Believe it or not, I have actually considered that possibility.
However, I think Grist looks like a great project and I can see they are reading the comments here. They might appreciate the feedback and it might not be hard to act on it.
Plus, they might be small enough to fly under the CCPA radar for now, but I suspect privacy matters to many people inside the USA too.
Is the implication here that if a company collects your email and sends you a message, that’s spam and not considering your privacy?
I’m genuinely curious - I run a SaaS and have spent way too much time ensuring privacy and refusing to use 3rd parties whenever possible. I get occasional emails from folks asking me to delete their email address in our system - we do not send almost any email ever and every email has an unsubscribe link - but I can’t sort out the goal - if you sent me an email so I get rid of your email - aren’t you… giving me your email? I can’t make it into a reasonable position in my head. What is the dream system from your perspective?
Thanks for asking. I'm using a broad definition of spam here although not quite as broad as the one in your question. :)
In ascending order of impact from slightly annoying to serious issue:
1. Sending marketing without consent. In the EU and UK this is unlawful (PECR regulation 22); elsewhere it's still highly unwelcome. This applies to users/customers who have chosen to sign up (just ask when you collect the data).
2. Sending reminders for unnecessary actions such as giving feedback. Reminders should be for genuine problems like unpaid invoices.
3. Missing/broken unsubscribe link or not acting on it. The latter is so common I began to doubt my memory and started saving screenshots. Even years later, marketing often resumes, perhaps after a botched provider migration.
4. Data breaches. Whether sold, given away or lost the effect is the same: too much spam to wade through (when looking for false positives), eventually making my email domain unusable and forcing a migration. I've used a different email address for every company to track this (> 20 years) and around 1 in 25 providers are affected.
Points 3 and 4 might help to explain why people are asking you to delete their data. Even if you have done none of the above, the well of trust has already been poisoned by others.
Companies that win my trust tend to follow a couple of broad principles: be transparent about how you use data (and keep promises), and give the user control.
To your last point, yes it's difficult to fully erase data immediately, especially by email.
By way of example, in cases where GDPR applies, a data controller might need to keep a record of the request for a while to demonstrate compliance. This is provided for in the regulation but the company would need to keep it for no longer than necessary, be transparent about how long that is, minimise what's kept and keep it secure.
In practice, the best thing would be to provide a self-service delete capability. Log in, go to My Account, delete account. Personally I don't mind an email confirmation. Good companies don't try to trap customers, and if I can delete my account easily then I will leave with a positive experience and probably return later.
Failing that, if I have to email you asking you to remove my personal data, I would make the calculation that having my deletion request in your inbox is not as risky as having it in your main customer database, which will likely be replicated to several other data processors as well. You could always send an email saying you've carried out the request and will then delete the email thread immediately after.
Not saying you should do any/all of the above but I hope it helps.