My inbox this week has been one long apology. Every company I've ever handed an email address to has, all at once, discovered it cares deeply about my privacy and would I please re-confirm that I want their newsletter. GDPR comes into force on the 25th, and the deadline has done in a fortnight what years of polite suggestion never could.
The cynical read is right but incomplete. Yes, half these emails are theatre, a re-permission ask dressed up as concern. But behind the inbox spam, something genuinely useful is happening in the engineering. Teams I know are, for the first time, actually drawing a data map: what we store, where it lives, who it gets shared with, and crucially, how we'd delete it if someone asked. Most of them did not have a clean answer to that last one a month ago.
That's the bit I find quietly encouraging. "Right to erasure" sounds like a legal phrase until you try to implement it and discover your user data is smeared across a primary database, three caches, a search index, a pile of log files and an analytics provider you forgot you signed up for. The deadline is forcing people to know their own systems, and you can't delete what you can't find.
So I'll grumble through the re-consent emails like everyone else. But I'll take the regulation that made a hundred engineering teams finally write down where the data actually goes. That was always the hard part. It just took a deadline with teeth to make anyone do it.