Enough already? Fed up with GDPR emails asking for your consent?

You bet!

This is an all-out attack by the zombies! They follow other zombies by sending us mindless emails saying this kind of crap:

“We’re committed to managing and safeguarding the information you give us when looking for a job. CLICK HERE TO STAY SIGNED UP.”

Or how about this:

“LET’S STAY IN TOUCH. Did you know? New privacy laws come into effect on 25 May. This landmark new law is designed to improve your privacy rights. This is great news for online shoppers, so if you enjoy getting our promotional emails, just click below…”

Or this:

“We don’t want to lose you, so please take action NOW”


These emails are pointless!

In the UK, it’s been the law since 2003 that you can only send a marketing email to an individual recipient when they’ve consented to receive it OR you’ve an existing customer relationship with them and have offered them the opportunity to opt out.

That’s still the case today.

The GDPR doesn’t replace the Privacy and Electronic Communications Regulations (PECR) but sits alongside them. I admit, there’s a bit of confusion in the minds of brand owners as to what to do, but any half-decent data privacy professional will have understood what to do – and it isn’t sending these zombie emails asking for re-consent.

Most of us have been happily buying stuff from these brand owners online for years, or have been buying stuff in a B2B context for business purposes.

We don’t need to re-consent. Doh?

What’s really stupid is that if you’ve never consented to receiving marketing messages in the first place and you get one of these ‘zombie messages’, it’s actually a breach of PECR!

This has led to the ICO here in the UK having to go on the record warning that these annoying emails aren’t actually complying with the GDPR.

“We’ve heard stories of email in-boxes bursting with long emails from organisations asking people if they’re still happy to hear from them. Think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily,” advises Steve Wood, deputy information commissioner. You can read his excellent blog here.

What we’re witnessing is a zombie reaction in fear of being fined up to 4% of global turnover or €20m, whichever is greater, for not complying with the higher standards of data protection, privacy and security that are fully enforceable from 25 May.

Direct marketing is a legitimate interest of any brand owner and provided that the recipient has the opportunity to elect not to receive further marketing emails, that should be OK. The whole point of the GDPR is to build deeper digital trust so that organisations and companies can do more – not less – with personal data.

Going down the consent route may not always be the most appropriate way forward in every instance. The days of pre-ticked boxes are over and consent needs to be an unambiguous, affirmative action and an expression of wishes. It can’t be conditional (one Premier League team tempted fans to consent with the chance to get a signed shirt) and mustn’t discriminate against the interests of the consumer should they not wish to consent to their personal data being processed.

“If consent is the appropriate lawful basis, then that energy and effort must be spent establishing informed, active, unambiguous consent,” adds Steve Wood.

Some brand owners, like Honda and Flybe, got their wrists slapped by the ICO last year when they started sending emails asking people to agree to getting more emails. Sound familiar?

Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent is still marketing and it’s against the law. In Flybe’s case, the company deliberately contacted people who’d already opted out of emails from them.

And all of this is plainly explained on the ICO website, so why the attack of the zombies?

The ICO recognises that companies will be reviewing how they obtain customer consent for marketing to comply with stronger data protection legislation coming into force in May 2018, but is on the record as warning companies to appreciate that they can’t break one law to get ready for another.

But it’s not only the zombies you need to steer clear of, pressing ‘DELETE’ when you receive one of these annoying emails.

The cyber criminals think it’s Christmas and have started ‘GDPR phishing scams.’ For example, unsuspecting customers of Airbnb have been receiving phishing emails inviting them to click on a link to update their privacy settings. This takes users to what we used to call, when I was director of the Defence Academy of the UK, an ‘evil twin’ website – and of course the cyber criminals start harvesting a small treasure trove of personal data and use this for committing further cyber-crimes.

And there’s no need to become a zombie!
