Programming, philosophy, pedaling.

How many GDPR notices did I get?

May 26, 2018

Tags: workflow

I've seen a few people on Twitter mention the massive number of GDPR emails they've received, so I figured I would take a moment to analyze mine.

Some quick background:

  1. I don't have many social media accounts. Twitter is the only social media that I'm even semi-active on.
  2. I have three email addresses: one personal, one academic, and one old personal address that gets forwarded.
  3. I'm American and live in the United States, so companies with my physical location may have decided that I'm not worth emailing.

The process

To collect all of my GDPR-related emails, I turned to the fantastic imapfilter. I had already set it up with a cron timer for routine management of my email, so adding a new rule was straightforward.

In ~/.imapfilter/config.lua:

messages = yossarian["INBOX"]:contain_message("GDPR")
    + yossarian["INBOX"]:contain_message("General Data Protection Regulation")
    + terpmail["INBOX"]:contain_message("GDPR")
    + terpmail["INBOX"]:contain_message("General Data Protection Regulation")

For those not familiar with imapfilter, this rule:

  1. Selects all messages from my first inbox (yossarian) containing "GDPR"...
  2. ...or "General Data Protection Regulation"...
  3. ...or in my second inbox (terpmail) containing "GDPR"...
  4. ...or "General Data Protection Regulation"...
  5. ...and them all to a folder named "GDPR" under my first inbox.

I could have done that a bit more cleanly with a loop (imapfilter's config is just a Lua script), but ¯\_(ツ)_/¯

The result:

$ imapfilter
imapfilter: IMAP (4): 1019 NO [TRYCREATE] No folder GDPR (Failure)
21 messages copied from william@yossarian.net@imap.gmail.com/INBOX to william@yossarian.net@imap.gmail.com/GDPR.
4 messages copied from woodrufw@terpmail.umd.edu@imap.gmail.com/INBOX to william@yossarian.net@imap.gmail.com/GDPR.

(The TRYCREATE there is just imapfilter seeing that the folder didn't already exist, and creating it for me).

So, 25 messages in my inboxes contained "GDPR" in their either their bodies or their envelopes.

To make sure I hadn't missed anything that had been already removed by other filters (including spam filters), I also manually checked my other folders on both accounts for GDPR notices. From this search I found an additional six messages, for a total of 311.


The results:

My "GDPR" folder (Censored addresses are financial correspondences.)

The first email I received to even mention GDPR came from Amazon on 3/19, and was an advertisement for online tech talks.

The first emails to actually notify me of a GDPR-related privacy policy change came three days after that, on 3/22, from Slack. Slack's team appears to have de-duplicated their GDPR email traffic — I only received one email per unique address, instead of one email per Slack group membership.

After that, the notices tricked in for about two months. Twitter sent four of five on 4/25, and the fifth on 5/4. Google sent me two notifications, concerning unused analytics accounts, spaced two weeks apart. Two Homebrew emails were also caught up in the filter, as we added a mention of the Google Analytics retention period to our documentation.

After the trickle came a flood on the last four days: I got nearly as many emails (14) between 5/22 and 5/25 as the two months prior (17, 14 of which were actual notices). The latest one was from Steam at 11:17PM EST, which is already a few hours past the deadline (assuming GMT).

Of all of the notices, a few were delivered to interesting addresses: one was delivered to a high school address that I must have set to forward years ago, and another was delivered to a Gmail address that I had used to originally sign up for GitHub (and then promptly forgot about).


Overall, I was a little underwhelmed by the number of GDPR notices I received — I expected many more, given the number of accounts I have. I have three decent hypotheses for these results:

  1. The vast majority of my accounts didn't run afoul of the new GDPR rules, and so most companies didn't feel the need to email me.
  2. My imapfilter search was too conservative, and I missed a large number of notices.
  3. I've been tagged as U.S. based on most of my accounts, and so I simply wasn't included in any additional protections granted by GDPR (or, at the very least, wasn't notified).

The second hypothesis is challenged by the results of my manual search: the only non-matching emails I found were the Twitter ones, and I added those by hand. As such, I'm inclined to think that either (1) or (3) (or both!) is the case. The former would be reassuring, and the latter would be a little annoying.

Thanks for reading!

  1. Included in that six were five from Twitter (mostly for old bot accounts), none of which contained either "GDPR" or "General Data Protection Regulation." 

Reddit discussion