GDPR
Posted: Sun May 20, 2018 6:42 am
As you know, GDPR is becoming effective on May 25, 2018, which is a great thing. I've done a bunch of reading, and I don't see that we need to change anything to be compliant. We've never sent even one message to our user base (we do send account confirmation and password reset messages of course, and we try to reply to individual users who email us), our privacy policy is strict, and we stick to it. We've never shared our (sparse and likely near worthless) user information with anyone or used the information for any purpose other than providing the service, and we don't plan on ever doing any of that kind of stuff.
It's worth noting that I designed the system from the start to avoid having any personal data as it was then defined by EU laws. While it's true that we're really not interested in your demographic information, it was happily also true that our data structure fell short of including more than one item of personal info - your protected email address - and for quite some time I was confident we fell outside the regulations altogether. Now I'm less sure, since the definition seems to have expanded. (Certainly your email goes through the system and lots of things could be in that. But we merely forward it, and we don't look at it other than putting our tags in the headers/subject line and swapping out your email address if you have reply address masking enabled).
But there is one real concern I have, and I'm not sure what I can do about it -- that's false reporting. When our users get email messages through spamgourmet and report them as spam, sometimes the reporting systems are not smart and they blame spamgourmet along with (or instead of) the true source of the message. Fortunately this is somewhat rare and hasn't happened for a while, but when it does, it's a nightmare - we've wound up on spam block lists that way (which prevents a whole lot of our users from receiving their mail) and had to scramble and tell the story to a bunch of hostile people over and over in order to get removed. Indeed there are some mail services who just permanently block us - and can't be reasoned with by us or our affected users - their customers. (Those users either have to find another email provider or not use spamgourmet - and possibly not any other forwarding service either.)
These false reports have been way out in front as my least favorite part of running spamgourmet. My concern is that, with GDPR, their effects could get a whole lot worse. We definitely don't have the resources to fend off regulators who wrongly think we have personal data and that we're spamming our users, and the potential consequences are dire. I don't think anyone right now knows exactly what the enforcement mechanism will be like - I never want to find out...
I would welcome any brainstorming on this topic. I'm an American, so it's not really in my face day to day. I'm sort of in wait-and-see mode right now, and I'm hoping for the best. A worst-case scenario definitely has the potential to force us to shut down the service, though, so I want to be up front about that, and also ask for help thinking through it.