Europe's GDPR Privacy Law Is Why You're Getting All Those Subscription Emails

The European Union General Data Protection Regulation (GDPR) went into effect today, and it brings significant changes to how companies that deal with EU citizens’ data can collect and process it. 

Most online services previously tended to enable all of their data gathering checkboxes by default, because that’s how they could get the most users to “agree” to that collection. By far the most significant change the GDPR brings is that this practice is no longer legal in the EU. Users will also get more control of their data, including being legally empowered to request that companies delete all the data they have on them.

There are still some grey areas in the law, such as companies being allowed to claim that they can collect some classes of data without consent if they have a “legitimate interest” to do so. The intention of the EU politicians wasn’t to allow companies to claim that any data whatsoever can be called a “legitimate interest.” However, some online services may still push the legal limits on this, and courts may have to step in to clarify the issue.

New Data Processing Agreements From Online Services

Over the past few weeks, you may have noticed that most of the companies to which you’ve subscribed in the past have started sending you emails to agree to their new data processing terms. This is happening because the data previously gathered by companies on their users does not qualify for consent, so they need your explicit consent for the use of that data.

Although they had two years to prepare, most waited until the last minute to implement the changes, all while claiming that they're making the changes because they care deeply about your privacy. Additionally, the emails usually come with a warning that if you don’t agree you may lose access to your account. That’s a condition that may not be legal in some cases, because that shouldn’t qualify as free consent.

Other companies may have simply warned you that their terms have changed and that you don’t need to do anything beyond that. This is usually sent by companies that have already obtained your explicit opt-in permission to collect your data in the past.

GDPR Hall Of Shame

After getting tired of receiving so many GDPR emails all of the sudden, Owen Williams from the Netherlands built a website called the “GDPR Hall Of Shame,” where he calls out companies that implement GDPR poorly.


Among those “shamed” by Williams are Verizon-owned Oath websites (Yahoo, TechCrunch, Engadget, etc), which seem to use an opt-out rather than opt-in method for sharing users’ data with hundreds of Verizon partners; Razer, which says that unless you agree to its new terms your mouse or phone will stop working; Zoom, which gives users only the options of receiving more marketing emails or fewer; and other companies.

Twitter also seems to be forcing users to agree to the new terms or their account will be deactivated:

Google, Facebook, WhatsApp Accused Of Violating GDPR

The None Of Your Business (noyb) privacy rights group, founded by Max Schrems, also accused Google, Facebook, and Facebook subsidiaries WhatsApp and Instagram of violating the GDPR due to the companies “forcing” users to consent to their new terms.

Schrems is the same Austrian activist who fought against U.S. intelligence agencies’ mass surveillance operations targeting EU citizens as well against the American companies violating EU citizens’ rights with their data collection. His lawsuit eventually brought down the Safe Harbor agreement and he’s currently in another lawsuit that may end up invalidating the new Privacy Shield and other loopholes American companies have found to avoid properly complying with EU data protection laws.

In a public statement, noyb said:

An end of “forced consent” does not mean that companies can no longer use customer data. The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent. With this complaint we want to ensure that GDPR is implemented in a sane way: Without just moving towards “fishing for consent”.

The “take it or leave it” approach embraced by some both large and small companies will likely not sit well with the EU’s executive body, the European Commission, which may soon start taking action against the companies they see as most blatantly violating the GDPR. If found guilty, the companies could end up paying up to $20 million or 4% of their global annual turnover, whichever of the two is the greater sum of money.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • chicofehr
    thats why I have a seperate email I never check that I use for signing up for stuff & any shady sites.
    Reply
  • bit_user
    20999385 said:
    This New EuropeanEurope's GDPR Privacy Law Is Why You're Getting All Those Subscription Emails
    Thanks for fixing the click-bait title. Informative titles are better, and I think the public has gotten wary of the click-bait style. Personally, I find them repulsive and instinctively avoid them.
    Reply
  • DookieDraws
    This data collecting is a bunch of BS and needs to stop! All this info is being collected on us, then at a later date we'll hear of a data breach and that our "PROTECTED" data was stolen. If this isn't a good enough reason to ban the collection of sensitive data on us, I don't know what is. What a crock!!!!!

    And what's up with this? "Razer, which says that unless you agree to its new terms your mouse or phone will stop working.." Seriously? The Razor products you have purchased will stop working if you do not agree with their terms of service? Is this a joke? If this is true, SCREW YOU RAZOR AND EVERY OTHER COMPANY FORCING THE SAME BS ON IT'S CUSTOMERS! I say all of you Razor owners raise hell over this nonsense. I do not own a single Razor product, and won't consider owning any if this is how they wish to treat their customers.

    I better cut it short before I get too pissed! :)

    Reply
  • therealduckofdeath
    ...about this... Are we going to be forced to accept this GDPR agreement on Tom's Hardware on every page load from now on? :)
    Reply
  • DookieDraws
    21000485 said:
    ...about this... Are we going to be forced to accept this GDPR agreement on Tom's Hardware on every page load from now on? :)

    All I had to do to keep my membership here at Toms was to send them a blood, urine, and stool sample. So I just sent them a pair of my draws to cover all of that. :pt1cable:
    Reply
  • bit_user
    21000511 said:
    21000485 said:
    ...about this... Are we going to be forced to accept this GDPR agreement on Tom's Hardware on every page load from now on? :)

    All I had to do to keep my membership here at Toms was to send them a blood, urine, and stool sample. So I just sent them a pair of my draws to cover all of that. :pt1cable:
    I think only you get to tell that one...
    Reply
  • sykozis
    21000481 said:
    This data collecting is a bunch of BS and needs to stop! All this info is being collected on us, then at a later date we'll hear of a data breach and that our "PROTECTED" data was stolen. If this isn't a good enough reason to ban the collection of sensitive data on us, I don't know what is. What a crock!!!!!

    And what's up with this? "Razer, which says that unless you agree to its new terms your mouse or phone will stop working.." Seriously? The Razor products you have purchased will stop working if you do not agree with their terms of service? Is this a joke? If this is true, SCREW YOU RAZOR AND EVERY OTHER COMPANY FORCING THE SAME BS ON IT'S CUSTOMERS! I say all of you Razor owners raise hell over this nonsense. I do not own a single Razor product, and won't consider owning any if this is how they wish to treat their customers.

    I better cut it short before I get too pissed! :)

    Really sounds like Razer should be preparing for lawsuits if hardware will stop functioning due to a change in their Terms of Use....
    Reply
  • N0BOX
    @DookieDraws I actually stopped using my Razer Naga Epic MMORPG gaming mouse in part (the main reason being that it was old and worn out, had had the notorious double-click issue, which I had fixed, and) because Razer switched to requiring that you signed up with an email address for an online/cloud account in order to use their "Synapse" configuration software (the software that allows you configure mouse button bindings, virtual surround for positional audio, "Chroma" unified device LED color effects and many other device-specific functions (firmware upgrades, keyboard macros, etc). I chose to get a Roccat Nyth, instead, and have actually been much happier with it.

    Even if you use a fake email address they are gathering information about color choices, macros, and games played (and much more if they set their software up to spy on your window and process lists) that is linked to your IP address, if not to a "real" email address Every new IP address you use, including any VPN IPs, are all linked together using that fake email address. In the end, your data is theirs.
    Reply
  • 10tacle
    When I am forced to give out an email address, I create a new spam email account through either Yahoo or G+. When I am forced to give a phone number, I use a spam caller number that called my mobile in the past (I use White Pages to reverse lookup phone numbers I do not know - White Pages allows users to report spam/fraud numbers).

    Problem solved. I never give out my real number nor my real email address assigned to an IMAP Outlook account. The only exceptions are for official business needs like utility companies and tax revenue offices as well as home & auto insurance and banking. Oh, and for Tom's Hardware of course for sweepstakes and giveaways. :)

    Also, I only use old PCs and laptops I don't care about nor have any personal info on for these account creations, so they can datamine nothing and like it because there's nothing there for them to use. My personal business/productivity PC and laptop never touch these spam accounts, and both sets of computers are run through VPNs. Yahoo, Google, and all those other companies and websites forcing me to give an email and phone to use their services or products can go pound sand. :kaola:
    Reply
  • therealduckofdeath
    I'm not joking. Are we seriously going to be forced to accept that privacy agreement on every single page load?
    Reply