email address to subscribe to a newsletter.

Or, if you’re like me, companies you engaged with eons ago and then promptly forgot existed…

What? I’m a sucker for a ‘Sign up and receive 10% off!’ deal.

So, why are they emailing you now?
Well, on May 25th, the General Data Protection Regulation (GDPR) law officially came into effect, so it was time for companies to take action in order to be compliant.

But before we dive into what you can (and possibly should) do about these emails, let’s back up a second…

What is The General Data Protection Regulation (GDPR)?

Put simply, the General Data Protection law is the most recent in a chain of EU parliamentary measures designed to put the highest levels of protection around personal data.

From its charter: “The protection of natural persons in relation to the processing of personal data is a fundamental right”and this isn’t a big surprise for Europe as they’re focused more on the “consumer-first” point of view while American laws and regulations tend to favor business.

There are actually six different ways that companies can legally justify using personal data:

1. With the individual’s unambiguous consent
1. “a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data, either by means of a statement or by a clear affirmative action.”
2. Contractual obligation
1. A common example of this would be processing an employee’s name, surname, and photograph to produce a company identification badge.
3. In the legitimate interest of the data controller
4. In the vital interests of the data subject
1. Recital 46 gives examples of vital interests and public interest as those which require processing for humanitarian purposes (to control epidemics, for example) and situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
5. In the public interest
1. For example, schools may obtain a central sex offenders’ registry clearance certificate, which is required for everyone who works with minors.
6. In compliance with legal obligations
1. Some companies are required to preserve data and documents for a period of 5 years in compliance with Article 25 of Law 34/2002, of 11 July, on information society and e-commerce services.

Psst… if you’d like to know more about GDPR and how it affects HubSpot Marketers, definitely check out this our blog post, “May or Bust: Your Essential Guide to GDPR Prep for HubSpot Marketers.”

But this blog post isn’t about GDPR, it’s about those dang emails.

So, Why The Privacy Policy Emails?

Now that companies are becoming GDPR compliant, it’s their responsibility to reach out to you if they’re unsure if they properly received consent from you and it’s not just the responsibility of companies located in the EU to reach out.

In fact, GDPR requires all companies who may have global customers need to confirm consent.

Personally, I love the way that this aggressive inbox tap on the shoulder has been explained by Tiffany Li, a resident fellow at Yale Law School’s Information Society Project and former in-house counsel for for the coding education startup General Assembly:

“I love the subject lines like ‘Please don’t leave us,’ ‘We value you,’” she says.

“The companies reaching out are like a bad boyfriend: They want you to stay, but they know they did something wrong.”

So, sure. It’s great that companies are reaching out and asking us to stick around but for other companies (we can think of them as ‘The Bad Boy Boyfriends’) who have avoided compliance, they’re getting hit hard right now.

Both Facebook and Google were hit with lawsuits on May 25th.

The complaint against Facebook was filed with Austrian data regulators, Google with French regulators, WhatsApp with German regulators, and Instagram with Belgian regulators as soon as the law went into effect at midnight.

The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.

Those fines have got to hurt, however, it’s worth noting that both companies have publicly argued that existing measures were adequate to meet GDPR requirements.

So What Do I Need to Do With All These Privacy Policy Emails?

While it may be tempting to immediately delete the privacy policy emails t flooding your inbox, I want to ask you to hold on and think about it before you do that.

These companies are reaching out because they have some sort of personal data stored for you.  

It’s a great opportunity to ‘break up’ with those companies who you no longer want to be linked to.

Unsubscribe to email lists and close accounts with companies who you no longer shop with (or use - I’m looking at you Ello) and make sure you know and are comfortable with those people you don’t.

If you’re too slammed right now but understand the need to really look through these account and companies, consider creating an email folder for all of these emails.

You can go through that folder on the weekend or during the evening hours when you have some time.

It’s also a great time to really dive into how companies have updated their Privacy Policy to be compliant.

Many of the emails I’ve read explain that they’ve added additional information and transparency to their policies.

And, in the spirit of being transparent with the new compliance, companies have also made it very clear in these emails whether or not you need to take any sort of action and if so, what to do to make sure you’re comfortable. 

Indeed, for example, let me know that there wasn’t any further action I needed to take upon receiving the email - “By continuing to use our services, you agree to the updated terms.”  

Ommwriter made it easy for me to unsubscribe if I no longer wanted to receive their emails by clicking a bold link under the signature and Medium actually suggested that users reach out via email with their feedback if we were unsure or unclear as to what it means for users of the site. That’s a nice personal touch.

But, of Course That Doesn’t Stop the Internet From Cracking Jokes

Okay, I won’t spend a lot of time on this section but come on… the following are too good not to acknowledge…

Star Wars: The Last Jedi director Rian Johnson:

Writer, director and comedian Zack Bornstein:

Web-video Producer Marques Brownlee:


Conclusion

At the end of the day, my recommendation is to read everything -- or at least skim it.

By taking stock in what companies have your information, and then either unsubscribing or staying connected, you’ll be smarter and more aware of who knows what, lower the risk of your data being compromised, and also play a more active role in the experience/service you receive from these brands.

Consider this your opportunity to either break up with and stay in engaged in your corporate relationships.