I wonder whether that's GDPR compliant. If I give you permission to contact me on me+alias@example.com and you strip off +alias and then contact me on me@example.com, you've inferred data about me I haven't explicitly given you. One could argue that's in a similar ballpark to running a geoIP lookup and then sending me mail through the post.
It seems rude (like if I told you to drop off a package at my back door and you put it by the front door), but I given the existence of RFC 5233 I don't see how this would be "data about me I haven't explicitly given you".
Also, if you try to mail people based on GeoIP data, you're going to have a bad time.
It's about permission. If I give a company a certain set of contact details, and they run some process to find other ways to contact me that seems unfair and beyond what I've given permission for. The fact that it's trival to find my real email from an alias I think is irrelevant - it's still an abuse of trust. Like I say, I can see a correlation with more invasive methods of finding other ways to contact me that I hadn't granted the company (imagine if they start contacting you on social media just because they could look up your profile from your name).
You could argue that a major feature of the GDPR is to legislate that just because a company can do something, doesn't mean it's allowed to do it.
The 'detail' is optional, and doesn't infer any privacy.
It's kind of like if you get mail delivered to:
nprateem, office 2, university of ycombinator
and instead they only store:
nprateem, university of ycombinator
Odds are, mail will still be delivered to you, but it might not come to office 2, and might come to office 1 instead. It's not what you wanted, but there's absolutely no impact to your privacy by them stripping away additional details.
If you decide you no longer want to receive email from user+detail@domain.com it's easy to set up a blacklist filter. If they circumvent that and email you at user@domain.com you've lost that alias and easy way of blacklisting them. And presumably if someone had wanted to be contacted at user@domain.com they would have provided that email in the first place. So I don't think your analogy holds.
Fair, the analogy doesn't hold onto the functions provided, but RFC 5233 is very clear that the user+detail separation does not provide any privacy protections, nor can it.
The 'user' part is still public information, as is what it's used for. There should be no expectation of privacy for information being used per specification design.
The usability trade-off is a shame, but the solution was half-baked at best, and is primarily useful when combined with privacy-sacrificing public email providers. When you have greater control of your email, distinct 'user' parts can be used, which does provide the privacy aspect desired.
we’re a B2B app, it’s unlikely a random user will sign up for our service as it’s quite expensive and contract negotiations happen before the account is activated. we also never send marketing blasts or sell (or even collect) any information about our users. we also don’t operate in any country requiring compliance with the GDPR.
> we also don’t operate in any country requiring compliance with the GDPR
You know it's nothing to do with the country you operate in but the nationalities of your customers though don't you? You could only have a presence on the moon but if you had any EU customers you'd still be bound by the GDPR AFAIK.
