Commentary

GDPR Buffoonery: Email Addresses Widely Leaked In Privacy Notices

Ghostery was ridiculed this week for exposing the email addresses of privacy notice recipients. How unfair--it wasn’t the only firm to mess up: Consumers have also reported “GDPR email fails from MPs, university computing clubs, restaurants, shops, writers' groups and local councils,” according to the UK’s Register.

Case in point: Nutrition biz Vitl. The provider of diet and lifestyle plans sent “an email to multiple users rather than BCCing them,” the Register adds.

“Oh dear @VITLhealth cares about our privacy, yet doesn't seem to mind giving everyone's email address out to complete strangers- awkward,” one customer tweets, according to the Register.  

In its apology, the firm states that the mishap affected only a “small number” of users -- a claim that has further infuriated customers, one of whom calls it a “cop-out.”

But that was only one episode. According to this report, another person tweets: “Received a GDPR email from my old university computing society. They didn't BCC people when sending it out or send it as individual emails. Received 1000 ex/current member emails.”

Yet another says: “One of our suppliers just sent us an email, addressed to all of their customers, about GDPR. They forgot to BCC all 720 email addresses.”

It’s bad enough to flood inboxes with GDPR consent notices, some of which are incomprehensible. But leaking recipients’ email addresses is in direct conflict with GDPR, and is not likely to reassure consumers that their data is safe.

Not that these mistakes were perpetrated with evil intent: they seem to be the result of pure technical incompetence. 

At deadline, there was no sign that the UK Information Commissioner’s Office or any other authority had taken action.

The Ghostery screw-up resulted in the leak of email addresses in several batches of 500.

It remains to be seen whether consumers will be satisfied with Ghostery’s mea culpa. On Saturday, the web browser extension provider tweeted: “Due to a technical issue, Ghostery sent out an email that resulted in the exposure of some Ghostery users’ email addresses. We sincerely apologize.”

The company blames a new email distribution tool for the leak, and says it has stopped using the tool. 

All that aside, the parade of GDPR product launches marches on: 

  • DiscoverReady has launched a GDPR compliance program, designed to help clients meet the new requirements. 
  • Box, the cloud-based content management and file sharing service, is offering multizone support for its Box Zones, designed to ensure GDPR compliance. 
  • OneTrust has updated its cookie consent and website scanning solution to help firms comply with GDPR. By the way, you have to accept a cookie to read this announcement.   

Meanwhile, there is silence in Brussels.
