How The GDPR Is Still Ruining Christmas
from the privacy-what? dept
Late last year, I wrote about how the GDPR almost ruined Christmas in one German town, where it was determined that the annual tradition of kids putting their wishes on a tree in the center of town (to be fulfilled by local town officials) would violate the GDPR. Some people did figure out a “workaround” involving some pointless bureaucracy in getting parents to first sign “consent” forms to allow the town to do the same thing they’ve always done for years without a problem.
However, now we have another story of the GDPR ruining another Christmas tradition in a different way. This tradition? Taking back the awful presents people give you that you don’t actually want. At least some retailers are telling people that doing so under the GDPR requires them to inform the original purchaser that you really didn’t like their gift:
While the pilgrimage to take back garish jumpers and superfluous socks is a new year’s tradition as familiar as taking down the Christmas tree, data rules now oblige internet retailers to tell a buyer when an item they have bought is returned – regardless of whether it was a gift.
In some cases, companies are warning customers that they should inform the gift-giver themselves that they are making the return – before the company has to let them know.
In one instant, a father returning a child’s coat to Boden was told that the original buyer would be informed ‘due to data protection regulations’.
I’m sure some can try to spin this as a way of forcing people to be a bit more honest about not liking the awful sweater their dear old aunt bought them for the holidays, but, really… how exactly is this protecting anyone’s “data”? If anything, it seems to be violating more people’s privacy in revealing what they do with the crap presents they never wanted in the first place.
The article notes that not all retailers are doing this, but it does appear many believe it’s necessary:
Eleven of the 30 retailers approached by The Mail on Sunday said they would have to inform buyers if gifts they had bought were returned.
The article does quote some “data protection” officials saying that retailers don’t need to do this, but at the very least it highlights the same thing we keep pointing out about the GDPR and other attempts to regulate the internet. When these grand sweeping regulations are written in ways that are so vague and broad — with such massive punishment for getting things wrong — no one should be surprised when the end result is utterly ridiculous.
Comments on “How The GDPR Is Still Ruining Christmas”
Ploy by retailers to avoid returns.
You don’t appear to have made any effort to more than vaguely wonder on the key point, just rushed to use it as excuse for attack on GDPR.
If is retailers doing it to avoid returns, which is my bet because what could possibly be the rationale, then you have the culprits completely wrong.
With "journalists" like you spreading FUD on just bias, it’s no wonder that there’s confusion.
If turns out your bias is wrong, you won’t report that.
Re: Still lying l
Looks who’s back to darken our doorstep.
Re: Ploy by retailers to avoid returns.
Yes, instead of just “GDPR bad” how about finding out what feature(s) of GDPR make these merchants believe they need to do this. There’s nothing in the regs that I can think of that requires it.
Re: Re: Ploy by retailers to avoid returns.
I could see Article 13 section 3 being interpreted that way. Returns could easily be assumed to be a different purpose than purchases, especially if the retailer is set up such that sales and returns are in different departments such that data has to be transferred from the sales department to the returns department in order to complete the transaction.
Re: Re: Re: Ploy by retailers to avoid returns.
This is… screwed up. GDPR is one of the shiniest examples of why the road to Hell is paved with good intentions.
Re: Re: Re:2 Ploy by retailers to avoid returns.
What good intentions? It’s been pretty clear since the beginning that it was driven principally by malice and the desire to harm American tech companies.
Re: Ploy by Trolls
So your pure speculation is somehow better than TD’s opinion? Because “They want to reject returns” is just baseless and unsupported.
I’t the TD Blog – where Mike and others give their opinion. We can go to your website to see your super-better opinion, right? What is that link again? http://www.tinfoiliscommonlaw.com
Re: Re: Ploy by Trolls
Meh. He has a point. Why wouldn’t they want an excuse to reject returns?
Rule of Acquisition #1: Once you have their money, never give it back.
Re: Re: Re: Ploy by Trolls
Why not both?
😉
Re:
You have done nothing to clear up that so-called “confusion”, so how about you shut the hell up when the grown folks are talking.
Re: Re:
Not my problem you got coal for Christmas, blue.
There Shall be No Joy in Sombertown*
How The GDPR Is Still Ruining Christmas
The GDPR and it’s anti-Christmas minions are mere pikers in comparison to the Burgermeister Meisterburger.
"Toys are hereby declared: illegal, immoral, unlawful, and anyone found with a toy in his possession will be placed under arrest and thrown in the dungeon. No kidding!" ~ Burgermeister Meisterburger, mayor of Sombertown
https://christmas-specials.fandom.com/wiki/Burgermeister_Meisterburger
https://www.youtube.com/watch?v=TX87QQLVD5k
*Borrowed from Santa Claus is Comin’ to Town
Really...?
Is this truly a widespread thing? This TD article quotes from an article in the Telegraph, which in turn seems to be quoting from an article (which I can’t actually find) in the Mail on Sunday.
The MoS is quoted by the Telegraph as saying 11 of 30 retailers approached have such policies, but is there much support for this?
The only retailer actually identified in the Telegraph as having this GDPR policy is Bodens, a company with apparently just three high-street shops nationwide and some concession stands in two-dozen branches of John Lewis. They’re not really what I’d call a household name – and before this article appeared, I’d never even heard of them.
Perhaps if someone can find the original MoS article, there might be something a bit more compelling than the very thin and questionable evidence currently on show.
Re: Really...?
They’re an online retailer. You might as well call Amazon “not a household name” using their lack of stores as the same rationale.
Re: Really...?
“Bodens, a company with apparently just three high-street shops nationwide and some concession stands in two-dozen branches of John Lewis”
Why is their physical footprint relevant to an article specifically talking about online retail?
https://en.wikipedia.org/wiki/Boden_(clothing)
“Boden is a British clothing retailer selling primarily online and by mail order and catalogue”
“They’re not really what I’d call a household name”
Why is the size and fame of the retailer relevant to them being confused by the legislation? I’d actually say that it’s more important to see what’s happening with less prominent retailers, since there’s more of them and they may not have the legal resources available to clear their actual responsibilities, hence the overreaction.
Sorry, but this article is so lol. Just because some online merchant is stupid the GDPR is wrong? Really? Is this the argument?
Re: Re:
Not wrong. Just horribly open to abuse, which the proponents of GPDR repeatedly insisted wouldn’t happen.
To quote GLaDOS, “Nice job breaking it, hero.”
Re: Re:
No, not just because of that.
You’ll find that, if you look on the lefthand side at the top of the page, there is a list of tags. Try clicking on the one that says "gdpr". You will find that this is not the first article Techdirt has published on the subject.
FYI, if you’re under the age of 13, you’re not supposed to be participating in online forums.
Oh, yeah. The online seller of my dishwasher told me, that they can only repair it when I send it to them, so they can have a look, fix it and return it to me in only 5 weeks. And they cannot do it any other way because…. Tada! GDPR.
So, yeah, GDPR is used now to excuse any lunacy the companies (and towns, too) can come up with.
Another instance of companies abusing the GDPR name
If anything, the GDPR would require the opposite: since there is no legitimation for sharing the information of the return with the original purchaser, it would be illegal to inform him under the GDPR. This is just a misguided tactic of some traders who do not want to take back goods sold.
It would make more sense to attack the GDPR on this horrible legal outcome: Google must remove sanctioned docter from search engine — hereby undermining the safety of medicine.
https://www.trouw.nl/home/google-moet-berispte-arts-verwijderen-uit-zoekmachine~a1fb7f03/ (in Dutch)
Replace “Christmas” with “everything”, and you’ll be closer to the mark.
Sounds more like some retailers figured on a novel way to discourage returns, taking advantage of the general public not knowing what GDPR is.
Most of you have no idea on corporate compliance
Its very interesting to see a bunch of people who are not in corporate compliance argue how this is a non-issue and doesn’t have to do with GDPR. As someone who is in compliance and is an acting CISO for an American company, let me state a few things.
1. GPDR is a very vague law that waves its hands around “complying” in a lot of vague and general ways that affects a bunch of highly technical industries where vague solutions are not an option. This makes complying in a way that makes the corporation bullet proof very hard. If someone complains and a government lawyer takes up the complaint, the company has to spend lots of time and money to prove they complied with every single little aspect of the law.
2. The penalties for unsuccessfully guarding against a single complaint is €10M-20M or 4% of Gross Worldwide Product (whichever is bigger). For a huge percentage of the businesses in this world, that penalty would destroy the business. Even fighting it might destroy the business.
3. GDPR Article 13 section 3 states:
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
I can very well understand this company’s rules about return. They took the customer’s information for the purpose of making a sale. A return is not a sale, and to look up the transaction, process it as returned, and then update that customer’s information, it is quite easy to argue the return as a secondary purpose and therefore the business is required by law to notify the customer. I understand it sounds insane to many, but it’s a sensible interpretation of the law that if they don’t comply with may destroy their business.
And just because someone is quoted as saying “there are other ways to comply with this law” doesn’t mean any of those options are better. Lots of big businesses in the USA are still complying with the GDPR by blocking all EU traffic to their websites.
Re: Most of you have no idea on corporate compliance
“Lots of big businesses in the USA are still complying with the GDPR by blocking all EU traffic to their websites.”
That’s something that deserves reiterating. The law is so confusing that businesses thousands of miles away are blocking an entire continent of 500 million potential customers until they understand what they need to do to comply.
If that doesn’t explain how people who operate directly within the jurisdiction might also overreact, I’m not sure how to make it clearer.