GDPR and trying to delete 137 of my online account
Over the years like most people I have gathered a long list of online accounts, a digital fingerprint spreading across the internet. Some of these accounts I was forced to create to purchase a single item, as far back as seven years ago, and with no easy way to delete these accounts, they sat there dormant.
Before we found out social networks were losing our data, governments were tracking everything and elections were being manipulated, it was a social faux pas to be privacy-minded and wanting to protect your online data.
Then 25th May 2018 came, and it was privacy party time.
Thank you GDPR 🎉
GDPR is a mandate from the EU to any business that serves EU based customers. The actual mandate is a long read, but an essential part is that companies have to offer you the ability to delete your data. If there is data they wish to keep they need a good reason for doing so; a valid example would be an invoice for services rendered.
As the fines for failing to implement the requirements of GDPR are substantial, combined with some media scaremongering, companies filled our inboxes with double opt-ins for marketing materials and data privacy officers were very busy.
The most secure data is no data
I’ve got 137 accounts…
Every day we hear about how another online service that has been hacked, data turns up on the dark web or social phishing campaigns, resulting in millions of online identities becoming compromised.
Having gathered hundreds of accounts over the years, it was time for a cull; the first round was to delete 137 online accounts, it was much harder than I thought.
Easy to delete
There are companies that make the process of deleting your account extremely easy (surprisingly not that many). By just logging into my account, I was able to navigate to settings, scroll to the bottom of the page, tap “delete my account” then read a confirmation message to type “yes, delete”. I would get logged out of my account, and it was deleted.
Some of the services deleted in this way would require email validation, so when confirming the deletion, you received an email with a confirmation deletion link to finalise the process. This would action the deletion either straight away or advise the account would be deleted within 72 hours.
So many emails
The accounts that didn’t offer an easy deletion option within the ‘my account’ section meant searching FAQs, privacy policies and submitting messages to generic contact forms. This was the most time-consuming part of the process as many sites didn’t make it clear how you delete your account.
One thing I found with several services was their ‘delete my account’ button didn’t work; some went to pages that 404’d (page not found) and others didn’t do anything (literally, when inspecting the code). You would hope this was just a bug, though after reporting I wasn’t offered a ‘we will fix it’ or an apology. This is possibly out of their embarrassment though it does make you think negatively of the company in question.
Asking for ID
Several of the websites on my list had outsourced their GDPR needs to third-party services, these services were a pain and made the process ten times harder than it needed to be. Once re-confirming my details, I was asked for my government ID to validate who I was. This I still don’t have an answer to why they require this ID, I am sure it is just ticking boxes for ticking boxes sake.
The worse site was a requirement to store my government ID for 180 days after my account has been deleted, but not to worry because the data “is safe and encrypted securely” 🙄.
When a company says they have deleted your account, don’t believe they have deleted your data. Some sites would have five confirmations to delete your account and then on the final confirmation it would say “your account has been deactivated”. Deactivated, what does this mean?
There were three different types of wording I encountered:
1. Delete your account
2. Deactivate your account
3. Disable your account
It is understandable that services will need to keep a record of your account, purchases or events for auditing purposes. Looking through the small print of privacy policies and contacting the services it was clear that many services were still trying to preserve data and they were just disabling or removing marketing details (Not deleting my data).
I was surprised to the wording of some emails I got asking me to confirm my deletion “you may not be able to create a new account if you delete your details”, was this a threat to deter me in deleting my account? I understand this point is there to discourage people from closing an account to creating a new one to be eligible for discount codes, using the discounts, then deleting the account and then potentially repeating the cycle. Maybe the communication language could be improved for those not trying to screw the system.
Remember when you are deleting your account, you could also be deleting other data such as licence keys, therefore, companies may ask you repeatedly to confirm the deletion. This was annoying with one site but understandable. Deleting 10 licences is different to deleting 1,000. They are making sure you are doing what you intended too.
2 factor fun
Out of all the accounts I had, one account has 2 factor enabled, but I had lost the 2-factor code as I hadn’t used the service for a few years. Contacting customer services I was advised my delete request couldn’t be actioned with 2 factor enabled.
Now, this is an excellent security practice; the follow-on was to ask me ten questions about my account to validate who I was. If I had used this account recently, these questions would have been easy to answer, but I couldn’t answer at least half. Without this, the service refused to assist me further even though I have a backup mobile number on file that I could be validated against.
I understand they are protecting the security of their accounts, but sometimes the automated responses or scripted process doesn’t cover all use cases. Sometimes you do need to be able to speak to a person… (I am still waiting for this one to be resolved).
The process of deleting all these accounts has taken much time including the back and forth. The good news is businesses seem to be taking note of this EU legal change and adding deletion into their services.
The bad news is there are companies that aren’t implementing deletion well and I can only guess it is because they want to hold on to subscriber numbers as a measure of a KPI (though this is just a guess). These are the companies the will send you a marketing message three days after your deletion was “actioned”.
The problem is, and someone needs to resolve it, is you never know if your data has been deleted. I am waiting for a www.haveibeenpwned.com alert of an account I have “deleted” in the coming months as they have just deactivated my account not deleted it.
My question is, will this start to change the way services and their development teams build their technology with privacy in mind and ask themselves:
a) do we need that data now
b) what happens if we get hacked, did we need to store that data.
GDPR for all its bad press is pretty awesome, and the whole world has the EU to thank for it. I could have written 10,000 words on the experience as there were so many moving parts and it continues now as I get marketing emails from accounts have deleted or have I deactivated but at least I now have the option to even delete.
I am putting a talk together that goes into my GDPR deletion experience if your interested in hearing this talk at your meetup/event/conference, please send me a message to firstname.lastname@example.org.