Email - spam or scam, it's still a no-win situation for targets and GDPR isn't helping
On several occasions recently, our filters have picked up e-mail from a company promoting itself as "5mins" and, as is common, offering directory services. But this one is a little different. No matter what, the target is in a lose-lose situation, which is odd because on so many levels the mail appears to be acting both properly and legally. But there is just enough that isn't right to raise suspicions, and the UK's Information Commissioner's Office, which is responsible for implementing the new GDPR regime, is already having a hard time handling scaremongering that's almost as bad as that around Y2K.
The full text of the e-mail we have received repeatedly is reproduced below.
The first thing that causes concern is that it arrives more than once.
The second thing is that it does not say something like "please confirm your subscription and, if you do not, we will remove you," it says, in effect, "if you don't tell us to remove you, we will make your information public."
At this stage, and we do not know what will happen later, there is no request for money or any other thing, so it's not like the far more common directory scams that tell you your domain name will disappear, or some such nonsense, if you don't pay something.
The next thing that concerns us is that we are as sure as we can be that we have never authorised the passing of our information, including individuals' e-mail addresses, to this company. But, because data protection in the UK and other jurisdictions is utterly weak in relation to the data that matters most (the data that allows spam-scams to flourish), it is quite possible that they have obtained the e-mail addresses legally or, at least, not illegally.
Last week, Elizabeth Denham, the Information Commissioner, wrote on the ICO website that consent must be genuine. But what "genuine" means in practice is not clear. It is into that quagmire that 5mins has stepped and, in doing so, raised questions that the ICO must address as soon as possible.
This is the full text of the email and of the "unsubscribe" page reached via a link.
5mins.co.uk (info@5mins-listing.com)
Re: 5mins and the General Data Protection Regulations
Having trouble viewing this email? Click here .... to view in a browser.
Update your listing ......
Hi - -
We are contacting you today from 5mins.co.uk as part of our General Data Protection Regulations (GDPR) compliance procedure to inform you of our intentions regarding the use of your personal data and your rights. Your details were obtained from a number of sources including Companies House, Call Centres, Third Parties, Online Resources & Information in the Public Domain.
Your business has been selected for a free listing on our Online Business Directory 5mins.co.uk.
Over 1 million businesses are contacted every month through 5mins and as such you may be contacted by other businesses interested in your services.
You may also be contacted by businesses listed on 5mins offering you their services.
We hope you enjoy the benefits of 5mins and the increased business and networking opportunities it may bring your company.
5mins processes your personal data for direct marketing purposes under GDPR as a legitimate interest. If you are happy for your data to be processed in this way you need not do anything, although we would ask that you check the details we hold for you are correct in order that businesses may find you easier.
If you would prefer not to take advantage of this free service, please take this opportunity to opt-out of any further communications from us.
Update your listing ........
The 5mins Online Business Directory is owned and operated by Emailmovers.
Reg in England No. 5046417. Reg office: Holtby Manor, Stamford Bridge, Dunnington, YO19 5LL.
Registered with the Information Commissioner as a data controller, registration number Z9714386.
Data Protection Officer compliance@5mins.co.uk (mailto:compliance@5mins.co.uk)
If you would like to unsubscribe from receiving future emails from 5mins then (REMEMBER, unsubscribing automatically removes your company listing from the 5mins directory) click unsubscribe http://mail-affect.com/app/dxc...?
If you wish to unsubscribe so that you will not receive anything from us via email, please enter your email address below.
Note: You received the email to the address ' [redacted] ' and this is the address that will be unsubscribed. Please bear in mind that this email may have been sent to an old email address of yours or that you may have received this email as a result of being part of an email alias, for example you may receive emails that have been forwarded from a 'sales@', 'marketing@', 'info@' email address.
Once submitted please allow up to 28 working days for this process to take effect.
Please be assured that the suppression request will be automatically picked up tonight and recorded in our central email address suppression list, together with the date and time requested. The email address will then not be selected for future data processing. However, it may already be in other ongoing data processes, and that is why we quote the above period of time.
This is an extract from the Commissioner's article:
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you've got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you've got to make sure the consent you've already got meets the standards of the GDPR. If not, you'll have to refresh it.
So, those annoying boxes that many companies use that are auto-ticked to say they can spam you or pass your details onto third parties are not compliant.
Equally, it appears, any terms and conditions that bury such "consent" with no option to exclude that clause will not be compliant. There are many airline and on-line shopping services that follow one or both of these practices.
It's the second sentence that raises a question over the 5mins approach: they are, indeed, making it easy for people to exercise their right to withdraw consent. But that part of the Commissioner's note is based on a false premise: it assumes that the data has been legitimately passed to the company now seeking consent. It also fails to deal with the enormous hole in the system that says that spam sent to commercial e-mail addresses is, in effect, authorised by law. That, as the growth of e-mail-borne viruses and other harmful content demonstrates, should never have been allowed and should be revoked. The law should also expressly state that consent is not transferable, except within a single group of companies in common ownership, and that the passing of data, including e-mail information, to any third party without express consent for that individual transfer should be illegal. But that is not the legal position now and so, again, 5mins have not, so far as is obvious, broken any laws.
So why does it give us cause for concern?
First, the mail says that 5mins are creating a directory - of what? We have no idea what data they hold nor how they intend to use it.
Secondly, they say that they have obtained our data from any one of a number of sources, some of which are open to question because they appear to be harvesting from websites.
Thirdly, by unsubscribing, we are by definition confirming that the e-mail address is valid. If they were serious, they would adopt the system that we adopt when we update our mailing lists: we send two mails and, if they bounce, our system deletes the address from our mailing lists. If they don't bounce, the recipient is invited to click TO CONFIRM continued contact. If they don't reply within 14 days, the e-mail address is removed from our mailing lists. In this way, the recipient is in complete control and, if they don't want to hear from us, they just ignore us and we will go away. Most importantly, we do not know whether the e-mail address is valid, whether we are blocked, or whether the mail is just deleted unread; while natural curiosity means we would like to know, we do not need to know.
The ICO should immediately issue guidance that says that where consent is sought, it must confirm and update consent, not operate as a back-door method of confirming contact information. And denial of consent should be assumed in the absence of renewed consent.
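The two-mail re-confirmation routine described above, together with the principle that silence means no consent, as an added Python illustration that is not part of the original post; the class and function names and the sample addresses are assumptions, and the 14-day window and two-mail count are taken from the text:

```python
# Added illustration, not the post's own code: the author's re-consent routine as a state machine.
from dataclasses import dataclass
from datetime import datetime, timedelta

CONFIRM_WINDOW = timedelta(days=14)  # "if they don't reply within 14 days"
MAILS_PER_CYCLE = 2                  # "we send two mails"

@dataclass
class Subscriber:
    address: str
    mails_sent: int = 0
    first_sent: "datetime | None" = None
    bounced: bool = False
    confirmed: bool = False

class ReconsentList:
    """Bounces and silence both lead to removal; only an explicit click keeps an address."""
    def __init__(self, addresses):
        self.subs = {a: Subscriber(a) for a in addresses}
        self.removed = {}  # address -> reason it was dropped

    def send_cycle(self, now):
        """One mailing: each unconfirmed address gets at most MAILS_PER_CYCLE mails in total."""
        for s in self.subs.values():
            if not s.confirmed and s.mails_sent < MAILS_PER_CYCLE:
                s.mails_sent += 1
                s.first_sent = s.first_sent or now  # the 14-day clock starts at the first mail

    def record(self, address, event):
        """event is 'bounce' (delivery failed) or 'confirm' (recipient clicked TO CONFIRM)."""
        if address in self.subs and event in ("bounce", "confirm"):
            setattr(self.subs[address], {"bounce": "bounced", "confirm": "confirmed"}[event], True)

    def sweep(self, now):
        """Drop bounced addresses and those still silent once the window has passed."""
        for addr, s in list(self.subs.items()):
            silent = not s.confirmed and s.first_sent and now - s.first_sent >= CONFIRM_WINDOW
            if s.bounced or silent:
                self.removed[addr] = "bounced" if s.bounced else "no renewed consent"
                del self.subs[addr]
        return sorted(self.subs)

def run_example():
    t0 = datetime(2018, 5, 1)  # constructed sample: one confirms, one bounces, one never answers
    lst = ReconsentList(["a@example.com", "b@example.com", "c@example.com"])
    lst.send_cycle(t0)
    lst.record("b@example.com", "bounce")
    lst.send_cycle(t0 + timedelta(days=3))
    lst.record("a@example.com", "confirm")
    return lst.sweep(t0 + CONFIRM_WINDOW), lst.removed
```

Only the address that clicked survives; the sender never learns whether the silent address was valid, blocked or deleted unread.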
We almost feel sorry for 5mins: they may have been trying to do things right but they have demonstrated how to do it wrong.
The full text of the Commissioner's article is at https://iconewsblog.org.uk/201...