Your holiday bulk emails may be breaking the law
Or Happy New Year 2016
’Tis the season to be merry, to celebrate the past year and proclaim optimism about the new one! To add to the cheer, I want to wish the best of the season to you and yours. I could have sent an individual greeting in an email to each of you, but that would be indecorous and, as it turns out, subject to legal murk.
It is a nuisance. Many of you have probably noticed the unsavory practice of exporting contact information and spamming your entire connections list from social networks like LinkedIn. These are sometimes personal messages but increasingly about corporate messaging: some holiday wishes, but just as much promotional material. I am able to track this by source by using a LinkedIn-specific email address. Repeat offenders have been personally castigated, and I have been unsubscribing from such mailing lists, but managing the annoyance this way will not scale. If unsolicited bulk messaging of social media connections becomes even more rampant, it will lead to rejection of all social messaging, which dilutes the relevance of each such platform.
It is probably illegal. In many cases the practice may run afoul of the stricter privacy laws prevalent in certain jurisdictions like the EU, which interprets email addresses as personal information. Under recent rulings that negate safe harbor provisions, the interpretation of how misuse of personal information is treated, and the financial / punitive implications of doing so, have become stricter.
My colleague Holger Dyroff at ownCloud has two excellent blog posts on this topic:
- The Business Card Case: uploading data from a business card (or exported from a social network) to a CRM system like Salesforce or a bulk email provider like MailChimp is a violation of EU data privacy laws since personal data is almost universally uploaded to datacenters in jurisdictions outside the EU.
- You can soon be fined up to 4% of revenue for violations: it is proposed that regulatory bodies can fine a company up to 4% of its annual revenue for violations of the GDPR.
“The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data,” said Jan Philipp Albrecht, the lead of the Members of the European Parliament for this regulation.
The sensitivity extends way beyond the EU. The global data privacy laws map here shows how widespread and robust these protections are.
So unless your LinkedIn or Facebook connections have explicitly signed up to receive your bulk mailings, your export-and-spam strategy could leave you legally exposed. What is unclear is the extent to which the legal ramifications extend to individuals and/or their employers and/or your cloud-based providers for CRM and email marketing.
Meanwhile, it is in bad taste!