Trying to push sales with games and prizes is a win-win for both the customer and the company. Usually. And it makes perfect sense to combine the prize with some sort of privileges granted by the end user to the company offering the contest, such as using the email address for marketing or the postal address for mailings. Current privacy legislation makes it clear how these situations are to be handled, and there are strict rules in place to be followed. Seemingly not all companies know this, in particular the developer of a security-related plugin named iThemes Security. What happened?
No double opt-in, no consent for marketing mails
It is not allowed to send marketing mails of whatever type to someone who has not clearly given their consent to receive them. This is regulated in all recent major privacy legislation. And one would expect that a security-focused company such as Liquidweb, which stands behind the iThemes Security plugin, would know. But they either don't know or they ignore it. Permission can be given in only two ways: implied or express.
- Implied permission describes those with whom you have an existing business relationship. This could be because they are a current customer, donate to your charity, or are an active member of your website, club, or community.
- If you don’t have implied permission to email a person, then you’ll need express permission. Express permission is granted when someone specifically gives you permission to send them email campaigns, potentially by entering their email address in a subscription form on your website or entering their details into your in-store newsletter subscribe form.
Wheel of Misfortune
Back in December 2020, iThemes offered a nice wheel of fortune to promote their holiday sales. You could win coupon codes and freebies ranging from 25% to a mere 80% off. Nice! All you had to do was enter your email address, and you were good to go. One would expect that this is just to make sure the coupon code is personalized and only valid for this email address, to prevent people from entering the contest multiple times. But this was not the case.
A generic code to rule them all
All codes you could win were generic. There was no personalization and therefore no real reason to require the email in the first place. What do they need it for then? I got a glimpse of what might happen to the data acquired by this contest. But I refused to believe it, as there was neither a double opt-in as legally required nor any hint of what the data you entered might be used for. See the following screenshot as proof. Nothing is being told. The only reason given is to prevent multiple use of the fortune wheel.
Digging deeper makes it worse
Spam from a security company is a dead end