
Comment by EGreg

5 hours ago

People originally opted in and provided it expecting to get a newsletter on how to use the app. We never seemed to have the bandwidth to create a good enough one, so we never sent it. We kept improving the app until it became very good and still never sent the emails. But we retained the addresses, so that one day we could tell people the app has improved, to give it a try, include animated GIFs of it in action and gradually educate them on ways to use it. For that I get chastisement on HN, figures.

Yes, there is a clearly valid business purpose under GDPR for retaining the email addresses of users who want to learn how to use your app better and opted in. If you plan to send a newsletter out.

Other than those voluntarily entered emails (which aren’t even linked to the user), we haven’t retained literally any information about our users, despite having millions of users download and use the app over a decade. Which is far beyond pretty much any social app I know. But almost no one actually cares.

> For that I get chastisement on HN, figures.

I really wasn't trying to chastise; honestly it was intended as a friendly dollop of advice from someone who's dealt with this kind of thing. But since you have replied, I would say:

> Yes, there is a clearly valid business purpose under GDPR for retaining the email addresses of users who want to learn how to use your app better and opted in.

Relevance is likely to be seen as contextual. Someone wishing to do something a full decade ago is not likely to be seen as sufficient evidence to justify contacting them now in case they still wish to. That's a big chunk of the point about time-limiting data retention - the data gets less relevant and more problematic over time. I get that you're not trying to colour outside the lines here, but from the perspective of your users, and anyone looking at their potential complaints from a regulatory perspective, the window in which they reasonably consented to contact has closed (and probably some time ago).

The regulations are there, ostensibly, to protect consumers. They will be interpreted in that light. I can almost guarantee that if you sent an email to your downloader base 10 years after they last heard from you, being ignored will be the best case, and the worst will be reports to local regulators.

  • Is there an actual regulation or case law showing what the cutoff time is de jure?

    I would be glad to respect it if there was.

    As it is, laws do allow for things they didn’t explicitly prohibit, and especially good-faith things like welcoming people to try the free app again, which they themselves downloaded and asked to be educated about, since it’s improved, and showing them how and why to use the improvements.

    • Yeah, that's fair enough, and it is annoying that there is rarely a specific time set in regulation (or even case law which is broadly applicable). Most regulatory bodies will tend to say things like "as short as required/possible" for retention, which is clearly open to interpretation [0].

      I would personally see 10 years as "a long time" in this kind of context (although that may be contextual depending on what your product does, obviously). If you can honestly claim/show good faith, that is usually acknowledged, but my point was rather how it would be seen out of the blue from an organisation that has been silent for 10 years (my personal first thought would be "why the hell have they still got my information?", but I am well aware that I'm not the average).

      Genuinely, I don't mean to imply bad faith on your part, only to suggest the reactions it may receive, and how careful you should be with your messaging.

      [0]: https://commission.europa.eu/law/law-topic/data-protection/r...