Everything I have been reading on mailto: requirements has been about the company sending the email or using a website form to submit information.

My situation is: on the company website, a lot of information on various topics is presented. The website does have a policy statement on all pages. If visitors want additional information, they use the link to initiate the email to the company email address. The website does use the HTML mailto: to prepopulate the company email address.

Is an opt-out required when the visitor sends the email to the company requesting the additional information?

schroeder
    I'm voting to close this question as off-topic because this is not about information **security**. You might try at [law.se] which cares about such legal questions. – Steffen Ullrich Feb 14 '19 at 20:59
  • And I don't even understand the question. The user sends the company an email, and "what" opt-out exactly should be relevant here? Made when, why, by whom, opting out from what? And what's the relevance of OWASP for your question? – deviantfan Feb 14 '19 at 21:32
  • If you are asking about GDPR requirements, yes, you need to provide opt-in/opt-out controls to the data subject, but in this case it would not be necessary ***if you only use the email you gather only to respond to the question*** and purge the data when no longer needed to maintain the communication. – schroeder Feb 15 '19 at 10:37

1 Answer

As mentioned by @deviantfan in a comment, your premise seems wrong.

So, suppose someone writes you asking for additional information (e.g. "I am moving to Finland next month, do you have a store there?"). Let's assume they have dutifully read your privacy policy, which is nevertheless unlikely.

What is the opt-out you think may be required? IANAL, but it seems trivial to me that (unless there is some weird case that needs to be taken into account) you can reply to them ("No, sorry, we have no local presence there").

Were you perhaps going to add that person to a mailing list so they get daily/weekly/monthly mails about your products, despite having expressed no desire for that (or only implicitly, by sending you an unrelated mail)? I don't recommend doing that, but in that case I certainly would mention in the reply that they would start receiving your spam unless they opted out. Are you even automatically adding to such a mailing list any address from which you receive mail? (Even worse, since the email could be spoofed.)

If you don't use that address for a mailing list (the most common context for including an opt-out link), there would be no need to state how to opt out of such a non-existent mailing list. You may wish to state nevertheless that the provided data is being stored according to the regulations of EU directive 2016/679 and that they may access it, etc., by doing XYZ (probably not needed at all, but your legal department may wish you to include such a reminder anyway).

And all of this has no relationship at all with OWASP. The OWASP Top 10 Application Security Risks, published in 2017, were

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring

As you see, none of them relates to opting out. You seem to be confusing two completely different lists of recommendations.

Ángel
  • It took me a while, but I see what the OP is asking. When gathering emails, under GDPR, at least, you need to provide opt-in/opt-out controls to the user. I *think* that's what is being asked. – schroeder Feb 15 '19 at 10:36