top | item 24822933

Ask HN: How are products that sell email info like SalesIntel,ZoomInfo legal?

6 points| _wwwg | 5 years ago

GDPR and CCPA protect personal information from being sold or abused yet sales "intelligence" tools rake in millions. These companies don't just sell email but also phone numbers and sometimes address for sales prospecting. As someone who works in sales, I would hate it if these tools went away.

But GDPR and CCPA ban this practice as far as I know. So, how are these tools still legal ?

I am not being critical only curious :)

6 comments

adrr|5 years ago

As far as I know CCPA isn’t being enforced. I’ve had companies refuse to delete my info or even register as a data broker. Reporting them to the AG office just gets you a generic response saying they can’t do anything.

BjoernKW|5 years ago

If anything, GDPR has made this easier provided they have the users' consent. If the user agrees you're allowed to do pretty much anything with their data.

It has also become a lot easier, unfortunately, to get that consent.

Both the convoluted legal framework itself and the dark patterns that arose from it (such as the "Allow everything" button being the primary action button and "Privacy settings" being a small, obscure link) are prone to putting off users, who more often than not will just click on anything just do get rid of those annoying pop-ups and banners.

ramboram|5 years ago

I think it's possible with user's consent.

> It is allowed to sell personal data under the GDPR subject to receipt of consent for it from data subject and compliance with the rights of data subject even if it decided to exercise the right to object or the right to be forgotten.

Source: https://legalitgroup.com/en/gdpr-requirements-to-selling-of-...

takezo|5 years ago

Thank you for this detailed explanation!

I also came across this which was fascinating: ZoomInfo offers a free product that you have to connect with your email. Once you do, they scrape EVERY single contact in your email to enrich their database.

So, technically, it is YOU who has signed over your entire contact list data to ZoomInfo and agreed to their Terms and Conditions which states that they can now sell YOUR DATA (your email and everyone else's in your contact list)

https://www.vice.com/en/article/y3zqbw/zoominfo-privacy-laws

guitarbill|5 years ago

Ah yes, a source on the GDPR that has a non-opt-out cookie box. Seems legit.

Where this falls down in practice can be clearly seen e.g. from UK's Information Commissioner's Office [0] (despite Brexit still one of the most readable English-language sources of the GDPR):

> Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.

> Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.

> If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

The way companies really get away with it is that the data protection agencies are understaffed, inundated, focussed on big targets, and the GDPR doesn't allow individuals to file suit.

[0] https://ico.org.uk/for-organisations/guide-to-data-protectio...