> > Your comment and others talk about what is reasonable or necessary. And I agree, this seems like common sense. But it's a point of view, and not stated explicitly in the statute. I would not be surprised if a company's legal&compliance department decides that it's safer to just forbid storage of email addresses.
> It is in statute: this is classic GDPR Article 6.1(f) "legitimate interest" [1]. You need to be able to communicate with the users and email is the normal way to do that.
The thing is, there's nothing stopping you seeking to collect and store as much PII as you like, *as long as* you abide by the rules! I work as an analyst for an online retailer; I'm also a volunteer for a charity maintaining a (e- and snail-mail) mailing list. As such I'm subjected to a lot of compulsory training, including GDPR.
And as I see it, PII falls into two categories. If you can come up with a *good* answer to the question "Why do you *need* this info?", you can collect it no problem. That "are you 16?" question - you need to know the answer in order to comply with the law - you can collect it no problem. But if SUSE, say, wanted to know our home address - why? - they need to get *informed* consent to collect it unless they're mailing us a DVD or something. (Like SuSE did to me many moons ago :-)
The other thing about informed consent is it has to be voluntary - "we won't do business without it" can NOT be informed consent, but with informed consent you can collect anything you like. You can think up any excuse you like, and if the customer buys it, no problem (unless, of course, you fall foul of "but it wasn't informed consent, the detail was in a filing cabinet behind a locked door with a sign saying "beware of the leopard", on Alpha Centauri").
The corollary of collection, of course, is storage and processing. You are allowed to keep it for as long as you *need* it, or the subject's permission lasts. And you must keep it safe, and dispose of it as soon as whichever of those conditions ceases to apply. That "I am a minor" reply? You can process it, your web server responds "I'm sorry you're under age, go away", AND YOU DELETE ALL TRACE OF ANY PII.
Part of the trouble, I believe, is what has been pointed out before. American law says what you must do, American lawyers want to be able to tick off a list that says "we followed procedure" (past tense). European law is much more involved with results, we have a "do our procedures achieve the desired aim" (current tense) mindset.
The correct approach to the GDPR is (1) Are we asking for more information than we need? If so, (2) are we making sure we get permission? (3) EVERY time it is accessed, is it for necessary purposes, or within the subject's grant of consent? And (4) are we running cleanup processes regularly to get rid of stuff we no longer need? Everything there is present tense, anathema to an American lawyer. But really, it's not hard, and if you're up-front and honest about what you're doing you'll find it hard to go wrong. Secondly, the chances are the regulator will come around and have a quiet, off-the-record chat and give you a decent opportunity to put things right, but firstly the chances are your customers will put you on the straight and narrow pretty quickly! Just don't give the regulator the impression he's being played. Things can get nasty pretty quick. The law is intentionally vague to make it easy to catch "breaking the spirit of the law". But it plays the other way too - the regulator won't go for someone trying to play fair, because it's too easy for the Judge to let them off.
(And (2) includes implied permission - if they *choose* to interact with our services, I won't say that authorises *everything*, but it's hard for them to argue they didn't agree to the server showing their posts to all and sundry, for example - that's what servers do!)
(Just note how I worded (3) - that includes unauthorised access! So you just don't allow unauthorised access :-)
Cheers,
Wol