Why You Get Emails From Every Company You’ve Ever Used, and How to Stop It
If you’re anything like me, you’ve spent the last week feeling grateful you’re able to work anywhere without much inconvenience. In the wake of the coronavirus’s spread and the subsequent national emergency declaration from the United States government, many of us are engaging in social distancing practices like working from home or avoiding large gatherings. For me, this has meant some additional time to keep up with my personal email inbox — an activity I usually reserve for every couple of weeks.
Now that I’m paying closer attention, I’ve noticed a surprising number of email responses to Covid-19 from companies I either hadn’t engaged with in quite a while or didn’t realize had my name and email information. Aside from hearing from every single travel sector service I’ve ever used attempting to avoid massive losses, I also received a heartfelt message about increased sanitation practices from my old gym, located in another country, and which I quit two years ago.
It appears I’m not alone — Twitter was abuzz last week with some frustrated, but mostly humorous, observations around coronavirus email notices. We’re all wondering why businesses that we haven’t interacted with in years feel the need to update us on their actions.
These businesses are likely looking to minimize revenue impact and use the moment to embrace corporate responsibility. However, in reaching out to inactive, indirect, or churned customers, they are also revealing more about their data collection, curation, and compliance practices than perhaps they intended.
Companies, particularly small businesses, that keep personal data long beyond the time required to render services put consumers at risk, because they often do not follow generally accepted information security practices. Even companies with well-reasoned information security policies and governance processes fall victim to data breaches, and times of uncertainty like these encourage cybercriminals to increase activity. So, while you’re engaging in social distancing, take a moment to understand how all of these emails ended up in your inbox and what you can do about it.
How do these companies still have your email address?
Given that almost all email senders provide an ability to opt out of further messages, you are probably well aware of the newsletters, brand messaging, and bills you allow to routinely pop up in your inbox. In some countries, such as European Union member states, you actively opted in to marketing or other emails in order to receive them in the first place. In most other countries, such as the United States, the “ick” factor and spam filters tend to weed out emails from companies to which you did not explicitly provide your information.
Companies typically collect your email when you do one of the following:
- Sign a contract or look to complete a transaction
- Sign up for a newsletter or marketing messages
- Sign in to receive a service like free Wi-Fi or coupon redemption (free Wi-Fi co-ops like Purple Wi-Fi or Inkspot provide your email address to more businesses than you might realize)
When you provide your contact details, the fine print in the terms and conditions usually gives the collecting company the right to use your data for a variety of purposes beyond your original intent. This could include retaining your details indefinitely for the purpose of fulfilling a contract, behavioral advertising, analytics, or data sharing.
When I signed up for my old gym membership at a popular U.K. fitness chain three years ago, I gave my email, phone number, and address as part of the initiation process. When I discontinued my membership, it didn’t occur to me that the chain would hang on to my personal information. Technically, when I provided it and then failed to request they delete it upon termination of our contract, I gave them every right to do so.
It’s clear this particular gym chain has poor email hygiene practices, given it wasted resources delivering me a Covid-19 message intended for current members. Yet, this instance is emblematic of a larger problem. While churned or inactive consumer data may provide businesses with valuable marketing insight, the security and privacy risks to consumers of holding the data indefinitely outweigh the benefits to any one particular business. This example, and those experienced last week by the Twittersphere, illustrates the need for more proactive implementation of two popular privacy principles: data minimization and data retention.
Data minimization and data retention principles
These two privacy principles are not new to privacy professionals, but they were most recently revived in the EU’s 2018 General Data Protection Regulation (GDPR).
The GDPR states in Article 5(1)c that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).” In layman’s terms, companies shouldn’t take more data than what’s needed to perform the intended service. For example, my gym might need my email or my phone number to contact me, but they might not need to collect both.
An extreme example of data minimization in practice is how the VPN service Mullvad provides and takes payment for its software. Mullvad collects no personal data from its users. Instead, the user is provided with a download record ID number, which can be used to pay the monthly subscription fee indirectly via PayPal. Since Mullvad does not collect or store any personal information, and does not need it to render its services, you must keep track of your record ID in order to keep your account live.
If a company must collect personal data in order to perform services or deliver marketing content, the company should be sure to obtain opt-in consent and have a clear data retention policy.
Under the GDPR, data collectors are required to limit storage, or retention, of identifiable personal data to no longer than is required to perform the intended and communicated purpose. Under Article 5(1)e, this storage limitation principle requires a data collector to maintain a data retention policy. In other words, the law does not permit indefinite retention periods for identifiable personal data. One could reasonably argue that my old gym in the U.K. is in violation of this Article, given they have no need to retain my personal email address after terminating our contract.
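To make the storage limitation principle concrete, here is a small Python check that a business could run over its own customer records. It is an added example written for this post, not code from the article or from any company it mentions. Every record carries the purpose it was collected for and the date that purpose ended (contract terminated, consent withdrawn); each purpose has a retention window; records past their window are flagged for deletion, and records whose purpose is not documented at all are flagged for review, since nothing justifies holding them. The purpose names, retention windows and sample records are all constructed for illustration, not taken from any real policy.

```python
"""Retention-policy check: flag records held past their purpose's window.

Added example, not part of the original article. The retention windows and
the sample records are constructed; a real policy would take its windows
from documented business and legal requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention windows, in days after the purpose ended.
# A window of 0 means "purge as soon as the purpose no longer applies".
RETENTION_DAYS = {
    "contract": 365,     # e.g. keep until billing disputes could still arise
    "marketing": 0,      # consent withdrawn -> delete immediately
    "newsletter": 730,   # constructed value
}


@dataclass
class Record:
    email: str
    purpose: str                   # documented reason for holding the data
    purpose_ended: Optional[date]  # None while the purpose is still active


def retention_deadline(rec: Record) -> Optional[date]:
    """Date from which the record may no longer be kept (None if still active)."""
    if rec.purpose_ended is None:
        return None
    return rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.purpose])


def review_records(records, today: date) -> dict:
    """Split records into those due for deletion and those needing review.

    'delete': purpose ended and the retention window has elapsed.
    'review': purpose is not in the documented policy, so retention cannot
              be justified; a human must decide (usually: delete).
    """
    result = {"delete": [], "review": []}
    for rec in records:
        if rec.purpose not in RETENTION_DAYS:
            result["review"].append(rec.email)
            continue
        deadline = retention_deadline(rec)
        if deadline is not None and today >= deadline:
            result["delete"].append(rec.email)
    return result


# Constructed sample data: one churned gym member, one active member,
# one newsletter subscriber who recently unsubscribed, one withdrawn
# marketing consent, and one legacy record with no documented purpose.
SAMPLE_RECORDS = [
    Record("churned-member@example.com", "contract", date(2018, 3, 1)),
    Record("active-member@example.com", "contract", None),
    Record("unsubscribed@example.com", "newsletter", date(2020, 1, 1)),
    Record("withdrew-consent@example.com", "marketing", date(2020, 3, 16)),
    Record("legacy@example.com", "analytics-legacy", date(2016, 6, 30)),
]


def run_example(today: date = date(2020, 3, 16)) -> dict:
    """Apply the policy to the sample records as of a fixed date."""
    return review_records(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    outcome = run_example()
    print("delete:", outcome["delete"])
    print("review:", outcome["review"])
```

The point of the `review` bucket is that a record with no documented purpose is the real hazard: it is exactly the kind of "ghost" data that never gets purged because no process ever asks what it is for. In a production job the `delete` list would feed an actual erasure routine (and the erasure would be logged), but the decision logic is the part a policy needs to spell out.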
Unfortunately, most countries still do not have regulatory requirements around data minimization and retention. Even in countries that do, many companies are able to provide acceptable justifications for collecting and storing vast amounts of personal data in order to render their services. This means you and I may leave “ghost” trails, including data we provide to companies at one stage in our lives that we quickly forget about after those companies become irrelevant to us.
How can we reclaim our ‘ghost’ data?
If you’re worried about your personal data being vulnerable to data breaches or just simply annoyed by the myriad Covid-19 emails you received this week, there are a few things you can do to reduce your risk:
1. Personal data hygiene “spring cleaning” — Every year, many of us attempt to engage in a spring “purge” of non-essential household items and articles of clothing. Why not use this time to re-evaluate your personal data clutter? Each quarter, take a look at the following and request deletion of your data (in the EU, every company to which GDPR applies must allow for this) or account rather than just unsubscribing. This will ensure your data is purged rather than remaining in a database unused.
   - Go to your web browser’s settings and preferences page and audit your list of saved accounts and passwords. Chances are, if you have a username and password for a service, that service also has some subset of your personal information. If you no longer wish for a company to hold your data, sign in to your account and request deletion.
   - If you have a smartphone, perform an audit of the apps you’ve downloaded and their privacy settings, as I’ve suggested in a previous article.
2. Encourage regulatory enforcement — While personal data hygiene is important, it also puts the burden on consumers to protect themselves in an increasingly digital services economy. Data minimization and retention standards are still ill-defined in much of the world. If you are concerned about the risks that poor corporate cybersecurity practices pose, write to your representatives and encourage them to take action on data minimization and storage requirements.
3. Data sharing “wallet” services — Given how difficult it is to keep track of where we’ve shared our data, a number of privacy-conscious digital “wallet” startups have popped up to help us manage our exchanges with data collectors. Tech-based platforms such as Israel’s Mine or Australia’s Tide Foundation have built tools and frameworks to allow consumers to determine who holds our personal data and to exercise our data privacy rights. The goal of these initiatives is largely to empower consumers to pick and choose with whom we share data and to enable a fair value exchange (one through which these services eventually hope to take a margin).
If you’re feeling excited to do a data purge and are comfortable with sharing your email briefly, I recommend taking a look at one of these tools. If you do test them out, be sure to ask them to delete your personal data when you’re done.
This time, a global pandemic reminded us all of our carelessness when it comes to sharing our personal data. In an age of easy access to data and increasing rates of cybercrime, it’s important we stay aware of who holds what data, and for how long, in order to avoid its misuse. If, heaven forbid, there is a “next time,” my hope is we’ll all have managed our personal data well enough to receive fewer emergency response emails. Now, please excuse me while I go submit about 100 deletion requests.