GDPR and Email: Part 3, Data Portability

NOTE: This is the third in a series of articles addressing the GDPR and its effects on email marketing. For an overview of the subject, see our previous article: GDPR and Email: Part 1, an Overview.

Last time on this blog, we looked at the issues of forgetting and unsubscribing, and how the General Data Protection Regulation (GDPR) affects email marketers. That particular portion of the GDPR has received a lot of press, but there’s a far thornier issue lying in wait a few paragraphs further down in the regulation. I’m referring to the “right to data portability,” which gives the subscriber the right to receive all the data a company has collected on them.1 Compared to the other features of the GDPR, the right to data portability seems haphazardly drawn up, or, at least, drawn up without ever considering the difficulties and problems that its simple request could generate.

Acceptable Formats

Briefly put, the right to data portability says a subscriber has the right to receive any data about them in a “structured, commonly used and machine-readable format.” The regulation doesn’t specify what this format is. “Commonly used” would suggest a comma-separated values (CSV) file, XML, or something similar. Even then, there’s no guarantee that the data can be formatted in a useful manner. Every customer relationship management system (CRM) and email-marketing service provider (ESP) has its own structure, order of operations, and, to a certain extent, terminology, so porting the data from one system to another isn’t as easy as transferring the file. Try opening a Microsoft Word file in a text editor and you’ll see what we mean. Even when the two systems can read each other’s data, it doesn’t mean that one system will have a place for all the data from the other. There is no standard for formatting things like click-throughs or deletes without opening. In Recital 68 (separate clarifications to the GDPR), the regulation states that “data controllers should be encouraged to develop interoperable formats that enable data portability,”2 but it makes no suggestions as to how this would be accomplished. It is the bureaucratic equivalent of a mom’s admonition for kids to “learn to get along.”

Privacy issues

CSV and XML certainly qualify as commonly used formats, but they are also as easy for humans to read as they are for machines, which raises other privacy issues. If the “Right to Erasure” presents the danger of someone other than the subscriber making the request, the Right to Data Portability is even more of a threat. With erasure, you’re simply asking to have your data removed from a system. Most people wouldn’t cry to learn that their data had been accidentally erased by their ESP, but would hit the ceiling if they learned that their data had been sent to someone else. Anything sent out in an email has a risk of being seen by others. Even if the format is not easily read by humans, the “commonly used” qualifier means anyone looking to steal someone’s data probably has a program that will have no trouble deciphering the information. But there are other dangers waiting in the wings.

Identity Issues

There are plenty of examples of people pulled aside by the TSA at the airport because their names matched names on suspicious-person lists. This isn’t a big concern in the email marketing field, because every subscriber already has a unique identifier: their email address. Even if someone enters the wrong email address, the email will go to the person who has that account, and they can choose to ignore the message. There is some danger that if an email account is hacked, the identity thief can then request all that person’s data from the ESP, and the ESP will, by law, be required to provide all the personal data for that hacked account. Depending on the data that is kept, this could provide the thief with a wealth of information about that person. Security on an email account is now more critical than ever.

Here Come the Lawyers

It’s ironic that a regulation designed to help protect an individual’s private data might be the very thing responsible for the theft of that same data. This speaks to the rather haphazard nature of this particular clause. This is why the Internet Corporation for Assigned Names and Numbers (ICANN) has filed a suit against EPAG, its German affiliate, in an attempt to get better clarification of the GDPR’s restrictions. EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules. For ICANN, this presented an untenable problem, since maintaining this data is central to ICANN’s purpose. It’s a thorny issue, for sure. Right now, no one is sure where the balance between private data and public records lies. The courts have their work cut out for them.

While ICANN’s lawsuit is aimed at clarifying the regulations, other lawsuits are aimed at companies that are seen as already violating the GDPR. As of this writing, the only major lawsuits filed against companies under the GDPR are ones against Google, Facebook, Apple, Amazon, and LinkedIn. These were filed shortly after the law went into effect and are intended as test cases. The outcome of these cases will determine what happens next.

Stay Frosty

We will keep watching the events involving the GDPR as they unfold and keep you posted if anything changes. In the meantime, as long as you’ve followed the rules of the GDPR that we laid out in part one of our GDPR and Email Overview, you should be all right.

(This concludes our three-part series on the GDPR.)


1. Chapter 3, Article 20: Right to data portability

2. Recital 68: Right to data portability

GDPR and Email: Part 1, an Overview

GDPR vs. Email
They started working on it in 2012, and for the next four years, the countries of the European Union argued, cajoled each other, and hammered out the details of a ruling known as the General Data Protection Regulation (GDPR). It was a long, hard slog, but when the dust had cleared, the feeling was that the Council of the European Union and the European Parliament had a regulation that would satisfy the privacy issues inherent in any new or future technology, without hampering individual needs.

Or did they?

Ratified on May 24, 2016, the GDPR took effect on May 25th, 2018, and offers the strictest set of regulations to date as to what you can and cannot do with someone’s data. Everything from Facebook to your digital camera has to comply with the regulation, and that includes email subscriptions.

It Affects the Whole World

Although intended to protect the citizens of the European Union, it also applies to overseas companies with EU subscribers—and here’s where the GDPR starts getting fuzzy. In a recent webinar, listeners were told that they don’t have to worry about the GDPR as long as they can prove that they did not actively seek European subscribers. On another site, readers were told that if you have any European subscribers, you’re obliged to follow the GDPR restrictions. So who’s right? The webinar is correct, in fact. If you can prove that you intended for your site to be used exclusively outside of the EU and had no mechanism in place to entice European subscribers, you are not liable, but that also means you might have to prove it at some point, and if, for reasons beyond your control, a large number of your subscribers are from the European Union, you’ll probably lose that fight.

That Depends on What The Meaning of “Is” is

At first glance, the GDPR looks pretty thorough. It even has a section that defines the terms it uses, such as “personal data” and “natural person.”1 But look more closely and you’ll see that every definition, in turn, raises new questions. “Personal data,” for instance, is defined as “any information relating to an identified or identifiable natural person (‘data subject’),” and goes on to explain that “an identifiable natural person is one who can be identified, directly or indirectly” (italics mine). Although the ruling is broad enough to include it, you won’t find a discussion of email anywhere in the regulation. In fact, the word “email” is used only once—as an example of one of the things that can be used to identify a person.

After reading and re-reading the current crop of articles about the regulation, what strikes us is how few of these address the questionable areas of GDPR, especially as it relates to email marketing. Whether you run email marketing using your own equipment or take advantage of a hosted solution, here are some questions and discussion about GDPR challenges for email senders.

Tell Me You Like Me

If you’re a European citizen and you’ve signed up to receive email from a company, that company must “demonstrate” that you actually did sign up. So how do you demonstrate that someone provided their information on a web form? The GDPR goes on to talk about written declarations, but that is unlikely to apply for email marketing.

You can be audited to ensure that you are complying with the GDPR, so you should be able to prove this.2 If you say that the recipient confirmed with a double opt-in, what physical evidence can you present to back up this statement? Is the word of your software that says the recipient clicked the link enough? Do we need to record additional information to show this action really happened, like recording the IP address and browser information used when the confirmation link was clicked? But wait! Isn’t that Personal Identifying Information (PII) that you shouldn’t be keeping on recipients? Which takes precedence? Proving the recipient “demonstrated” their consent, or minimizing the PII for that recipient?

A double-opt-in confirmation step would seem to “demonstrate” the person’s interest in receiving your email. But as many email marketers know, getting people to confirm is challenging. A double-opt-in can reduce the list size; forcing them to do it again is guaranteed to reduce list sizes even further.

Unsubscribing is not Forgetting

You won’t find the word “unsubscribe” anywhere in the regulation or its recitals.3 When you unsubscribe, your information is still in the database, being applied to past metrics and ensuring that you aren’t accidentally left on any mailing list segments. Unsubscribing should be easy. Just click the unsubscribe link on any email and as long as it is an honest and legitimate company you should stop receiving mailings from that company in short order. But the GDPR even complicates this.

“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed…” the regulation states, but then goes on to say: “In a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” To further muddy the waters it continues by adding that “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes…in order to safeguard the rights and freedoms of the data subject.”4

The first statement seems to indicate that data about a recipient can be retained only while it is needed for processing. For a regular newsletter subscriber, it seems likely that retaining their information would be acceptable in order to provide the newsletter service. But what if the person unsubscribes? Or what if the email address is no longer valid (goes on hold)? Should any personal data for the recipient be removed at this point?

The structure of the GDPR seems to suggest that the answer to this is no unless the person has requested to be “forgotten,” which opens up a whole new can of worms.

I Forgot to Remember to Forget

One of the most controversial and discussed topics about the GDPR is its “Right to erasure (‘right to be forgotten’)” clause, which states that the “data subject” has the right to request the erasure of personal data.5 Of course, nothing is ever that simple. The regulation goes on to list the cases where a person may request erasure. Since these include processing for “direct marketing purposes,”6 we can assume that it applies to most email situations, but is it possible to request that a company erase all your personal information, even though you wish to remain a customer? And what about past metrics? If 25 subscribers clicked on links last year, then asked to be forgotten this year, what happens to that data? Data from previous years could be construed as “historical research,” which the GDPR says is okay to keep.7

If “forgotten” means you’re no longer anywhere in the system, and not simply, “we’re not going to send you any more email,” how would you know this? Surely you need to keep a record verifying that a person requested to be forgotten, but if you do, then they’re not completely forgotten. It reminds us of comedian Mitch Hedberg’s joke: “A man in an infomercial told me to forget everything I knew about comforters, so I did. Then he tried to sell me a comforter, but I didn’t know what it was.” If you don’t keep track of who asked to be forgotten, then how can you prevent them from being re-entered into your system? It’s ludicrous. The GDPR seems to suggest that a marketer has the right to retain the email address, since it’s required for compliance with the legal obligations of the states and is required by the email marketer for the defense of claims that the recipient might make.
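One way out of the paradox in the paragraph above, as an added example that is not code from the original post or from any ESP: erase the subscriber's record but keep only a keyed hash (HMAC) of the normalized address on a suppression list, so a re-signup can be refused without the company retaining the address itself. The key, the in-memory store and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example key. In production it lives in a secrets store, never in
# source: losing it orphans the suppression list, and leaking it lets anyone
# test guessed addresses against the list offline.
SUPPRESSION_KEY = secrets.token_bytes(32)


def normalize(address: str) -> str:
    """Canonicalize so trivial variants ("Alice@Example.COM ") hit one entry.

    Lower-casing the local part over-suppresses for the rare case-sensitive
    mailbox, which is the safe failure mode for an erasure list.
    """
    return address.strip().lower()


def suppression_token(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the normalized address. Without the key the stored value
    can neither be reversed nor checked against a guessed address."""
    return hmac.new(key, normalize(address).encode("utf-8"),
                    hashlib.sha256).hexdigest()


class SubscriberStore:
    """Minimal in-memory stand-in for an ESP subscriber table (constructed)."""

    def __init__(self):
        self.subscribers = {}   # normalized address -> personal data
        self.suppressed = set() # HMAC tokens only, no addresses

    def is_suppressed(self, address: str) -> bool:
        return suppression_token(address) in self.suppressed

    def subscribe(self, address: str, profile: dict) -> bool:
        """Refuse re-entry of an address whose owner asked to be forgotten."""
        if self.is_suppressed(address):
            return False
        self.subscribers[normalize(address)] = profile
        return True

    def forget(self, address: str) -> None:
        """Honour an Article 17 request: drop the data, keep only the token."""
        self.subscribers.pop(normalize(address), None)
        self.suppressed.add(suppression_token(address))
```

The suppression set holds nothing an auditor or attacker could turn back into an address, yet the store still blocks the address from being re-entered.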

Data Extraction

In Article 20, the GDPR is very clear that a person has the right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format.”8 This is the “data extraction” clause, and the way it is worded suggests that every email marketer intending to be compliant with the GDPR should have a mechanism that allows recipients to see the data that’s been collected on them. It just doesn’t say what this data might be. Data in demographic fields or associated one-to-many tables would seem like reasonable choices, but how about open and clickthrough data?

For both the data extraction request and the request to be forgotten, there are privacy and security issues left unaddressed by GDPR. You could, for instance, create a web form that lets an email address be “forgotten” when it’s entered, but then a malicious person could erase data just for kicks. Similarly, providing all the collected personal data on request should require some validation to ensure the recipient is actually requesting this data.

Many ESPs have added a request to be forgotten feature to their privacy policies requiring you to send an email to request this. While this wouldn’t appear to be automated, at least it’s a step towards ensuring the recipient is the one making the request. As for the request for data requirement, so far, only Goolara offers to extract the recipient’s personal data in electronic form. Since it is a requirement of the GDPR, we expect others will eventually comply.
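The validation the Data Extraction section above calls for (and the hacked-account risk raised under Identity Issues in Part 3) can be handled by tying the export to a single-use, short-lived token that is only ever delivered to the address on file, so the web form alone never releases any data. This is an added example, not Goolara's or any ESP's code; the subscriber record, token lifetime and pending-request store are constructed assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a confirmation link

# Constructed sample of what an ESP might hold on one subscriber: profile
# fields, the consent record, and engagement events.
SUBSCRIBERS = {
    "alice@example.com": {
        "profile": {"first_name": "Alice", "country": "DE"},
        "consent": {"double_opt_in_at": "2018-06-01T10:02:11Z"},
        "activity": [{"campaign": "june-news", "event": "click",
                      "at": "2018-06-05T08:12:00Z"}],
    }
}

# token hash -> (address, expiry). Only the hash is stored, so a leaked copy
# of this table cannot be used to collect someone else's export.
_pending = {}


def _token_id(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_export(address: str):
    """Step 1, from the web form. Returns the token to be emailed to the
    address on file, or None when nothing should be sent. The page shows the
    same "check your inbox" message either way, so the form does not reveal
    whether an address is on the list."""
    address = address.strip().lower()
    if address not in SUBSCRIBERS:
        return None
    token = secrets.token_urlsafe(32)
    _pending[_token_id(token)] = (address, time.time() + TOKEN_TTL_SECONDS)
    return token


def complete_export(token: str, now=None):
    """Step 2, from the link in the mailbox. Possession of the token proves
    control of the address, so only then is the structured export released."""
    now = time.time() if now is None else now
    entry = _pending.pop(_token_id(token), None)  # single use, even on failure
    if entry is None or now > entry[1]:
        return None
    address, _ = entry
    # Article 20 asks for a structured, machine-readable format; this dict
    # serializes directly to JSON or can be flattened to CSV.
    return {"data_subject": address, **SUBSCRIBERS[address]}
```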

Final Thoughts

While the goals of the GDPR are fairly clear and even laudable, it can be difficult to implement when the rubber hits the road. How do we both remove personal data and keep some for the purpose of honoring the unsubscribe? Do we really need to remove all demographics when someone unsubscribes? How do we implement features like data extraction and make it available for portability? We’d like to hear your thoughts on this in the comments below.

In Part Two, we’ll get a little deeper into the nitty-gritty of the GDPR, and look at the right to be forgotten in more detail.


1. Chapter 1, Article 4: Definitions

2. Chapter 2, Article 7: Conditions for consent

3. Recitals are brief descriptions added to the GDPR to help clarify certain terms and aspects of the regulation. At this time, there are 173 recitals!

4. Chapter 2, Article 5: Principles relating to the processing of personal data

5. Chapter 3, Article 17: Right to erasure (‘right to be forgotten’)

6. Chapter 3, Article 21: Right to object

7. Chapter 9, Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

8. Chapter 3, Article 20: Right to data portability