Breach or Blessing? Lessons from a Suppression List Slip-Up
A cautionary tale about a client who accidentally sent an 'oops' email, and what data protection lessons we can all learn from it.
How many times have you received an 'Oops, we screwed up' email in your inbox from that company you thought you unsubscribed from 5 years ago?
If you're like me, the answer is probably 'once a week for the last 20 years'. It's a common enough occurrence that most of us shrug, and chalk it up to 'shit happens'. Except for those handful of folks who take great umbrage that their inbox has been besoiled by these misdirected missives.
Still, it feels awful if you're the poor bastard who sent the email. And it's also mildly nerve-wracking and anxiety-inducing if you're the organization ultimately responsible. I suspect this is why some companies send out those ‘it was the intern!’ emails in response.
A few weeks ago, one of my clients, a medium-sized charity, called me in a bit of a panic after they had unintentionally committed this venial digital sin. As part of a marketing appeal, they had sent out a message both to their subscribers and around 10,000 people who had previously unsubscribed from their mailings. Whoops!
They had, in short, violated both the General Data Protection Regulation, and probably the ePrivacy Directive. They'd also arguably caused a technical data breach (at least from the DPC's perspective), though not a reportable one.
But for today's post, I’m going to skip the ePD and data breach aspects, and instead focus on what this lesson can tell us about the value of good data quality & management practices, and the importance of the GDPR’s accountability principles. For those who don't have the GDPR on mental speed dial, Article 5 says, amongst other things, that personal data must be:
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
accurate and, where necessary, kept up to date;
processed in a manner that ensures appropriate security of the personal data, including protection against unlawful processing, using appropriate technical or organizational measures.
These principles are often short-handed by data protection folks as the purpose limitation, accuracy, and security principles, and they are foundational pillars of the GDPR (and many other data privacy/protection laws).[1] Without the accountability principles, you might be saying you 'care about privacy' on paper, but you aren't protecting personal data. Or complying with the law.
In this case, my client had accidentally and unlawfully processed emails stored on their opt-out/unsubscribe list for a purpose that wasn't valid (i.e., they had no lawful basis to send out marketing emails to people who had unsubscribed).[2] They also should have had better technical and organizational measures in place to avoid sending out these emails in the first place. There's also an interesting accuracy issue buried in this tale as well. I'll get to that in a minute. In short, all of this can be chalked up to a case of poor data quality and data management as far as their email suppression list was concerned.
My client didn't do any of this on purpose, of course, and after we had a little chat, I gave them some guidance and they addressed the problem in a timely, respectful, and apologetic way. As is usually the case, most recipients took the whole thing in stride and ignored the message and the apology emails entirely. But a small percentage (around 0.16%) responded, with an even smaller number (~10 individuals) asking for access to their information or requesting that their data be erased. A few people responded negatively, but didn't otherwise ask for anything. None of this is unique to the client, and all my fellow DPOs are nodding right now at their keyboards.
What made this story interesting (and therefore blog-worthy) though, was that within that 0.16% response rate, most people who received the unwanted email were surprised that they had been unsubscribed at all and asked to be resubscribed. Some of them even took the opportunity to donate to the charity!
Needless to say, my client was elated to have something good come out of this slightly embarrassing error.
Experience Really is the Best Teacher
That said, I don't think that anyone should treat this as some sort of new marketing strategy. Most of the cases where I've witnessed this as a DPO have not ended on a happy note. Usually, it’s just a large number of angry people and demands to be removed again, with threats to complain to the regulator. My charity client's case was extraordinary, and was probably based on a combination of dumb luck and the fact that they support a very worthy cause.
But there are a few data protection-related teachable moments in all of this that I want to share:
Bad Data Quality & Management Makes your DPO Cry
As I mentioned at the outset, my client's data quality practices fell short of the ideal in this case. Operationally, for reasons I can't really discuss, it was easy for this particular mistake to have occurred, and for it to have hit such a large number of former subscribers. Certain technical controls were quite brittle, or missing altogether, including the workflows for handling unsubscribe requests and suppression lists.
It turns out that robust data quality practices are really hard, and depending on the existing systems and the organization’s technical, staffing, and financial constraints, perfect data quality and management may not always be achievable. Bad, inaccurate, or imprecise data means there's always a risk of something going wrong, even if the organization wants to do right by its customers/users/donors. It doesn't help that most companies see data protection & compliance as a cost center, rather than a way to build goodwill and customer relationships.
That said, we're all (data) sinners here. Anyone who claims that their house is perfectly in order (or that they're 100% GDPR compliant) is probably lying, or trying to sell you something. We should all strive to be better, and to meet the standards that the laws require. Fortunately, my client has been taking steps to improve their processes in response to this bit of human fallibility. As the wise data sages say, never let a good crisis / data breach go to waste.
Limited Choices May Leave Money on the Table
When I was chatting with Daragh O'Brien, who has been doing the whole data quality/management thing for a long time, he shared a valuable insight: my client's unsubscribe process was a blunt tool, rather than a precise, user-empowering data management process. And because of that, my client has literally been leaving money (and supporters) on the table.
To comply with laws like the ePrivacy Directive, most emails from organizations (commercial or nonprofit) have an unsubscribe / consent management workflow that looks something like this:
A person signs up to receive emails from the organization (e.g., to donate money, participate in a survey, or find out about an upcoming event).
The messaging and purposes are overly broad / all-or-nothing.
The organization sends dozens of undifferentiated emails to the person who signed up. Most of them just fill up the inbox, unread.
The person gets annoyed, and clicks the unsubscribe link, where they're presented with a confirmation page, and maybe a survey on why they're leaving.
The user unsubscribes, and promptly forgets about the organization.
A better approach would be for the unsubscribe feature to look more like this:

[Image in the original post: mock-up of the more granular unsubscribe options described below.]
Now, I'll leave it to the UX and marketing pros to explain why this may or may not be better from a design perspective, but it's absolutely better from an accountability/accuracy/data minimization perspective.
Give People Options
First, this approach gives individuals more control over what they actually want to see without adding too much cognitive load.
For example, I might enjoy receiving emails about events, initiatives, and a general email about what the organization is doing. But as a yearly donor to a few charities, I do not need to see a donor appeal message every week. Not only is that sort of thing generally ineffective, it gets annoying, especially if everyone is doing it all the time. Either align your processing with your stated purposes, or at least let people decide how often they want to hear from you.
Sadly, most unsubscribe options are usually binary — and if it's between 5-10 annoying emails a week or nothing — I'm going to go with nothing every time.[3] At that point, everybody loses: the organization loses engagement, and I forget that it ever existed. At least until I receive that accidental email. And then I’m probably annoyed.
In this case, my client was legitimately surprised (and moderately delighted) that so many of their former supporters were unaware that they had been unsubscribed. But it isn't surprising at all — it's bad data management. If they'd had more precise messaging options, that handful of one-off donors might have been ongoing donors — and the relationship would have been stronger. A few hundred dollars here and there adds up…
But there's a second reason for granularity here: It provides organizations with better, less obtrusive metrics on what works (and what doesn't).
Say the marketing team is firing off weekly donor appeals / product announcements / upsells, or those pointless 'Step 1 of 49 of how to use our product' messages that nobody actually reads. A targeted unsubscribe (and/or an email frequency toggle) provides more clarity on exactly what people are sick of seeing — and what they're comfortable with, as well as how often they want to see it. And it avoids the organization fading into the shadows, never to be thought of again.
Above all, it tightly couples the data collection and processing purposes in a transparent way, and dramatically lowers the shock factor of receiving a sudden email out of the blue when the occasional human screw up occurs.
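To make both points concrete (the brittle suppression controls mentioned earlier, and the per-purpose unsubscribe argued for here), below is a small Python illustration added for this post. It is not the client's code and not any mailing platform's API; the purpose names, function names, and sample addresses are all made up for the example. It shows the two controls that would have stopped the incident: addresses are normalised before they are compared against the suppression list (so 'Jane@Example.COM ' and 'jane@example.com' are treated as the same mailbox), and the send step fails closed, refusing to produce a recipient list at all if the suppression list could not be loaded. Opt-outs are recorded per purpose, with '*' standing in for the old-style global unsubscribe.

```python
"""Per-purpose suppression check for a mailing run.

Added illustration for this post: not the client's system and not a real
mailing platform's API. Purposes, names and addresses are all constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# The purposes a supporter can opt out of individually. The all-or-nothing
# workflow has a single switch; here the unsubscribe link writes one of these.
PURPOSES = ("donor_appeal", "events", "newsletter")
GLOBAL = "*"  # legacy "unsubscribe from everything"


def normalize(address: str) -> str:
    """Canonical form used as the suppression key.

    Byte-for-byte comparison is the brittle part: a raw string match will
    happily mail 'Jane@Example.COM ' when the list only holds
    'jane@example.com'. Domains are case-insensitive; the local part is
    treated that way too, because for a suppression list a false positive
    is one fewer email and a false negative is the incident in the post.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return f"{local.lower()}@{domain.lower()}"


@dataclass
class SuppressionList:
    # normalised address -> purposes the person has opted out of
    entries: Dict[str, Set[str]] = field(default_factory=dict)

    def opt_out(self, address: str, purpose: str = GLOBAL) -> None:
        if purpose != GLOBAL and purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.entries.setdefault(normalize(address), set()).add(purpose)

    def is_suppressed(self, address: str, purpose: str) -> bool:
        opted_out = self.entries.get(normalize(address), set())
        return GLOBAL in opted_out or purpose in opted_out


def build_send_list(recipients: Iterable[str], purpose: str,
                    suppression: Optional[SuppressionList]) -> List[str]:
    """Return the addresses that may receive a message for `purpose`.

    Fails closed: with no suppression list there is no send list. The
    incident in the post is what happens when this check is optional.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")
    if suppression is None:
        raise RuntimeError("suppression list unavailable; refusing to send")
    allowed: List[str] = []
    seen: Set[str] = set()
    for raw in recipients:
        try:
            addr = normalize(raw)
        except ValueError:
            continue  # malformed rows never reach the mail provider
        if addr in seen or suppression.is_suppressed(addr, purpose):
            continue
        seen.add(addr)
        allowed.append(addr)
    return allowed


def send_is_refused_without_suppression(recipients: Iterable[str],
                                        purpose: str) -> bool:
    """True if the fail-closed guard blocks a send with no suppression data."""
    try:
        build_send_list(list(recipients), purpose, None)
    except RuntimeError:
        return True
    return False


# Constructed sample data for a dry run.
SAMPLE_RECIPIENTS = [
    "jane@example.com",      # globally unsubscribed years ago
    "Bob@Example.org",       # only tired of donor appeals
    "carol@example.net",     # fully subscribed
    "carol@example.net",     # duplicate row in the export
    "garbage",               # malformed row
]


def sample_suppression() -> SuppressionList:
    sl = SuppressionList()
    sl.opt_out("Jane@Example.COM ")            # legacy global unsubscribe
    sl.opt_out("bob@example.org", "donor_appeal")
    return sl


if __name__ == "__main__":
    sl = sample_suppression()
    for p in PURPOSES:
        print(p, "->", build_send_list(SAMPLE_RECIPIENTS, p, sl))
```

Run as a script, the dry run shows Bob dropping out of the donor appeal but staying on the events and newsletter lists, Jane receiving nothing, and Carol appearing once per purpose. The design choice worth copying is the `None` check: a missing or unreadable suppression list aborts the run rather than silently sending to everyone.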
I get that I am likely scandalizing/offending marketing pros with this — and as I mentioned above, there may be better approaches from a user experience perspective. But from a data protection angle, provided that the options are tightly coupled with the exact purposes of processing, not hidden in a dark pattern maze, and are clear and easy to distinguish, an organization will be in a better place overall.
Though I'm sure that no matter what you do, you'll always get that small percentage of people outraged that they received that accidental email after unsubscribing. But at least you'll keep your customers (and your DPO) happy.
NB: That picture is Leroy as a kitten, nearly 8 years ago. He was meowing, but I felt like he channels the mood and my rage nicely.
[1] Some pedants might also argue that this violated the data minimisation and storage limitation principles (5(1)(c) and 5(1)(e) GDPR), and to that I say, go duke it out in the comments. And for you ePrivacy Directive geeks, yes, I know that's also an issue. Don't @ me.
[2] To be clear, my client did have a lawful basis for keeping the emails -- they needed to know who to avoid emailing in the first place.
[3] Looking at you, security compliance vendor who shall remain nameless, but should absolutely know better. My client does not do this, because they know I would be sad.
Where's Leroy? Is it me or am I missing his picture?