By now everybody knows that business email addresses that go directly to one individual, such as jo********@ex*****.com, are considered personal data (personally identifiable information, or PII) for the purposes of GDPR and, increasingly, email privacy laws in other countries. But what about generic business email addresses, such as in**@ex*****.com, sa***@ex*****.com, or co*****@ex*****.com (also known as ‘role account’ email addresses)? The conventional wisdom is that role accounts are not considered personal data, and so are fair game to add to your mailing list without prior consent. But not always: there’s a catch!
According to Gary Payne, of the Gill Payne Partnership Ltd, there are times when a so-called generic business email address can actually be construed as personal data. Mr. Payne, a noted EU and UK GDPR expert in the UK, explains, “There have been cases where a role-based email address has been considered to be personal.” (Regular readers may recognize Mr. Payne as the GDPR expert who spoke with us about how GDPR applies to data collected before GDPR went into effect.)
When are Generic Business Email Addresses Personal Data or PII?
According to Mr. Payne, if only one individual has access to the otherwise generic business mailbox, that mailbox and the associated generic email address can be construed as personal data as “there can be collected information (IP addresses and such) from other parties, such as Facebook, that links the email address to the sole person operating the mailbox.”
He goes on to explain that “It’s similar to if you have an access card to a building, or an anonymous username/password, which then identifies the person holding it, it doesn’t matter if no personal details are stored. That there is a single person holding the card or username/password, which can be linked by having the person in question surrender the card or username/password is enough to make it personal details under GDPR.”
Law firm Beswicks agrees with Mr. Payne, saying that while generic business email addresses are generally not considered personal data, “email addresses that relate to a sole trader or a non-limited liability partnership are personal data if an individual can be identified from the email address.”
Anticipating the question of why services can store such data at all when it can be construed as personal, Mr. Payne explains that such data can be stored because it can qualify as a so-called “pseudonymized identity”, in much the same way that an address like IL*********@ex*****.org that is registered with a public webmail service like Gmail is considered pseudonymized and so can be stored by Gmail, but not added to your mailing list without consent. In other words, he explains, a pseudonymized identity can be permitted to be stored (used) in some cases, and prohibited in other cases.
“It isn’t free land just because the mailbox is a role-based one,” says Mr. Payne, noting that it is the same for other company details, not just email addresses. Generally, company details are public and not considered personal data; however, if the company is a sole proprietorship, then those company details may be considered to be personal data for purposes of GDPR.
And if you are sitting in the U.S. and thinking, “Bully for them, but GDPR doesn’t apply here and in fact there is no law prohibiting me from adding any email address to any mailing list without consent,” it’s time to think again, and then to head on over to our article about the 4 states with data privacy laws coming online in 2023.