Yes, so it is, but I was not thinking of you but the sender here.
This isn't true for several reasons.
First, as this article notes, one of the lawful reasons to contact people on a list you own is for "legitimate interests," and it's at least arguable that we have a legitimate interest in fulfilling the desires of our subscribers by sending them the free publication that they signed up for.
https://privacylawblog.fieldfisher.com/2017/re-consenting-to-marketing-under-gdpr
Second, if you have an existing mailing list, you would only have to ask subscribers to opt-in again if you had subscribed them in "soft" ways before (such as by a checkbox that was pre-filled on some form, or by subscribing them and then sending email giving them the opportunity to opt-out). Since everyone who subscribed to TidBITS did so completely intentionally and without any deceptive practices, we don't have to ask everyone to resubscribe.
The main thing that could trip up a company is that the GDPR also wants a record of that consent, and for any list that's been around for a long time, it may be hard or even impossible to provide that information.
All that said, I do believe that people who are running a mailing list that isn't trying to market to its members are probably in a much better position than your standard direct marketer.
Good article! Still puzzled a bit by this as I see seemingly fine mailing lists send out messages asking for renewed consent, even when I have signed up intentionally for them, but it could be they are also puzzled. Was also thinking that many send out the re-consent e-mails just because they could not prove previously given consent in every case.
Also for my own mailing lists it has always been a mixture of people signing up intentionally and me adding them because I think they may be interested (usually because they have bought something or shown an interest without directly asking to be added to a list). Never added any people to a list without good reason though. So for "legitimate interests" for sure (mostly the legitimate interest of the recipient rather than the sender, but both), but also occasionally "by subscribing them and then sending email giving them the opportunity to opt-out" (or rather a note at the end on how they can unsubscribe, or a note telling them I have added them).
But good to see you know how to deal with this!
Oh I'm considering the sender as well. No sender has the right to bombard people with stuff they don't consent to. If somebody doesn't tell you he/she wants your stuff, you shall not send them your stuff. It's their call. If they're too lazy, well then that's their choice too and you shall respect that. This right hasn't been respected well in the past at all - not even in the analog world (junk mail). If in the digital world the EU's GDPR is the instrument that changes that, more power to them.
I think Adam's above post shows quite nicely how a legitimate content distributor like TidBITS has nothing to fear from GDPR.
My strong suspicion is that any small player who's trying to do the right thing will probably be OK in the long run.
As @ace said, this is probably the reason. I know I used to run mailing lists and the "confirm subscription" emails were never something that I kept (or even saw). A request to join the list generated a single email to the address asking for confirmation. If the user confirmed, that message was automatically handled by the mailing list and discarded.
So, under that system, a list would need to, I guess, ask for confirmation again and this time keep it.
I assume that GDPR also mandates some way for a list to remove a user's posts? I haven't thought about that, but that would be quite a problem if there is.
Actually, that would be largely impossible, since you would need to be able to remove their quoted content as well.
Hmm, glad I'm not running a mailing list, but maybe someone has looked into this.
OTOH, mailing lists are fast becoming the next USENET. Sure, some people still use them, but far fewer than there used to be.
Me too, just that one gets a bit nervous trying to figure out if it will be up to people's decisions or the law, so to speak. One wonders if the regulation will save money or be a loss; either way there are big costs. Also not totally sure the guy in the article is totally correct. ("Legitimate interests" might be up to different interpretations…)
But this is essentially a new sort of mailing list. I know that the software has a method to anonymize posts, but I wonder how successful it would actually be at catching all instances of somebody's name in quotes, as you mention…
Yes, that's the "right to be forgotten." Here in Discourse, that's easy with new users because of how it's architected, but I can't even begin to imagine how you'd erase someone from a traditional mailing list archive. Realistically, I suspect that (a) this won't happen to hardly any traditional discussion lists and (b) if it does, and the list admin perceives a real threat, they'll just kill access to the archive since it won't be worth the manual effort. That's what I'd do anyway.
Art. 17 GDPR Right to erasure ("right to be forgotten")
Assuming an email or web forum post counts as "personal data," when is it "no longer necessary in relation to the purposes for which they were collected or otherwise processed?" One could argue it will always be necessary as it is part of the record of the discussion (their name could be removed from the posts though).
I think removing or editing my messages or posts in which I quote or talk about someone who wishes to be deleted would violate my rights. As a matter of copyright, quotations should be protected on fair use/fair dealing principles, but I admit I don't really understand the degree to which some Europeans think attempts to control information about oneself should supersede other interests.
The language of the GDPR is clearly much more about non-public data organizations have, not information freely provided by users to the public or to others outside the organization (e.g. members of a private mailing list or forum). I have seen mentions of "reasonableness" in the regulation. A web forum removing a user's name, email address, and alias from a Users table (but leaving the row in place with a random or anonymous id) is likely reasonable in most systems. Doing a large search and replace for their name as a string in text archives or in the body of messages is probably not reasonable. I'm hoping reasonableness will prevail and this will be a minor issue for web fora.
I am pretty sure that the GDPR considers email addresses to be personal. Also, many people have signatures that have other information that would be classified as personal.
But I don't know that mailing list posts would be part of GDPR at all.
I meant the content of the message. Discourse doesn't need to expose sender email addresses. I don't know if a bare-bones Mailman archive can, but that's the kind of thing that I think should fail a reasonableness test. Ditto for whatever one chooses to share in their .sig file.
I am not a lawyer, but my general assessment is that a great deal will depend on the nature of the mailing list and the specific consent given. If a user subscribes to the mailing list and is explicitly informed their posts will be available to list members/the public for the foreseeable future, then that consent is probably valid. If the nature of the mailing list and/or access to its contents changes, consent may need to be explicitly re-acquired.
If a user withdraws their consent and wishes their information to be removed under the "right to be forgotten," then mailing list/archive maintainers may have an obligation to attempt to anonymize the material, and it probably extends not just to public services but to backups/archives as well. I have seen some assessments that this should also extend to the content of that user's messages and threads/messages that quoted them. However, this creates a minefield for trolls: imagine someone going through every thread in a forum, tacking on a smiley or "me too!" post, then demanding all those threads be deleted in their entirety under GDPR rules? Certainly not the intention of the regulations.
I have also seen some GDPR assessments that mailing lists and forums that are not used for commercial/marketing purposes (for instance, not for commercial activity, do not conduct user profiling, do not share data with third parties, etc.) will have little or no liability under GDPR, so long as they take reasonable steps to protect users' personal information.
I think the specifics will vary quite a lot by mailing list/forum: there's not going to be a single one-size-fits-all way to cope with the issues. But I am no more a lawyer now than I was when I started this reply.
Hereâs a slightly different situation. A blog that is run by 2 persons with me as tech support. 5% or less of the visitors are from EU countries. Nothing is sold. This is not even a company. Literally run from a kitchen table 99% of the time. (At times from a porch at a beach.) But they do cover controversial subjects and at times blog posts can be about situations in EU countries.
This blog runs on WordPress. But we DO NOT require or even allow people to create accounts.
So talk about just factoring the GDPR CODB into our pricing is absurd. We have no pricing. We don't take ads. We do have Twitter and Facebook buttons with appropriate pages for each. And we are running Google Analytics so we can see where we are popular and look at things like what minimal screen size to assume for both desktops and mobile.
And while once in our past we did remove all the comments from a person at their request, it created such a mess that we said no more. Suddenly dozens of comments made no sense. Hundreds.
After 9 years we're up to over 300K comments. Typically 4000 to 5000 unique visitors per day with occasional peaks lately of 10K to 20K.
To me this is going to be a very large PITA. Sigh.
I'm not sure that you have to do anything? You don't have accounts and it doesn't sound like you're collecting personal information, so why would GDPR be an issue for you?
Per what I've read here and other places, IP addresses count. So do email addresses. And maybe handles. And for sure their names if they give it, like at the end of their comment as a signature. Plus our posts and the comments may reference real people who really don't want some things public about them.
Most commenters use their real email address. We tell them if they want us to get in touch with them due to an issue with their comments we need a real email. (We wind up with a non-trivial number of moderated comments due to the subject matter some days.)
If they want to be removed, could you just mark all of their comments as removed by request? Then it won't mess up the hierarchy.
Most of the comments refer to previous comments. Many quote part of or all of a previous comment.
A few months back a semi-regular went a bit nuts and I spent 3 to 4 hours cleaning up after purging his way-over-the-edge comments. As I also got to go find all the links to his comments, which included quotes from him and/or arguments about what he said that also had to be "purged".
Also the standard WordPress tools are not really geared to dealing with people who've commented 1000+ times. Or even 100+. And editing all their comments to remove what they said and replace it with "Comment removed" would get to be tedious at best.
And we have issues of future legal issues where people might have to explain why they said what they did about some person or topic, but if the comments they were referring to are gone, then what? I wonder how this plays out in the EU in courts?
The GDPR only applies to enterprises, "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity." Presumably a web site having ads is sufficient to count as economic activity, but since the blog in question doesn't even have that, I don't think it applies. GDPR would still apply to the blog, even without economic activity taking place on it, if the blog is run by an "enterprise" engaged in economic activity; e.g. I don't think there's any economic activity in the TidBITS Talk forum, but TidBITS is an enterprise engaged in economic activity.
I checked the EU site, and there could potentially be a problem if this site is processing data, not simply collecting it:
"SMEs only have to keep records if data processing is regular"
http://ec.europa.eu/justice/smedataprotect/index_en.htm#mobile-menu
IMHO, the chances of the EU going after this blog are the lowest end of minimal. Google, Amazon or Facebook it ain't. Complaints need to be filed before any action is taken.
Marilyn