I bought one, but I have to give a recommendation:
Please don't have full name and address as a requirement to see the extreme shipping prices, and hence full price of the product. (Country should be good enough for shipping estimates)
Especially when you then send an E-mail using that name saying "Hi NAME You left items in your cart"
...that both makes your prices way less transparent and is a misuse of data.
I put in a name to see the shipping prices, not to get advertising.
To be honest that is also a reason for me to delay the purchase.
In the EU at least it is illegal to use data for other purposes than what was stated, and I did not sign up for advertising, I just checked prices and was just about to buy it.
So while I look forward to the Hubitat arriving, I am worried about what data you are keeping in your databases and systems, since it seems like you use the shipping information for personalised advertising.
I'm no GDPR expert, but it doesn't sound like misuse of data to inform you on purchase status during a purchase process. If you received emails outside that process, that seems more like it would fit your comment.
Did you have a specific statement in the GDPR that applies to this? Genuinely curious.
I have received those types of emails from various sites, so I started to put fake information and a random address in my area to check shipping rates.
Sure, I work with GDPR at my job, so I can indeed give details.
An issue with giving information is that it creates culpability and some perceive it as hostile to quote law, so not my first choice, but since you ask:
First point is consent, where Recital 32 makes it very clear that consent has to be:
Given freely
Not unnecessarily disruptive
For each specific purpose
and:
Silence is not consent
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
Since I was surprised that I suddenly got an E-mail with my name, I would say that it also triggers Recital 58.
It was not clear to me that trying to get the price for the product (which requires an E-mail address, full name and full address) would mean the data would be used for advertising.
It is not common and I know that at least in my country airlines have gotten stern warnings for requiring too much data before showing a price.
It is considered bad business ethics to do so and is in a legal grey area.
Companies usually don't do it as it annoys customers, and they usually follow guidance from authorities when given warnings.
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.
Such information could be provided in electronic form, for example, when addressed to the public, through a website.
This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
You can read the full text and verify the claims here: https://eur-lex.europa.eu/eli/reg/2016/679/oj
I use the more specific links of the unofficial site, as it makes it easier to get to the right section.
We could go even deeper into whether this is improper processing, but I assume that is given if it is established that consent to the processing was never given, so pointing to Article 5 gives a good hint:
Article 5
Principles relating to processing of personal data
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
We have (c) on data minimisation: are the full name, address and E-mail needed for the purpose of finding out what the shipping costs are?
I would say no, only country is needed.
Then (e) on not keeping the data after the purpose (checking shipping price) has expired: "no longer than is necessary for the purposes for which the personal data are processed".
That I get the E-mail a day after is a clear indication of the information being stored way past its initial purpose. Even if advertising were considered part of checking a price in a store (it isn't), the full name would not be needed.
GDPR applies to all companies selling into EU:
(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
I apologise for the long post, but I was explicitly asked to quote sources.
We can argue law for a long time and I can recommend a lawyer I know who specializes in GDPR if you want to get 100% into it and pay for his hours.
The intention of GDPR is to make it easy to do what is necessary, but annoying, hard and in some cases illegal to gather and misuse data outside of what is strictly necessary.
The simple fix is:
Data minimisation
Be transparent
Don't require more information than needed
Ask permission for everything that you want to use the data for
The text has to be short and easy to understand, especially if 16-year-olds or younger can buy the product. (Recital 58)
Quoting law can seem harsh and accusative, hence why I did not include the details.
But hopefully this can be a little crash course on the important parts of GDPR.
A good learning opportunity.
These quoted sections are indeed the parts of GDPR that most companies have issues with; you are not alone.
A lot of companies have been used to a time where customer data could be stored indefinitely and used for advertising without any remedy for the customer.
LOL...I have a feeling my wife would assess penalties far more painful than anything the EU or German courts could dream up if I spent "her money" arguing w/a GDPR lawyer. I'll pass on that.
Thanks for all the background. I hope you will forgive me if I don't follow every link, but you certainly documented your concern very well. I'll leave it for HE staff to respond further.
Thank you for creating this as a separate topic and reading it.
Yes, the links are not strictly needed, they are references to the quote-block to document that they are correct.
Following the links would not give you anything extra.
They are just nice to have compared to an "According to this forum post".
Then we can reference the real GDPR rather than a tangent of "is the quote correct or not".
Personally I use the PDF of GDPR the most; I have bookmarks and notes there.
But the deep links are better when the target audience is at the management layer.
I am used to documentation never being read.
Again, thank you for taking your time to both read and ask questions on this very interesting topic.