Legal, Tax, and Accounting October 18, 2020

How are products that sell e-mail addresses like SalesIntel, ZoomInfo legal?

takezo

GDPR and CCPA protect personal information from being sold or abused yet sales "intelligence" tools rake in millions. These companies don't just sell email but also phone numbers and sometimes addresses for sales prospecting. As someone who works in sales, I would hate it if these tools went away.

But GDPR and CCPA ban this practice as far as I know. So, how are these tools still legal?

I am not being critical, only curious :)

  1. 3

    According to the GDPR, they must not sell an email address (or any personal data) of a citizen or resident of the European Union.
    Data protection laws with a similar approach: the UK, any other non-EU country from Europe, Brazil, Argentina, Uruguay, Malaysia, Singapore, Thailand, Dubai (DIFC), Egypt, Turkey, South Africa...

    According to the CCPA, they can sell data as long as:

    • they inform users about that in the privacy policy,
    • they show a notice to users (this is separate from a privacy policy) on arrival on the website/app providing an opportunity to opt-out from the sale of data, and
    • they provide an opportunity on the website for opting-out of the data sale.
      Remember that CCPA applies only to California companies in any case, and to any company in relation to California residents.
      ZoomInfo is a Massachusetts company, so these rules apply only to their relation with California residents. There are no limitations for selling data of residents of Massachusetts, New York, Florida, etc.

    Basically, the whole world aligns with the EU data protection standards. The US is the exception (and the few countries that have no privacy laws at all), which means that US companies can sell US citizens' data. If they sell data of Europeans, Brazilians, etc., they face penalties.

    1. 1

      Thank you for this detailed explanation!

      I also came across this which was fascinating: ZoomInfo offers a free product that you have to connect with your email. Once you do, they scrape EVERY single contact in your email to enrich their database.

      So, technically, it is YOU who has signed over your entire contact list data to ZoomInfo and agreed to their Terms and Conditions, which state that they can now sell YOUR DATA (your email and everyone else's in your contact list) 😮

      https://www.vice.com/en/article/y3zqbw/zoominfo-privacy-laws

      1. 2

        Unbelievable... However, if they want to collect my email address, they have to ask me, not my friends who have my email address (I'm in Europe). Collecting my email address from my contacts is against the law.
        I see that they collect business addresses, though. While a [email protected] is personal data, [email protected] is not. It depends on what exactly they collect. From what I could understand from the article, it is personal data.
        I guess they count on lack of enforcement, which is true for most countries outside of the EU. And Americans, who are not protected.

        1. 1

          Indeed. Why is [email protected] personal data?

          You don't get to keep it once you leave the business. Hence, doesn't it actually belong to a business and is therefore outside the purview of the law?

          1. 2

            You can identify a person with such an email.
            I would like to see an opinion by the EDPB or the European Court about this, though.

  2. 2

    There's a clause related to GDPR labelled "legitimate interest" which appears to cover the use of personal email data.

    The same reason why armies of SDRs can email, message & call without companies getting sued or taken to court.

    Agree with your point though.. allowing the sale of personal data does seem like a conflict. I expect the primary reasoning behind GDPR was consumer protection, as opposed to business.

    1. 1

      @fennessy legitimate interest is so wrongfully used as a basis for collecting and processing data. I believe we'll see some fines related to that soon.

      1. 1

        You could be right.

        Difficult to prove there is no legitimate interest in many cases though - and if there is precedent set here, it would effectively block all outbound prospecting.

        If you look at the intent of introducing GDPR, I believe the emphasis was more on protecting consumer / residential customers, than business (where there is more scope for legitimate interest and better protections against spam).

    2. 1

      "legitimate interest". Fascinating how there are always ways around white-collar law :D Thank you for this insight.

  3. 1

    I agree that it would be better if contact information was more readily available and not hidden behind some shitty company's paywall.

    Removing contact information like email entirely from the public domain, however, would be bad for the business community in my opinion.

    As more businesses / executives build walls around themselves by blocking email from unknown addresses, hiring assistants to screen calls, and blocking LinkedIn invites from anyone who doesn't know their email, they make it harder for companies that have solutions to their problems to tell them about them, causing them to either 1) miss out on great innovations their competitors might be using to beat them or 2) pay more for all of the solutions they do finally find out about, because those companies likely had to spend a lot more money for things like trade show booths and ads to reach them and now need to recoup those SG&A costs.

    In the end, marketers are generally reaching out to businesses because they think their product can help them solve a problem. If they can't reach out, they can't let those businesses know they exist, and those problems may never get solved.
