A company tried to buy my email list

Lauras Law

I have a beauty website with just over 37,000 registered users. A few weeks ago I was contacted by a company who wanted to purchase the list of email addresses of all 37,000 of my users. I turned them down straight away. I value my members privacy too much and I've worked too hard to build up my audience to risk it all for a small payout.

But the reason why I'm here is to try and understand why this company would be trying to buy these emails? If I had given them my 37,000 email addresses what would they do next with that? I thought it was illegal for a business to email a person without previous agreement to do so? How would it have benefited them?

Stanford

Do a % of these people represent business opportunities for this company?

Lauras Law

Stanford wrote: »

Do a % of these people represent business opportunities for this company?

Yes, my users would be the exact target audience for this company. Also it's a legit UK company which surprised me even more that they were trying to buy emails.

Stanford

Well thats your answer then, if you had sold the list you could have been fined under the GDPR rules, they could offer their products to your customers on the basis that even if a % bought it would represent a good (if not illegal) business opportunity.

Its not illegal per se to e-mail somebody provided you offer an opt-out clause

gozunda

OP - remember you also have legal obligations under GDPR regulations and legislation as to your customers personal data including their email addresses ...

See:
http://gdprandyou.ie

NSAman

Lauras Law wrote: »

I have a beauty website with just over 37,000 registered users. A few weeks ago I was contacted by a company who wanted to purchase the list of email addresses of all 37,000 of my users. I turned them down straight away. I value my members privacy too much and I've worked too hard to build up my audience to risk it all for a small payout.

But the reason why I'm here is to try and understand why this company would be trying to buy these emails? If I had given them my 37,000 email addresses what would they do next with that? I thought it was illegal for a business to email a person without previous agreement to do so? How would it have benefited them?

Quick access to similar clients and probably sales oriented.

I run a few businesses with around 200K active clients on them. I get these offers all the time. Never do I divulge my clients information. Never would I allow anyone to strip the company of that information. It is your business after all and you faught hard to get those clients. If you sell the business with 37K active clients that is money in the bank for a potential purchaser.

rd1izb7lvpuksx

Stanford wrote: »

Well thats your answer then, if you had sold the list you could have been fined under the GDPR rules, they could offer their products to your customers on the basis that even if a % bought it would represent a good (if not illegal) business opportunity.

Its not illegal per se to e-mail somebody provided you offer an opt-out clause

It is unlawful to use personal data (including email address) without consent for direct marketing purposes. You can't send marketing email and cover yourself with an opt-out.

tayto lover

How much did they offer?

Stanford

OP you would be well advised to raise a concern with the Data Protection Commissioner to protect your own interests in this matter

https://www.dataprotection.ie/

Stanford

tayto lover wrote: »

How much did they offer?

And the relevance of this is???????????????

dudara

Depending on how you collected the email addresses, and the details of your privacy policy, you may not be able to sell the email list either.

Nothing wrong with buying / selling email addresses, but all sides need to be very transparent that it is taking place.

Lauras Law

Just to clarify, I am not, and will not be selling my users email addresses to any 3rd party.

I just want to understand how purchased emails could be of any use to a company if its illegal for them to actually email those people.

Stanford

You have no guarantee that they will behave legally

rd1izb7lvpuksx

Mr.S wrote: »

If you specifically mention in your ToS / sign-up / checkout page etc giving customers the option to "receive special offers from third parties" (or variants of that messaging) then you would be able to sell the lists of third party opt-in's and be GDPR compliant, no?

For B2C, under GDPR and PECR, no. If you are relying on consent as the lawful basis for processing, then you will need to collect informed consent from the user for each company that you share their email with, and be able to demonstrate that they understood that they were providing consent for that company to process their details for marketing purposes. A recent ruling in France affirmed that consent cannot to another controller through a contractual relationship, so you would have to be very careful.

For B2B, PECR means marketing is fine with an opt-out.

killanena

tayto lover wrote:

How much did they offer?

Stanford wrote:

And the relevance of this is???????????????

He asked a question out of curiosity. I would like to know also if the op is willing to share that information.

Simple_Simone

Lauras Law wrote: »

I just want to understand how purchased emails could be of any use to a company if its illegal for them to actually email those people.

Perhaps the purchaser could circumvent GDPR by issuing emails to your contact list from a country outside the EU?

rd1izb7lvpuksx

Lauras Law wrote: »

Just to clarify, I am not, and will not be selling my users email addresses to any 3rd party.

I just want to understand how purchased emails could be of any use to a company if its illegal for them to actually email those people.

It's probably unlawful for them to store those people's PII at all, even without emailing them. Very hard to see a lawful outcome for them.

dudara

Simple_Simone wrote: »

Perhaps the purchaser could circumvent GDPR by issuing emails to your list from a country outside the EU?

. Doesn’t matter, GDPR will still apply as the recipients reside within the EU. GDPR has implications for any business in the world dealing with EU residents. Some US websites have simply stopped serving content in the EU rather than deal with GDPR.

rd1izb7lvpuksx

Simple_Simone wrote: »

Perhaps the purchaser could circumvent GDPR by issuing emails to your contact list from a country outside the EU?

GDPR applies to data about European residents held anywhere in the world - there's no geographic limitation.

Stanford

Simple_Simone wrote: »

Perhaps the purchaser could circumvent GDPR by issuing emails to your contact list from a country outside the EU?

It is the illegal acquisition of these addresses that flouts GDPR in the 1st place

OldMrBrennan83

Could it be got around with a simple consent popup thing? The vast majority of people don't read those and just click ok, especially since they're on all websites now.

Stanford

Patww79 wrote: »

Could it be got around with a simple consent popup thing? The vast majority of people don't read those and just click ok, especially since they're on all websites now.

Who would be asked to "consent" and why would PPI be needed for pop-ups?

Lauras Law

A large number of my members are based in Canada and the US. Maybe it wouldnt be illegal for a company to email consumers without permission in these countries?

EmptyTree

Stanford wrote: »

It is the illegal acquisition of these addresses that flouts GDPR in the 1st place

Is it A. the acquisition, B. the sale or A and B of the data that is illegal?

368100

Stanford wrote: »

And the relevance of this is???????????????

*eyerolls*