I’ve seen a few people on Twitter mention the massive number of GDPR emails they’ve received, so I figured I would take a moment to analyze mine.
Some quick background:
To collect all of my GDPR-related emails, I turned to
imapfilter. I had already set it up
cron timer for routine management of my email, so adding a new rule was straightforward.
1 2 3 4 messages = yossarian["INBOX"]:contain_message("GDPR") + yossarian["INBOX"]:contain_message("General Data Protection Regulation") + terpmail["INBOX"]:contain_message("GDPR") + terpmail["INBOX"]:contain_message("General Data Protection Regulation")
For those not familiar with
imapfilter, this rule:
yossarian) containing “GDPR”…
terpmail) containing “GDPR”…
I could have done that a bit more cleanly with a loop (
imapfilter’s config is just a Lua script),
1 2 3 4 $ imapfilter imapfilter: IMAP (4): 1019 NO [TRYCREATE] No folder GDPR (Failure) 21 messages copied from email@example.com@imap.gmail.com/INBOX to firstname.lastname@example.org@imap.gmail.com/GDPR. 4 messages copied from email@example.com@imap.gmail.com/INBOX to firstname.lastname@example.org@imap.gmail.com/GDPR.
TRYCREATE there is just
imapfilter seeing that the folder didn’t already exist,
and creating it for me).
So, 25 messages in my inboxes contained “GDPR” in their either their bodies or their envelopes.
To make sure I hadn’t missed anything that had been already removed by other filters (including spam filters), I also manually checked my other folders on both accounts for GDPR notices. From this search I found an additional six messages, for a total of 311.
(Censored addresses are financial correspondences.)
The first email I received to even mention GDPR came from Amazon on 3/19, and was an advertisement for online tech talks.
After that, the notices tricked in for about two months. Twitter sent four of five on 4/25, and the fifth on 5/4. Google sent me two notifications, concerning unused analytics accounts, spaced two weeks apart. Two Homebrew emails were also caught up in the filter, as we added a mention of the Google Analytics retention period to our documentation.
After the trickle came a flood on the last four days: I got nearly as many emails (14) between 5/22 and 5/25 as the two months prior (17, 14 of which were actual notices). The latest one was from Steam at 11:17PM EST, which is already a few hours past the deadline (assuming GMT).
Of all of the notices, a few were delivered to interesting addresses: one was delivered to a high school address that I must have set to forward years ago, and another was delivered to a Gmail address that I had used to originally sign up for GitHub (and then promptly forgot about).
Overall, I was a little underwhelmed by the number of GDPR notices I received — I expected many more, given the number of accounts I have. I have three decent hypotheses for these results:
imapfiltersearch was too conservative, and I missed a large number of notices.
The second hypothesis is challenged by the results of my manual search: the only non-matching emails I found were the Twitter ones, and I added those by hand. As such, I’m inclined to think that either (1) or (3) (or both!) is the case. The former would be reassuring, and the latter would be a little annoying.
Thanks for reading!
Included in that six were five from Twitter (mostly for old bot accounts), none of which contained either “GDPR” or “General Data Protection Regulation.” ↩