GDPR and trying to delete 137 of my online account
Over the years like most people I have gathered a long list of online accounts, a digital fingerprint spreading across the internet.
Over the years like most people I have gathered a long list of online accounts, a digital fingerprint spreading across the internet. Some of these accounts I was forced to create to purchase a single item, as far back as seven years ago, and with no easy way to delete these accounts, they sat there dormant.
Before we found out social networks were losing our data, governments were tracking everything and elections were being manipulated, it was a social faux pas to be privacy-minded and wanting to protect your online data.
Then 25th May 2018 came, and it was privacy party time.
Thank you GDPR đ
GDPR is a mandate from the EU to any business that serves EU based customers. The actual mandate is a long read, but an essential part is that companies have to offer you the ability to delete your data. If there is data they wish to keep they need a good reason for doing so; a valid example would be an invoice for services rendered.
As the fines for failing to implement the requirements of GDPR are substantial, combined with some media scaremongering, companies filled our inboxes with double opt-ins for marketing materials and data privacy officers were very busy.
The most secure data is no data
Iâve got 137 accountsâŚ
Every day we hear about how another online service that has been hacked, data turns up on the dark web or social phishing campaigns, resulting in millions of online identities becoming compromised.
Having gathered hundreds of accounts over the years, it was time for a cull; the first round was to delete 137 online accounts, it was much harder than I thought.
Easy to delete
There are companies that make the process of deleting your account extremely easy (surprisingly not that many). By just logging into my account, I was able to navigate to settings, scroll to the bottom of the page, tap âdelete my accountâ then read a confirmation message to type âyes, deleteâ. I would get logged out of my account, and it was deleted.
Some of the services deleted in this way would require email validation, so when confirming the deletion, you received an email with a confirmation deletion link to finalise the process. This would action the deletion either straight away or advise the account would be deleted within 72 hours.
So many emails
The accounts that didnât offer an easy deletion option within the âmy accountâ section meant searching FAQs, privacy policies and submitting messages to generic contact forms. This was the most time-consuming part of the process as many sites didnât make it clear how you delete your account.
Though due to the EU mandate many companies would respond quickly to my request with the subject âdelete my accountâ. Most sites I contacted via their generic email address or a data privacy specific email address deep within a privacy policy.
One thing I found with several services was their âdelete my accountâ button didnât work; some went to pages that 404âd (page not found) and others didnât do anything (literally, when inspecting the code). You would hope this was just a bug, though after reporting I wasnât offered a âwe will fix itâ or an apology. This is possibly out of their embarrassment though it does make you think negatively of the company in question. Asking for ID
Several of the websites on my list had outsourced their GDPR needs to third-party services, these services were a pain and made the process ten times harder than it needed to be. Once re-confirming my details, I was asked for my government ID to validate who I was. This I still donât have an answer to why they require this ID, I am sure it is just ticking boxes for ticking boxes sake.
The worse site was a requirement to store my government ID for 180 days after my account has been deleted, but not to worry because the data âis safe and encrypted securelyâ đ.
WordingâŚ
When a company says they have deleted your account, donât believe they have deleted your data. Some sites would have five confirmations to delete your account and then on the final confirmation it would say âyour account has been deactivatedâ. Deactivated, what does this mean?
There were three different types of wording I encountered:
- Delete your account
- Deactivate your account
- Disable your account
It is understandable that services will need to keep a record of your account, purchases or events for auditing purposes. Looking through the small print of privacy policies and contacting the services it was clear that many services were still trying to preserve data and they were just disabling or removing marketing details (Not deleting my data).
I was surprised to the wording of some emails I got asking me to confirm my deletion âyou may not be able to create a new account if you delete your detailsâ, was this a threat to deter me in deleting my account? I understand this point is there to discourage people from closing an account to creating a new one to be eligible for discount codes, using the discounts, then deleting the account and then potentially repeating the cycle. Maybe the communication language could be improved for those not trying to screw the system.
Remember when you are deleting your account, you could also be deleting other data such as licence keys, therefore, companies may ask you repeatedly to confirm the deletion. This was annoying with one site but understandable. Deleting 10 licences is different to deleting 1,000. They are making sure you are doing what you intended too.
2 factor fun
Out of all the accounts I had, one account has 2 factor enabled, but I had lost the 2-factor code as I hadnât used the service for a few years. Contacting customer services I was advised my delete request couldnât be actioned with 2 factor enabled.
Now, this is an excellent security practice; the follow-on was to ask me ten questions about my account to validate who I was. If I had used this account recently, these questions would have been easy to answer, but I couldnât answer at least half. Without this, the service refused to assist me further even though I have a backup mobile number on file that I could be validated against.
I understand they are protecting the security of their accounts, but sometimes the automated responses or scripted process doesnât cover all use cases. Sometimes you do need to be able to speak to a person⌠(I am still waiting for this one to be resolved).
Summary
The process of deleting all these accounts has taken much time including the back and forth. The good news is businesses seem to be taking note of this EU legal change and adding deletion into their services.
The bad news is there are companies that arenât implementing deletion well and I can only guess it is because they want to hold on to subscriber numbers as a measure of a KPI (though this is just a guess). These are the companies the will send you a marketing message three days after your deletion was âactionedâ.
The problem is, and someone needs to resolve it, is you never know if your data has been deleted. I am waiting for a haveibeenpwned.com alert of an account I have âdeletedâ in the coming months as they have just deactivated my account not deleted it.
My question is, will this start to change the way services and their development teams build their technology with privacy in mind and ask themselves:
a) do we need that data now b) what happens if we get hacked, did we need to store that data.
GDPR for all its bad press is pretty awesome, and the whole world has the EU to thank for it. I could have written 10,000 words on the experience as there were so many moving parts and it continues now as I get marketing emails from accounts have deleted or have I deactivated but at least I now have the option to even delete.