During the holiday season, you had only good intentions and wanted to increase your sales with your mailing or wish the greatest number of customers, almost customers, newsletter recipients and business partners a good holiday? Unfortunately, your email also reached recipients who no longer wanted to receive email specifically from you. Of course, you have always kept your mailing lists clean and deleted all unsubscribers. Either way, however, either address was mistakenly imported back into your mailing list. This can irritate unsubscribed unsolicited subscribers rather than satisfy them and will damage your reputation as a sender and therefore your sales in the long term …

Technical practice

To prevent this from happening, email service providers generally maintain block lists, which ensure that the addresses contained therein receive emails only from certain customers or do not receive emails at all. emails. However, the storage of personal data, even if it only serves the purposes indicated above, is not without problems under the GDPR, in force for about six months.

google loves me workshop banner

The situation is delicate: on the one hand, you are no longer authorized to send messages to an email address which has made an unsubscribe request; on the other hand, you can’t even remember this address anymore to guarantee just that. But there is a solution. Hash function algorithms are used to generate fingerprints from an email address, which can be easily traced back to the email address. The digital fingerprints are then saved in the block list and compared to the fingerprint of each address to be imported. If there is a match, the address is blocked and should not be contacted.

The system works, but it has its pitfalls: first, the algorithms that the hash generates are caught up by technical development and are no longer considered safe at any given time. The second weak point is what are called “rainbow tables”: ingenious minds use common hashing algorithms to generate huge lists of input values ​​with fingerprints generated from them.

In these lists, you can search for fingerprints as in a lexicon and reconstruct the background entries, i.e. e-mail addresses. There is a cure for both of these problems. Fingerprints generated with an algorithm that is no longer secure can be hashed again with a modern and secure algorithm. And against the “rainbow tables”, help comes from salting (“salt”), that is to say a value which is added to the value to be coded, therefore the email address, before the hash is product. In this case, a separate rainbowtable should be created for each possible salting in order to find the email addresses, which is theoretically possible, but practically impossible.

So much for technical practice.

What about legal theory?

The general data protection regulation (GDPR) only applies to personal data. Email addresses are part of personal data, but what about hashed email addresses? According to the legislator, it depends on whether the encryption of (personal) email addresses using hashing algorithms is pseudonymization or anonymization.

Since the first simple hash method allows you to easily and effortlessly go back to your personal email address, this is just a pseudonymization. The fingerprints thus generated therefore continue to be considered as personal data and are therefore subject to the GDPR.

The second method is different: personal data which has been hashed several times with modern and secure algorithms and which has been provided with a salagene can be assigned to an e-mail address only with considerable effort . Data encrypted in this way is therefore considered anonymous and is not subject to the GDPR.

Experts from the Certified Senders Alliance (CSA) therefore recommend the second procedure, a little more complex, for the implementation of blocking lists, so that the GDPR is not applied. These legal and similar issues will also be discussed at a legal law workshop on April 12. The workshop is part of the CSA 2019 Summit program from 10 to 12 April 2019 in Cologne. Detailed information on the subject of blocking lists is also available here.

The Certified Senders Alliance CSA is a joint white list project of the ecoe.V. electronic commerce association in cooperation with Deutsche Dialog Marketing – DDV, the German association for marketing dialogue. For more information on CSA’s work, CSA certification and the technical and legal aspects of email marketing, visit https://certified-senders.org/de/.