The Spamhaus Project

blog

Have you "really" got consent for every email on your mailing list?

With so much talk about the Spamhaus Informational listings and the subsequent talk of cleaning up mailing lists and mailing practices, here are sound words of advice on the subject of consent from Simon McGrath.

by Simon McGarrFebruary 02, 20239 minutes reading time

Jump to

Introduction

With so much talk about the Spamhaus Informational listings and the subsequent talk of cleaning up mailing lists and practices, here are sound words of advice from Simon McGarr, Managing Director of Data Compliance Europe, on the subject of consent.### It seemed like such a great idea

Once upon a time, when I was a young man trying to be helpful about my parent’s house, I decided to clean out the ashes in the fire. I’d watched my father on his hands and knees plenty of times, using a brush and steel coal shovel to transfer the ashes into a battered steel bucket. It looked like no fun at all. I realized that, foolish middle-aged parent that he was, he must have missed the obvious solution. Why not just vacuum up all those ashes? Not for me, the cinders and ash of Grimm’s fairytales. I would apply modern technology for better living.

I quickly finished the job, leaving a dust-free hearth.

I don’t know why nobody has ever thought of this before, I said to myself. Then I turned around and found the vacuum cleaner was on fire. Some eejit had filled it full of hot ash and embers.

Sometimes, as I learned then, there is a reason nobody has thought of your brilliant idea before.

This experience popped into my head as I considered the story I’m about to tell you from the Spamhaus listing archives.

Another “great” idea

Our friendly data controllers wanted to use a database of email contacts they had obtained (by means unknown) for commercial purposes. They wanted to sell access to this database of email addresses to their clients and use it themselves. However, they knew, dimly in the back of their minds, that there was some Data Protection issue under the General Data Protection Regulation (GDPR). Then, like my younger self, someone among our Data Controllers stopped suddenly one day and thought to themselves, “I don’t know why nobody has ever thought of this before.”

Their idea wasn’t to suck up a load of rubbish – quite the opposite.

They were going to send rubbish, I mean emails, to people. And after the people had received the emails, they believed they could use those email addresses legitimately.

The subject line they chose was “Notice of Data Processing. This is not an advertisement.”

And to be fair, you will probably agree with that subject line’s assessment once you understand their concept…

It’s not just about the GDPR

The problem here, as you may have guessed by now, is that there is actually a reason why nobody has ever thought, let alone done, this before.

And that reason is that emailing people for commercial purposes (which is what even emails headed ‘this is not an advertisement’ are doing when you send them to benefit a commercial, corporate entity) is not an activity solely subject to the GDPR.

Commercial email to EU addresses is also subject to the e-Privacy Directives and their various national transpositions in each of the EU member states.

What is the e-Privacy Directive?

Good question. The e-Privacy Directive is known in the arcana of European law as a lex specialis. The GDPR is the general data protection regulation (the clue is in the name). Meanwhile, the e-Privacy rules amend those general provisions with specific, different rules for specific circumstances. Like, for example, sending commercial emails.

So, while legitimate interest is permitted as a legal basis for data processing under Article 6 of the GPDR, the e-Privacy Directive restricts the legal basis on which data may be processed for the purposes of sending out commercial email to only one basis – consent.

Here’s Article 13.1 of the e-Privacy Directive as inserted by Directive 2009/136/EC. You can quote this at parties if you want to be considered charming and popular.

1. The use of … electronic mail for the purposes of direct marketing may be allowed only in respect of subscribers or users who have given their prior consent.

Just so everybody has an incentive to behave themselves, it goes on at Article 13.7 to insert a clause to ensure that every single person in the EU who receives an email that breaks that consent rule has a right to sue for defined penalties.

Back to the email sent by the data control team

The notice sent out (‘not an advertisement’) made an effort to tell the recipients some of these things, perhaps with some intention to claim they had been appropriately informed and given ‘implied consent’ if they didn’t object. The problem with that idea comes with the final part of the puzzle.

4) Unambiguous

It isn’t enough to presume consent. It’s necessary to receive an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. People have to take a step to indicate their consent- using pre-ticked boxes or presuming that consent is given by not objecting will not meet the requirement.

To recap, sending out a data processing notice by mass email doesn’t get you a clean database of European email addresses that you can say have given valid, informed consent to receive commercial email. It just gets you millions and millions of potential instances of regulatory and civil liabilities.

As I learned to my cost all those years ago, nobody’s ever thought of this before because sometimes you’ve come up with an idea so bad, you’ve managed to create a trash fire in a vacuum.

About Simon McGarr

Simon McGarr is a lawyer with McGarr Solicitors in Dublin, and the managing director of Data Compliance Europe, a global consultancy on GDPR and data protection matters. He is a Senior Policy Advisor for M3WAAG and a guest lecturer with the European Academy of Law in Trier as well as the External Examiner for the Law Society of Ireland on Data Protection. He has represented clients in both the landmark Digital Rights Ireland and Schrems I cases before the Grand Chamber of the Court of Justice of the EU.