Legal theory that obligatory disclosure of email address violates the GDPR minimisation principle
Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.
Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:
- They could send SMS notifications instead, if a data subject would prefer that.
- They need not send any notification at all, in fact. Reminders are why calendars and alarm clocks exist. A consumer can log in and fetch their invoice on a schedule. If a consumer neglects to log in during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).
They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.
Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?