Put the boot in

by | May 6, 2023 | Uncategorised

If you’re looking for people to market your products to, a French company called Evaboot have got you covered. Companies offering what Evaboot does are usually squeamish about how they work, but there’s a refreshing directness about their pitch.

They offer “The Smartest LinkedIn Sales Navigator Scraper”, hoovering addresses from LinkedIn and elsewhere, or creating them from derived information if the emails aren’t there. Having mined the internet for data, let the spamming commence!

But wait, what about GDPR? Fear not. “GDPR compliance of B2B prospecting is based on Legitimate Interest. B2B Prospecting is GDPR compliant as long as you gather B2B info to contact people on their pro emails to offer them a product or a service that can bring value to their activity.”

So you need one less of your five a day after that word salad, but the underlying idea is very popular in the data broking / scraping / spam community – all job-related data is fair game, any spamming is safe because of legitimate interests.

I received an email to “tturner @ 2040training.co.uk”, which landed in my catchall folder that receives anything ending in 2040. It was from a medium-sized IT company flogging their ransomware training. Because “tturner@” doesn’t exist, I asked them where they got it from.

They said LinkedIn. I only have one address associated with LinkedIn and it ain’t this one, so I asked them to try again. This time, they said they “came across” my email using LinkedIn and Evaboot and I should ask Evaboot how they had my address “readily available”.

Let’s be clear about what the company did here. They lied (they didn’t find my email on LinkedIn) and they used automated processing to generate an email address that isn’t available publicly. Both elements are unfair and untransparent.

They also explained their approach to legitimate interests in a familiar way: “I contacted you on your professional email address based on legitimate interest because I think the product or service will bring value to your activity.” He didn’t even edit the Evaboot text before using it; just parroted it before telling me that he wouldn’t reply again.

I know some people disagree, but I think the model of inventing email addresses is automatically a GDPR breach because it’s untransparent, both in itself and because the spammy companies who use such emails always pretend that they don’t. I think scraping real addresses is borderline, but inventing them, accurate or otherwise, doesn’t pass the legitimate interests test.

More importantly, there can’t be any debate that actively misleading someone who is exercising their GDPR rights to find the source of personal data is a breach. I don’t think a legitimate interests assessment which involves cutting and pasting from a supplier’s website is valid, so there’s no lawful basis.

Nobody is coming for Evaboot. Their website slyly emphasises that they’re not keeping a database of personal data and selling it – you’re using a tool. I think they’re completely off the hook. If I wanted to complain about anyone, it would be the spammers and I think that complaint would be valid.

The company who emailed me looks legit. Part of their business is selling security, ransomware training and other important governance tools. I’m deliberately not naming them to avoid arguing with dreary apologists about whether naming and shaming is legitimate. It absolutely is and however small the hit on their reputation would be, they’d deserve it.

Instead, I want to emphasise the importance of not swallowing the assurances of suppliers who swim entirely outside the GDPR’s waters. Spam is annoying. “B2B prospecting” is not exempt from the GDPR, it’s just outside PECR. By effectively lying to me, these dumbos committed a more serious breach than the original spam.

To my fellow GDPR trainers and consultants, let me say this. Some of you contribute to this nonsense. You oversimplify, reassure companies that “B2B” is somehow a Wild West free of regulation and rigour. Again, I won’t name names but some of you ought to know better. Spamming individual subscribers is more legally constrained, but marketing to people at work still happens within a legal framework. You can’t just hide behind legitimate interests and spam at will.

Done badly (done like this), uncritical B2B carpet-bombing also carries a risk of looking lazy, careless and unprofessional. I’d never heard of this company before and now, this is all that I know about them. Business is rough right now; I know a lot of companies who are struggling. But you have to do better than this, and as a sector, we have to stop serving up reassuring drivel that gives the scrapers a foot in the door.