This company deliberately deleted its customer email mailing list. Maybe you should too

JD Wetherspoon rids itself of toxic data.

This company deliberately deleted its customer email mailing list. Maybe you should too

Here’s the problem.

You’re a pub chain, with almost 1000 outlets up and down the UK and Ireland. Over the years you’ve collected masses of data about your curry-loving clientele, or at least those who have bought purchases online, connected to your Wi-Fi, or signed-up for your newsletter.

Why’s that a problem?

Sign up to our free newsletter.
Security news, advice, and tips.

Well, that data is toxic if you can’t be confident you’re protecting it properly to keep it out of the hands of hackers.

JD Wetherspoon, better known as “Wetherspoons” to its regulars, seems to be taking matters into its own hands.

The company, which is presumably still nursing something of a hangover after discovering in late 2015 that it had suffered a data breach involving the personal details of some 656,723 customers, has decided to delete its email database.

As Wired reports, JD Wetherspoon sent an email last week to members of its customer database saying that it would no longer be sending out newsletters, and would be permanently deleting their records:

JD Wetherspoon email

Dear Customer

I’m writing to inform you that we will no longer be sending our monthly customer newsletters by e-mail.

Many companies use e-mail to promote themselves, but we don’t want to take this approach – which many consider intrusive.

Our database of customers’ e-mail addresses, including yours, will be securely deleted.

In future, rather than e-mailing our newsletters, we will continue to release news stories on our website:

You can also keep up to date by following our Facebook and Twitter pages, using the links below.

Thank you for your custom – and we hope to see you soon in a Wetherspoon pub.

Why doesn’t JD Wetherspoon want to email you anymore?

TrashcanWell, they might be truthful in saying that recipients find the emails intrusive, and perhaps it’s not proving to be an effective way of promoting their special offers anymore.

But sending email is really cheap, so I find it hard to believe that it would be prepared to switch off the taps like that for those reasons alone.

No, I suspect JD Wetherspoon might have other concerns.

Such as the fines that the Information Commissioner’s Office (ICO) has recently imposed on the likes of Honda and Flybe, after determining that those firms had not properly received users’ consent to be sent marketing emails.

Honda, for instance, was unable to cough up any evidence that its customers had ever given consent to receive emails. Ironically, the car firm was caught out after sending 289,790 emails which attempted to clarify whether customers wanted to receive marketing emails or not.

In the ICO’s view, the firms should already know (and be respecting) that all of the recipients in its email list had knowingly consented to receive emails from them.

So, maybe JD Wetherspoon is worried that it has a huge number of email addresses – which it sends newsletters to on a monthly basis – but has never asked (or simply lost) explicit permission.

In such a scenario, maybe it makes sense to wipe the email database.

And with much tougher data protection regulations coming into force in May 2018 in the form of GDPR, it may be a canny move to securely wipe such information sooner rather than later.

You can hear us discuss more about GDPR, and its impact on businesses around the world, in this recent “Smashing Security” podcast:

Smashing Security #030: 'GDPR – The good and the bad'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “This company deliberately deleted its customer email mailing list. Maybe you should too”

  1. Mike

    We vote to leave the EU, to avoid their draconian 'Regulation' monster and we are still obliged by their regulations.

    Sorry people, in addition to this, the EU are secretly merging our Armed Forces with the EU. Brexit was an illusion and the globalists will have their freaking NWO.

    We could of just amended the UK's Data Protection Act instead if really necessary.

  2. Pete

    You can't legislate stupidity out of existence. Attempts to do so engender a police state, wherein everything that is not required is forbidden. That's not a solution.

    In my experience, many people act like morons with regard to the protection of their own personal information. They don't even question whether companies and other organizations (including "government" agencies) handle their data securely. And they provide information they should never provide.

    For example, many websites require customers to provide their date of birth to "prove" they're old enough to purchase or use various products or services. That's idiotic. An identity can be stolen if the thief knows your date of birth. (It happened to me.)

    Why not just ask users to confirm that they are at least (x) years of age? The answer to that yes/no question is much less harmful if it gets into the wrong hands. Yet, people hand over their date of birth routinely, without question. It's idiotic. If a company wants my business, they had better ask the right questions.

    Now the state is getting into the act, punishing companies that don't get in line with coercive rules that do absolutely nothing to repair damage that already has been done, or prevent future damage by people or companies who are going to behave irresponsibly anyway…not because they're evil, but because they're naive or downright stupid.

    The solution is proprietary, secure data management services to which companies and their customers can both subscribe, operating competitively in a free market, where success depends on competence, not on compliance with arbitrary coercive rules imposed by bureaucrats who have no stake in providing solutions that actually work in the real world. More legalized coercion won’t solve anything.

  3. Genie

    It is not a crime to approach somebody out of the blue and offer them a service or product, whether that is by email, letter, phone, social media, television ads, flyer handouts, branded trucks, Football short sponsors, Billboards, Blimps, flash dance troops, radio jingles, free stickers, … . What is GDPR supposed to be protecting us from – an overwhelmed email inbox??!!! I use Weatherspoons and I am happy to receive the newsletter.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.