
I'm subscribed to "Visual Studio Dev Essentials" (so that I can download older versions of Visual Studio from the Microsoft website), but they are sending me unwanted marketing emails regarding both Visual Studio Dev Essentials and other products.

In the footer of the email, it says that to unsubscribe from the emails, I must unsubscribe from the service, which I don't want to do.

Is this legal? Note that I'm based in the UK, but Microsoft (the parent company at least) is based in the US.

Hiccup
  • Did you read the terms and services for Visual Studio? – Questor Mar 14 '23 at 17:19
  • If the footer contains such information, this could be an indication that Microsoft doesn't consider the email to be marketing. Do the emails relate to the product or to your subscription, or do they relate to other products/services? – amon Mar 14 '23 at 22:45
  • @amon Both the current product and other products/services. – Hiccup Mar 14 '23 at 22:55
  • @Questor I have now. It says "By joining and throughout the duration of your participation in the Program, you may receive periodic communications i) about your use of the Program; and ii) about the latest news and updates related to the Program. You can leave the Program at any time to stop receiving these communications by going to the Subscriptions tab on the Program page and selecting “leave program”. If you leave the program, you will no longer have access to download Benefits.". – Hiccup Mar 15 '23 at 16:50
  • A filter on *@microsoft.com->trash is probably the best solution here. – JonathanReez Mar 15 '23 at 19:26
  • @JonathanReez ...and that's good life-advice in general too. – Deepak Mar 16 '23 at 17:42
  • @Questor - T&S do not override laws. – Davor Mar 17 '23 at 10:31
  • @Davor This is true. But GDPR requires that companies give you a way to remove your information from their service. The T&S is that in order to use their service you agree to have your information in their database and receive emails, so you have agreed to have your information on their server and receive emails from them (GDPR compliant). You can remove your information from their server but you lose access to the service (This is GDPR compliant). – Questor Mar 17 '23 at 16:25
  • @Questor - that is absolutely NOT GDPR compliant. GDPR explicitly lists conditioning use of service on acceptance of spam as illegal. Read the last sentence in paragraph 43: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679#ntc10-L_2016119EN.01000101-E0010 – Davor Mar 17 '23 at 20:57

5 Answers


No, it's not legal.

The General Data Protection Regulation (GDPR) applies given that you are in the UK (regardless of where the Data Processor is based). The UK GDPR is slightly modified due to Brexit, but the same principles apply.

The only plausible legal basis for this action would be that you consent to it, and you're entitled to withdraw that consent at any time.

Some may claim that Article 6.1(b) applies, i.e. that it's necessary to send marketing email in order to fulfil the contract, but GDPR is clear that bundling such consent into a contract for service simply to permit the data processor additional actions isn't allowed, as I'll demonstrate.

UK GDPR requires that consent to use your personal information (in this case, your email address) for the stated purpose be freely given.

Consent to use your information for direct marketing is not freely given if it's inseparable from the consent to use it for some other service, as per recital 43:

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

And Article 7.4 gives this legal effect:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The intent of Article 6.1(b) is that only the processing required for the service you have bought is allowed (e.g. if you supply your address for delivery of stuff you've bought, the data processor can use that address to send you the stuff, but is not allowed to add a contract term that allows them to send you unwanted stuff).

Examples of emails that Article 6.1(b) would allow (in my assessment) include things such as notification of upcoming downtime, or a reminder that subscriptions are due, but not unsolicited advertisements for other products. There's a grey area that's open to interpretation, where adverts are piggybacked onto actual service messages.

Toby Speight
  • It's a pity that the person(s) who downvoted and proposed deletion couldn't be bothered to add a comment to indicate what they think is inadequate in this answer. – Toby Speight Mar 15 '23 at 20:32
  • Yes, especially as I'm pretty sure this is the correct answer, given the GDPR aspects that say you cannot make access to a service conditional on allowing your data to be processed [for things other than necessary to provide the service itself]. Maybe citing/quoting those parts would make them happier? I think it's recital 42/43. – mbrig Mar 15 '23 at 22:29
  • I don't buy the last paragraph. The "some other service" is the one that comes with the inconvenience of receiving marketing emails. It is what it is. Take it or leave it. – Greendrake Mar 16 '23 at 00:18
  • @Greendrake, I think that's a matter of interpretation. My take is that the marketing emails are not necessary for the purpose of providing access to the "Dev Essentials" service, but perhaps the provider claims otherwise? The legality seems to hinge on that test. – Toby Speight Mar 16 '23 at 07:11
  • This is indeed the right answer, though it would benefit from references and quotes to explain and justify why it is. – jcaron Mar 16 '23 at 10:36
  • Why do you think consent is necessary? What about performance of a contract, i.e. article 6(b)? Your conclusion seems plausible to me but answering the question fully requires analysing this, including any similarity or difference with Facebook's “GDPR bypass” (which is probably going to be litigated further). In any case, Microsoft does not seem to be claiming that they rely on consent for this in either https://visualstudio.microsoft.com/license-terms/devessentials/ or https://privacy.microsoft.com/en-us/privacystatement – Relaxed Mar 16 '23 at 11:36
  • In other words, the fact Microsoft do not have proper consent for this is not in dispute and a secondary consideration, the main question is do they require it in the first place? – Relaxed Mar 16 '23 at 11:39
  • @Relaxed, if consent is not necessary, which other legal basis do you suggest applies? Is there a reason that marketing email is necessary for the provision of the "Dev Essentials" service? Or that there's a need to do so to protect vital interests or to comply with legal obligations? – Toby Speight Mar 16 '23 at 14:40
  • @Greendrake: Literally the entire point of GDPR was to specifically and unambiguously outlaw the exact sort of "take it or leave it" contract you describe. The EU saw lots of (mostly American) tech companies offering such contracts, decided those contracts were harmful to consumers, and banned them. – Kevin Mar 16 '23 at 18:48
  • @TobySpeight I already mentioned article 6(b) and I also agree that it's probably a weak basis. Nonetheless, the answer needs to explain why that is rather than assume it. Again, I see no sign that Microsoft is claiming consent, there is no point getting lost in the specifics of consent, the key question is whether Microsoft has another legal basis. Which they very well may not have but you don't even state that. – Relaxed Mar 17 '23 at 07:28
  • @Relaxed, the second paragraph looks at the legal basis. I'll update it for article 6(b). – Toby Speight Mar 17 '23 at 07:57
  • That is not paragraph 43 but recital 43. It is prefatory and has no direct force of law. Article 7.4 doesn't "back up" recital 43; it gives legal effect to it. – phoog Aug 27 '23 at 12:51
  • @Relaxed why is the GDPR even implicated here? Is the sending of a marketing e-mail message a "data processing" activity under the GDPR? – phoog Aug 27 '23 at 12:55
  • @phoog I don't think I brought the issue up, I was just trying to think through Toby Speight's reasoning but I do agree it would typically apply. Why would you doubt it? Technically, sending an email to a random address (e.g. duck.com) would not necessarily implicate the GDPR but names and email addresses containing names are definitely personal data. Microsoft's Privacy Statement also seems to acknowledge that. – Relaxed Aug 27 '23 at 13:09
  • @phoog: Thanks for the terminology correction; I've edited accordingly. – Toby Speight Aug 27 '23 at 13:40

Unless a stipulation in a contract is clearly illegal in the contract's stated jurisdiction, it's legal to have it in a contract, and the Terms of Service (TOS) you clicked through is a contract. If you don't like the TOS, and the fact that you agreed to receive marketing emails, you don't have to use Microsoft's service.

Edit re: comments: Yes, processing personal information in terms of email addresses under the DPA does take place, when signing up for or closing an account. You seem to be interpreting that processing personal information takes place when Microsoft simply sends an email; I don't see that.

And, don't forget that Microsoft is a huge company with the best lawyers money can buy; they would certainly try very hard to not violate GDPR or DPA with a TOS or marketing tactics, as they have too much to lose in the international market.

BlueDogRanch
  • So you don’t think the Data Protection laws apply here? – Sneftel Mar 14 '23 at 17:59
  • Specifically which part of the Data Protection laws? Data protection doesn't prevent one from simply sending emails or requiring an agreement to receive emails under the terms of a contract. I'm sure the storage and security of email addresses and PII related to them are covered under DPA and GDPR. – BlueDogRanch Mar 14 '23 at 18:31
  • Of course it does - one of the purposes of the DPA is to require a lawful basis for processing personal information, for purposes such as direct marketing, which restricts what the company can make contingent on the user’s consent. – Sneftel Mar 14 '23 at 18:38
  • Citation of that part of the DPA you refer to? – BlueDogRanch Mar 14 '23 at 18:43
  • @Sneftel the GDPR for example requires your data to be removed on request, it does NOT require you to continue to receive services after that request. – jwenting Mar 14 '23 at 20:06
  • @BlueDogRanch GDPR article 21, say. – Sneftel Mar 14 '23 at 21:12
  • Considering that comments can be deleted at any time when they're already addressed in the post, could you replace or add context for "Edit re: comments:" on the body? – Andrew T. Mar 15 '23 at 03:52
  • Your contention that sending emails isn’t “processing” is surprising, given the breadth of the GDPR’s definition of the term. You don’t feel that sending an email to an email address counts as “use” of that email address? – Sneftel Mar 15 '23 at 08:12
  • I'm not refuting your overall claim. However, I feel you're overstating the power of a ToS. As I understand they are considered contracts of adhesion and as such are held to a stricter standard. If a ToS says that by using your product I have consented to giving you all my worldly possessions that is not going to hold up in court, even if there is no law making it illegal to write a contract that signs over all my worldly possessions in the relevant jurisdiction. – dsollen Mar 15 '23 at 22:04
  • Making access to a service contingent on giving permission to use your data in ways not necessary to provide the service is strongly ruled out by the GDPR. The sections on consent are clear it renders consent invalid, and the sections on contractual basis apply only to necessary processing. – mbrig Mar 15 '23 at 22:40
  • Re the final paragraph: history shows that the size of a company is a poor guide to their standards of ethics and compliance - even for GDPR violations, where the maximum fine is specified as a proportion of the company's revenue. – Toby Speight Mar 16 '23 at 20:52
  • Specific example: Google is a company of comparable size to Microsoft, and it received a €50 million fine for GDPR violation. – Toby Speight Mar 23 '23 at 16:19
  • @jwenting but the GDPR requires a lawful basis for processing. If sending of marketing e-mail is comprised within "processing data" and if the lawful basis is consent, then the GDPR says that the consent must be freely given, and that requiring receipt of marketing e-mail ("processing of personal data that is not necessary for the performance of that contract") can't be a condition for having access to downloads ("the performance of a contract"). I'm not certain that the marketing messages constitute data processing, though, or that the downloads constitute "performance of a contract". – phoog Aug 27 '23 at 13:06
  • @phoog irrelevant. If as part of the account signup process you agreed to the marketing email being part of the service for which the account was created, the two are linked. And then you did indeed consent to those emails. Same with all the millions of tracking and advertising cookies, by visiting that website and clicking ok on the cookie banner you sign up for that marketing and tracking, the GDPR doesn't care that you did so only because you wanted something else. – jwenting Aug 28 '23 at 15:32

Being in the UK you probably fall under the GDPR (unless the UK removed itself from that, I don't think they did).

The GDPR gives you the right to have your data removed from a database upon request, it does NOT stipulate that such removal have no consequences when it comes to receiving services and products from the entity your data was stored by. It also requires that only data required for the performance of the service be retained, meaning that the data you requested be removed is data needed to provide the service. Thus you want your email address to be removed, your email address is needed to provide you the service of attaining those downloads, thus removal of your email address makes providing you those downloads impossible.

You can of course always just create a filter in your email client that automatically deletes any and all emails you don't want to read.

jwenting
  • So you’re saying that if there is a lawful basis (contract performance, say) for a particular use of a particular piece of personal data, that piece of data can be used for other purposes regardless of whether the lawful basis applies to them? – Sneftel Mar 14 '23 at 21:20
  • The GDPR Art 21 right to objection provides the absolute right to object to further processing for marketing purposes, which should be orthogonal to processing for other purposes. In any case, there are more specific rules on marketing emails in PECR, which tracks the EU ePrivacy directive. Marketing emails are allowed without consent in some scenarios (soft opt-in), but there's an absolute right to object to further emails. While you're right that the lack of consequences isn't explicitly required, I'd doubt the ICO would like such an interpretation. – amon Mar 14 '23 at 22:31
  • @Sneftel if you read the terms of service I'm sure they state clearly that you sign up for emails, making the storage of your email address to send emails allowed under the GDPR. – jwenting Mar 15 '23 at 07:00
  • So you’re saying consent as a basis? How would you square that with the statutory considerations of whether that consent is “freely given”? – Sneftel Mar 15 '23 at 08:05
  • Indeed, the GDPR does not allow mixing purposes and pretending that this constitutes "consent", almost as if someone predicted that companies would come up with this construct. – Simon Richter Mar 15 '23 at 15:43
  • In particular: “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.” Do you not think that describes this situation? – Sneftel Mar 15 '23 at 21:37
  • @SimonRichter "almost as if someone predicted that companies would come up with this construct": it's not exactly farfetched to imagine somebody making such a prediction. – phoog Aug 27 '23 at 13:08

According to the CAN-SPAM Act:

§ 316.5 Prohibition on charging a fee or imposing other requirements on recipients who wish to opt out.

Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient's electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).

Looking at § 316.3 Primary purpose, the described messages almost certainly would not be considered transactional since 316.3(a)(3)(ii) says:

A recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is the commercial advertisement or promotion of a commercial product or service. Factors illustrative of those relevant to this interpretation include the placement of content that is the commercial advertisement or promotion of a commercial product or service, in whole or in substantial part, at the beginning of the body of the message; the proportion of the message dedicated to such content; and how color, graphics, type size, and style are used to highlight commercial content.

So requiring you to login and delete your account goes beyond what is allowed for compliance with the act ("provide any information other than the recipient's mail address").

Since Microsoft is a US corporation, they would be held to the CAN-SPAM act. I don't think you can personally make an FTC complaint that they are violating the act, but anyone else in the US should be able to make a claim.

Alcanzar
  • The OP is not just a recipient who happens to receive the emails out of the blue. They have signed up for the service that causes them to be sent. Thus, the cited provisions don't apply. – Greendrake Mar 16 '23 at 00:25
  • They are marketing emails under the CAN-SPAM definition. It doesn’t matter if he signed up for a service (i.e. transactional emails). There’s a definition in the act that says if it’s both transactional and marketing, it’s marketing if the recipient reasonably assumes it is. – Alcanzar Mar 16 '23 at 02:44
  • @Alcanzar Then that definition should be in your answer. – Spencer Mar 16 '23 at 15:06

The corner point here is that the user agreement is a contract between you and Microsoft, and that contract clearly states that all along the program life, you will receive marketing emails.

If that contract is in contradiction with other general laws, what matters is the precedence rule observed in both the UK and the USA. AFAIK (but IANAL) in France and more generally in the EU, the rule is that a European law prevails over a national law which in turn prevails over a private contract. The rule is that if an article of the contract is illegal it is supposed not to exist. But I had been told that in the UK a contract could prevail over a more general law, and the UK is no longer in the EU.

Toby Speight
  • Indeed, and the other discussions where people are linking to the EU GDPR are somewhat off the mark since they should be looking at the UK GDPR. One contributor noted that it is slightly different, and this seems to be a likely point of difference. The most popular answer cites a provision relating to the performance of a contract, and if UK law approaches the relationship between statutory provisions and contract provisions differently then the analogous section of the UK GDPR could be worded differently or interpreted differently. – phoog Aug 27 '23 at 13:14