Why hasn't GDPR stopped spam?

In 2018, the EU General Data Protection Regulation (GDPR) came into force to regulate how individuals, companies and organisations may process personal and private data. It also addresses the export of personal data outside the EU and EEA.

Because GDPR requires individuals to give consent when signing up for something online, many see it as an attempt to reduce the prevalence and volume of spam email and to give people more control over their personal, private data.

Despite the introduction of this EU regulation, spam has shown no signs of slowing down. Statistics compiled by Nesta, the UK’s innovation research specialists, indicate that approximately 60% of internet users in the United Kingdom felt that they had no more control over the volume of marketing emails arriving in their personal inbox. Further to this, 22% of those surveyed indicated that they had received an increased number of targeted marketing or spam emails following GDPR’s introduction.

At Blackhawk Intelligence, our GDPR and data intelligence teams explore the reasons behind this worrying trend and the various implications of GDPR on the current digital climate and on your personal and private data.

What is spam?

Spam is, in essence, a commercial marketing tactic. The ethics of this form of marketing, however, are inherently dubious: email marketing has cultivated a reputation for antagonising its targets, recipients who are often unaware that they have been added to the associated mailing list or database.

If you have an email address, chances are you have encountered a spam email. A close relative of traditional junk mail, spam is an economically sound investment as a marketing strategy, with high volume and high reward being its typical modus operandi. Put simply, if you flood the inboxes of a large number of people with a low-cost, generic email, you have an economical, far-reaching piece of advertising which, given even a remote degree of engagement, stands to make you money.

The dilemma for companies using this strategy lies in the origins of their email list, since email harvesting and web address collection are legislated against (in the GDPR, for example). Put simply, if you send an email to someone who has not signed up to your mailing list, you are perpetuating the problem and are exploiting this marketing tactic from an unethical and, to an extent, illegal standpoint.

How is spam different from targeted marketing?

It is estimated that spam constitutes 95% of all email traffic, and while some of this is commercial marketing content, viruses spread by spam and phishing emails also contribute to this number.

Targeted marketing campaigns should involve the recipient as a consenting party to the exchange, whereby the email is sent to its intended recipient because that user signed up to the mailing list. Spam, on the other hand, involves distributing content to addresses gathered from publicly accessible sources, webmail harvesting or automated address generators, typically where the user has not agreed to receive the content.

Some spammers conceal or falsify the origins of their content in order to circumvent regulations and legislative countermeasures, and this is where much of the difficulty in reducing spam and mailing list abuse lies. Falsified origins are not the only issue encompassed by spam emailing: fraudulent emails and phishing scams are a prevalent problem. These use the same methods to generate address lists but target those addresses with routine attacks and misleading content.

It is primarily for these reasons that countermeasures are introduced and legislated. However, the scope for combatting spam is incredibly broad and implementing such measures is inherently problematic, particularly when offenders go to great lengths to protect the source of their data and content.

What has been done to stop spam?

The introduction of data protection rules has been a welcome change to the largely unregulated space of the internet. A reactive attempt to mitigate the prevalence of spam emailing, the EU’s GDPR is a reform intended to give people more control over their data and privacy, particularly in terms of the content they receive via email and the security of their email address.

No one wants to be bombarded with ads and commercial marketing content, particularly content they have not signed up for. The process of unsubscribing from these lists is often difficult to navigate, which is one reason legislation like the GDPR exists. Furthermore, the threat posed by calculated phishing content and the dissemination of fraudulent email is an added reason for stringent security measures and data protection procedures.

Replacing the 1995 Data Protection Directive, the GDPR came into force across the EU in May 2018 to harmonise data protection laws in Europe and to protect individual rights and freedoms. The GDPR’s articles grant individuals certain rights, including access to the data which companies hold about them, and place responsibilities on companies to obtain consent for the information they collect from individuals.

Your rights under the GDPR

The GDPR stipulates eight data rights for an individual’s privacy and security:

Right to be informed – A company is required to inform you when your data are collected, as well as clearly outline the purpose for which they are being collected.

Right of access – You must be able to view any data that a company has gathered on you.

Right to rectification – You are entitled to correct erroneous information about yourself that has been recorded by the company.

Right to erasure – Otherwise known as the “right to be forgotten”. You are entitled to request the deletion of your personal data; however, this right is not absolute.

Right to restrict processing – You can request that your personal data be suppressed, or that its processing be restricted.

Right to data portability – You’re entitled to take data that a company has collected on you and share it elsewhere.

Right to object – You have the right to object to specific uses of your data and to prevent them from being used for particular purposes, e.g. direct marketing.

Rights related to automated decision-making – You may be profiled only with your explicit consent, where it is necessary for a contract you enter into, or where such processing is authorised by law.

For companies that collate people’s data, accountability is now enforceable under GDPR: where data breaches occur (such as the recent notable breaches at Yahoo, LinkedIn and Facebook) or where data are not properly protected, significant repercussions follow.

Essentially, the legislation leans towards better protection of the rights and privileges of the individual and the security of their private information. While this is fine in theory, unless it proves effective in practice it stands for nothing, and currently it is not working.

Why hasn’t GDPR stopped spam emails?

There are a handful of reasons why GDPR is failing to live up to its claims, but the main consideration and biggest hurdle this legislation faces is the public’s understanding of what they are agreeing to when they input their data and ‘check the boxes’.

GDPR now regulates data collection on an opt-in rather than opt-out basis: a company is required under the statute to ask you to ‘opt in’ to its mailing list, rather than automatically registering you and then prompting you to opt out in the fine print. Despite this, many individuals are handing over their private information without realising the ramifications or understanding the full extent of what is being done with their data.

Part of this is due to the nature of the online advertising industry, which is structured to deliberately and tactically obfuscate how profit is being made from personal data. This, paired with the incomprehensible terms and conditions of some ‘sign up’ processes, makes it hard for people to understand what they are agreeing to. As a result, they jeopardise the security of their private data and are essentially complicit in handing it over and making themselves vulnerable.

Blackhawk’s GDPR services

While GDPR has not stopped spam emails, that does not mean your company should ignore its GDPR obligations or cease compliance; doing so risks a heavy fine. At Blackhawk Intelligence, our GDPR teams have been helping companies across Europe by providing an extensive analysis of how data are stored, what you can and cannot do with them, and what you can do to prevent accidental or deliberate security breaches.

If you would like to know more about GDPR, contact us on +44 (0)20 8108 9317.

For more information, see: