Whistling into the wind, a.k.a. controlling your personal data

Lars Janssen
17 min read · Nov 22, 2020

Finding myself stuck at home for most of the year, frustrated with companies inventing excuses to start pestering me again — not to mention the constant drip-drip of data breaches which is gradually turning into a steady flow — I decided it’s time for a clear-out of unused online accounts.

In case you think this would be easy, what with all that fuss about GDPR, prepare to reset your expectations. In this post I will share my learnings from trying to delete dozens of accounts. Offenders will be named and shamed.


Lesson 1: Your data gets everywhere

Imagine dropping a tub of marbles in the middle of a crowded shopping centre. You watch as they roll across the shiny floor, slipping between feet, down the escalators and into the hands of curious children. Do you think you could get them all back?

Your online activity ought to be more controlled than that, but in my experience it is not. For a start, you probably never owned as many marbles as you have online accounts. We use the Internet for so many things now, especially during the Covid-19 pandemic when most of us have moved even more of our life online.

I don’t know how many accounts you have, but I can tell you with depressing accuracy about my own situation. As it happens, I have been providing each organisation with a unique email address for the last twenty years, with only a handful of exceptions. Having my own domain name allows me to just make up any name for the part before the @ sign, so I include the name of the organisation I’m signed up for.

For example, if I place an order with Some Company, I would use:

me.somecompany@example.com

(Of course, example.com is not my real domain.)

I do this for the purpose of detecting and containing data breaches (more on that below). If an organisation leaks my address to spammers, the culprit is clear to see and I can block the affected address using email filters.

This also proved handy for auditing my online accounts. As my email domain is handled by Gmail, I only needed to download my archive (they provide a Mailbox file) and use various Unix command line tools to extract a definitive list.

It turns out that I have dished out around 1,100 unique addresses over the last 15 years. That’s a lot of accounts to delete!
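The audit described above can be reproduced with standard Unix tools. The script below is an added example, not the commands the author ran; the recipient headers it reads, the function names and the threshold of two sender domains are assumptions, and the sample archive is constructed.

```shell
#!/bin/sh
# Added example: audit per-organisation aliases in an mbox export.
# Only headers are read, so addresses quoted in message bodies are ignored.

# alias_pairs MBOX DOMAIN -> unique "alias<TAB>sender-domain" lines
alias_pairs() {
    awk -v domain="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    function emit(   s, a, sender) {
        sender = "unknown"
        if (match(from, /@[a-z0-9.-]+/))
            sender = substr(from, RSTART + 1, RLENGTH - 1)
        s = rcpt
        while (match(s, /[a-z0-9._%+-]+@[a-z0-9.-]+/)) {
            a = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
            sub(/\.$/, "", a)
            # Exact domain comparison, so example.com.evil.test is rejected.
            if (substr(a, index(a, "@") + 1) == domain) print a "\t" sender
        }
        from = ""; rcpt = ""
    }
    { sub(/\r$/, "") }                       # tolerate CRLF exports
    /^From / { if (in_hdr) emit(); in_hdr = 1; cur = ""; next }  # mbox separator
    !in_hdr  { next }                        # message body: skip
    /^$/     { emit(); in_hdr = 0; next }    # blank line ends the headers
    { line = tolower($0) }
    line ~ /^[ \t]/ {                        # folded header continuation
        if (cur == "rcpt") rcpt = rcpt " " line
        else if (cur == "from") from = from " " line
        next
    }
    { cur = "" }
    line ~ /^(to|cc|delivered-to|x-original-to):/ { cur = "rcpt"; rcpt = rcpt " " line }
    line ~ /^from:/ { cur = "from"; from = line }
    END { if (in_hdr) emit() }
    ' "$1" | LC_ALL=C sort -u
}

# list_aliases MBOX DOMAIN -> every alias that ever received mail
list_aliases() { alias_pairs "$1" "$2" | cut -f1 | uniq; }

# leak_suspects MBOX DOMAIN [MIN] -> aliases mailed from MIN or more distinct
# sender domains (default 2); each alias was given to one organisation only.
leak_suspects() {
    alias_pairs "$1" "$2" | cut -f1 | uniq -c |
        awk -v min="${3:-2}" '$1 >= min { print $2 }'
}

# Constructed sample archive (not real mail).
sample_mbox() {
cat <<'EOF'
From 1@xxx Mon Nov 02 10:00:00 +0000 2020
From: Some Company <orders@somecompany.example>
To: me.somecompany@example.com

Body text naming fake@example.com is ignored.

From 2@xxx Tue Nov 03 10:00:00 +0000 2020
From: Deals <promo@spam-one.example>
To: undisclosed-recipients:;
Delivered-To: me.shop@example.com

hello

From 3@xxx Wed Nov 04 10:00:00 +0000 2020
From: Shop <news@shop.example>
To: Other <other@elsewhere.example>,
 Me <ME.Shop@Example.com>

hi
EOF
}

tmp=$(mktemp) && sample_mbox > "$tmp" && leak_suspects "$tmp" example.com; rm -f "$tmp"
```

An alias flagged by `leak_suspects` is only a lead: organisations often send from several domains of their own, so check the sender list from `alias_pairs` before drawing conclusions.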

Prevention being better than cure, I also decided to try and cut down how many new accounts I set up. By “account”, I mean any time I give my contact details to a new organisation, for whatever online purchase or service, given that these details will almost inevitably be retained.

Since July, I have created a further 25 accounts. These cover health, gardening, politics, immigration, entertainment, clothing, food, coffee, travel, visiting attractions, virus scanning software, employee benefits, finance, flowers and controlling the lights. Ironically, a few instances are for services used to help protect privacy, or to complain about privacy issues.

Most of the goods and services were optional, but in all cases these things could not be obtained online without sharing any personal data.

Lesson 2: Data breaches are more common than you might think

A significant percentage of companies end up having their database compromised and I usually find out in one of these three ways:

  1. The spam folder. Remember all those unique email addresses I share? Isn’t it funny how, after selling a few items on eBay this year, I started getting spam sent to (something).ebay@(something). It’s an address I only ever shared with eBay, and the format is not easy to guess.
  2. The website ';--have i been pwned? provides the facility to search your email address for known data breaches. It also provides an API and a tool to search your whole email domain.
  3. Reports in the media. Some of the more high profile cases make the news, although most data breaches go unnoticed.

Based on this, the following are just some of the companies I provided unique details to and later found a breach involving that email address. It’s important to say that I have not proven all these companies are directly responsible:

LinkedIn, Secret Sales, Tigerline Ferries, Pine Solutions, Black Lane, Crumpler, Komedia, eHarmony, Mankind, 500px, Facebook, FairFX, Last FM, Lifehacker, Tumblr, Warehouse Express, Loqax, Fox & Sons, Whitewall, It’s Magic, Marriott, Monster, Pixmania, Amazon, eBay, Scan.

That’s over 3%, including a few I omitted, affecting companies near and far, large and small. In other words, at least one data breach for every 40 organisations. How many have you shared your data with?

A message from ';--have i been pwned? indicating that one of my email addresses was compromised.

Lesson 3: Companies hang onto your data for longer than they claim

It’s easy to hope that organisations will delete your data when it’s no longer needed. If you stop using some service and forget all about it, eventually they’ll forget about you. While this might be true in geological and astronomical timescales — even if the disks containing your data survive the next ice age, hopefully they’ll get wiped when the sun explodes — don’t expect it to happen in your own lifetime unless you ask for it to be deleted.

A quick look easily found a few accounts older than a decade lying around. For example Voiptalk — an Internet calling service I last used in 2008. My account — easy to access after they emailed me a new password in plaintext — still bears my name, email, phone number and order details.

The main culprits tend to be services outside of the EU that I have used over the years. Internet services (telephony, hosting, domain names) or travel (hotels, transport, WiFi hotspots). Closer to home, GDPR seems to have helped as I can find fewer accounts still active, with some notable exceptions.

Jessops is one example. I last ordered from this photography retailer in May 2010, but that doesn’t stop them from keeping an online account with my name, email, password and address. There is no delete button. Worst of all, they are not following their own privacy policy:

Where you have purchased goods from us, we will retain your data for a period of 6 years for legal purposes, to ensure that we are able to assist you should you have any questions, feedback or issues in connection with a product you have purchased from us or if any legal issues arise.

Perhaps they run a scheduled clean-up task every 6 years, and I just missed the last run?

Lesson 4: Just because they say they’ll delete your data, doesn’t mean they actually will

If you ask to be deleted, “fire and forget” doesn’t cut it.

Sometimes they simply drop the ball. In September 2016 I asked Marks and Spencer to delete my Sparks account once I learned that use of the service was conditional upon receiving marketing emails — a practice thankfully since outlawed by GDPR. They replied with the usual “sorry to see you go” and a promise that my account would be deleted within 48 hours. This August, lo and behold a fully functioning Sparks account (and rather tediously, with no self-service delete).

I’d sleep more easily if Marriott Hotels (also Starwood Hotels, Sheraton) took more care over customer data. Following a data breach spanning four years, I sent them a clear request for erasure back in 2018. Unfortunately I didn’t spot the ambiguity in their reply, which starts with the text:

We acknowledge your Data Subject Request.

But later goes on to say:

“Requests […] can be made securely by completing our form”

So, did they acknowledge my request or not? I found out the answer earlier this year, when they started sending me Covid spam. Their Data Protection Officer (DPO) insisted that I fill in a form in order to be deleted (hint: there is no such requirement in GDPR) and when I refused, proceeded to do this on my behalf resulting in a torrent of emails before I finally managed to extricate myself from their mess. This earned them a complaint to the Information Commissioner’s Office (ICO).

Companies will often take a shortcut known as “soft delete”, marking your account as inactive but keeping most of your data. If their database is stolen, do you think the criminals will look at the “active” flag?

Occasionally the soft delete is incredibly sloppy. Take LEAP for example, a firm that holds documents for lawyers. The conveyancing solicitors for my recent house sale and purchase used this company to share my documents and yes, of course, yet another account was created in my name. Clean-up after the event should have been straightforward; my solicitors are the data controller and well, they should be reasonably good at navigating legal issues, right?

They needed a few nudges but eventually passed on my complaint to LEAP who claimed to have deleted my account. It’s a pity they didn’t really delete it though. A quick password reset and there was all the data, as if nothing had ever happened.

Now I always schedule a reminder to check, although this won’t catch the cases where data is inaccessible to myself but still held and at risk.

Lesson 5: You cannot count on a reply to your data subject request

Article 12 of the GDPR states it clearly: data controllers have one calendar month to reply. In complex cases they can ask for an extension up to three months, but still need to respond within the first month.

Reality is a different picture. A surprising number of organisations simply ignore and stonewall.

Scan used to be a pretty decent retailer of computer parts, until the email address I provided them ended up in the Onliner Spambot Dump, so I tried to get deleted. As they have no DPO contact details, I was forced to use their online support portal, but received no reply.

In frustration at finding the lack of contacts, I looked at their job portal and found some contacts there. I sent the same email to several people, who turned out to be on holiday. Without concern for exposing their employees to phishing, I received several out of office emails providing further contacts. So I forwarded on and on. Eventually someone told me my request would be looked at, but a month later still nothing.

After that I sent another request to customer services, and randomly this one did get acted upon.

Beers of Europe has also gone decidedly flat. After discovering that they’d emailed my password in cleartext, I decided to remove the account. My request from August went unanswered, as did my follow-up that was emailed to several people at this organisation. My next step will be a complaint to the ICO.

Lesson 6: Your data is shared with many data processors, and they often have a mind of their own

A quick recap, simplifying somewhat: a data controller is the organisation you provide your data to and have an agreement with. A data processor is another organisation who they share your data with for various purposes. For example, the marketing department will probably copy your data into Mailchimp or similar.

While the data processor is jointly liable in the event of a data breach, the fact that they hold your data increases the chance of this happening in the first place. Fewer processors = less exposure to risk. Also more processors = harder to pin down the source of any particular data breach.

Amazon is surprisingly bad at this. To suggest this enormous retailer leaks personal data like a sieve would be a mischaracterisation. If you have ever poured water through such a device, no doubt you will have observed the sieve does, albeit slightly, impede the flow. I wish this were true of Amazon when it comes to my email address.

I have three ongoing complaints regarding Amazon:

  1. After purchasing a Fitbit, I received an advertisement for Amazon Alexa. This is unusual for Amazon; I tend to rely on this site as a spam-free zone. Had there been an unsubscribe link, I would have let this slide, but this clearly violates PECR regulation 22.
  2. On further digging I discovered that one of my purchases from 2009 had actually been from an Amazon Marketplace seller. Amazon tries to make it look like one shop so it’s easy to accidentally order from a third party, although there are ways to filter these out. This particular seller, Kikatek, had created an account on my behalf and, unnoticed by me at the time, emailed the password in plaintext. Eleven years later, the account remained active.
  3. In June this year I received spam, sent to the email address that I had only provided to Amazon. It was from “ITest Team [some obscure address]” with the subject “Welcome To Test New Product”. The body was pretty garbled and seemed to be inviting me to test something.

Ordering from Amazon routinely involves my email address being shared with marketplace sellers and couriers. In the case of the spam, it could have been caused by a data breach of any of these. I have since updated my Amazon email address and am considering using a new email address for each Amazon order, just so I can catch out any courier or marketplace seller.

As for Amazon’s response to the above complaints: I received numerous holding emails from “Executive Customer Relations” passing the case between one another, and the overall response was so garbled and disjointed that it’s going to take me a day’s work to piece it all together. The last email stated “we will not be entering into any further correspondence regarding this matter”, so I guess having sellotaped all the fragments together it’s going to be a complaint to the Information Commissioner’s Office.

TrustPilot presents its own unique challenges. There is a special place in hell reserved for this so-called reviews site. Firstly I don’t, well, trust it. Comedian and consumer champion Joe Lycett explains some of the scams; I can attest to the third of these having had a perfectly legitimate review suppressed after phone harassment by the vendor failed to change my mind.

Also, I suffer an allergic reaction to the email subject “A reminder to review <site>”. It is not my job to write reviews, I never agreed to do this and certainly do not need to be chided with reminders. Usually I avoid doing business with any website displaying the TrustPilot logo, but some businesses share data with them anyway, with nary a mention in their privacy policy.

The fact that Trustpilot has an unsubscribe mechanism is insufficient, because it doesn’t stop them from storing your data, nor does it help if you have more than one email address.

I recently had an exchange with Superdry about their Trustpilot spam. While they declined compensation based on the claim that Trustpilot is “genuine market research” (I hope you weren’t drinking anything while reading that), they did eventually agree to remove my data from Trustpilot.

So far I have found no effective vaccination against this particular disease, but the cure rests in Article 21 of the GDPR, and a reminder that when claiming so-called “legitimate interest” (Article 6), the burden of proof lies with the data controller that their interests outweigh yours. If they refer you to Trustpilot, after they shared your data with that organisation, they are plainly and simply wrong.

It isn’t only Amazon marketplace sellers who try to “acquire” customers from interactions with the data controller. After I purchased tickets from the website of a British tourist attraction, Eventbrite took it upon themselves to set up an “account” in my name and send me a marketing email about it (no consent by the way; companies need to remember that GDPR applies in addition to PECR, not instead of).

Eventbrite have clearly overstepped their role as a data processor and are trying to engage customers directly. When I put it to them, they claimed the marketing email was a “transactional email” (a common fib from the DPO toolbox, easily set straight by section 122(5) of the Data Protection Act), even though I’d already received a perfectly good booking confirmation, and assured me that while they store my data on behalf of the controller, they have not created an account. I suspect that if I had tried to access or delete my “account”, they might have created one. It all seems very murky.

Having put this to the actual data controller, they too have been unable to make sense of it and have instructed a law firm to handle the case. I’m now in discussions with that firm about why I don’t want to send them a copy of my passport. Meanwhile, my data remains in Eventbrite long after the event. What a mess!

Lesson 7: Attempting to delete your data often results in it propagating further

One thing companies often outsource is helpdesk software, with Zendesk being a popular example.

This doesn’t interact well with the other problem already mentioned, the lack of self-service delete. Picture the situation: you have your data stored with company X, and want it deleted to reduce the risk of data breaches. You ask them to help so they open up a support ticket with company Y containing your personal data and now the very data you tried to delete has propagated into another organisation’s database.

Given how sloppy many organisations are at managing their own databases, it seems unlikely they’d go to the trouble of deleting it from the likes of Zendesk afterwards. So I have to remind them to do that, and hope they do.

In the worst cases, I have been forced to create a separate support account, complete with email and password, in order to request deletion of the main account. DNS Made Easy are guilty of this, which is a shame as they’ve provided many years of good service.

Nevertheless, Namecheap wins the top prize for screwing this one up. They are yet another service provider with a missing delete button. I have to log a ticket with support and wait. But that’s only the half of it.

Their support system has its own authentication method, which relies on knowing the account username, email and a 4-digit PIN. Given the short expiry time of the PIN it’s probably just about secure enough, but after submitting my support request I got an email saying I’m registered on their helpdesk — with a password for the same in cleartext! For a company that sells SSL certificates, such a casual lack of regard for security is astonishing.

It’s extremely frustrating that I had to create a new (support) account in order to delete my old (main) account. This too lacks a self-serve delete button, so I had to send another support request for deletion.

Lesson 8: Updating your data is no better

If you move house, you can usually update your home address. But many companies use your email address as the primary key to identify your personal data, and they do not like changing it one bit.

In this regard, out of all the online supermarkets I would like to congratulate Tesco for being the most inconvenient and least secure.

All I wanted was to change my email address to my new domain. Their online account made this impossible without entering my ClubCard number. I thought I had ditched ClubCard years ago, but I was told ordering groceries online created a virtual one with a number not disclosed to me, which is required for me to update my data.

This forced me into phoning them, which I hate because it leaves me with no searchable record of the exchange (they might record calls, but I do not).

It only took 10 minutes but I was taken aback by the lack of security. They only asked for my postcode, surname and the new email address. A postcode and surname are incredibly easy to obtain, so anyone wishing to access my Tesco account only needs that information and to select a new email address of their choosing.

The call resulted in a password reset email being sent to the new email address, and nothing was sent to the old one. Had it been someone else trying to take over my account, they would be able to easily access all my personal data held there without my knowledge.

Dominos point blank refused to change my email address. When I pointed out that in GDPR Article 5(1)(d) the information needs to be “accurate and, where necessary, kept up to date”, their reply only addressed the first part:

Unfortunately, we cannot swap email addresses when a data subject wants an alternative email address on their account. The information is an accurate record of what was provided at the time.

Well that’s that then. Delete and go elsewhere seems like the best response.

Incidentally their privacy policy is as sloppy as their toppings, with misleading information about their joint controller relationship with the franchisee (hint: yes, you can send a GDPR request to Dominos in relation to the franchisee that actually processed the order if you need this; don’t let them fob you off).

Summary: How to delete old accounts

So, how do you actually get your stuff deleted?

Occasionally companies get it right, so it’s worth trying self-service as a starting point. You log in, go to “My Profile”, click Delete Account and poof, it’s vanished. They’ll probably need confirmation to prevent mishaps, and might respectfully ask for feedback. I’m not always deleting because of a problem so I try to give brief, positive feedback where it’s due. Finally, I prefer to receive a confirmation email for my records.

If this even works for you a third of the time, you are a fortunate soul indeed. Usually when building an online service, the ability for customers to leave is thoroughly neglected. After all, there’s no commercial incentive.

So in most cases, you need to send a request in accordance with GDPR Article 17 (“right to erasure”). I have a Google Docs template which I fill in and save as a PDF, asserting my rights as a data subject, but a simple one-line email ought to work just as well. According to the Information Commissioner’s Office:

The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for erasure verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.

A request does not have to include the phrase ‘request for erasure’ or Article 17 of the GDPR, as long as one of the conditions listed above apply.

You’ll usually find the Data Protection Officer (DPO) email address in the company’s privacy policy. That is the address you should use. If they list their main customer service address there, expect an inept response (lately I have stopped signing up to companies that lack a dedicated DPO address).

Sometimes companies try to put up hurdles to discourage you from exercising your rights. The most egregious of these is the Subject Access scam — asking you to provide sensitive documents such as photo id and proof of address knowing that it takes you time and effort, and that you might not want to share such documents. If you did not need to provide photo id when signing up — as might be the case for financial services and the like — it is not reasonable to expect you to provide this additional data now. Most DPOs will relent if you reply as follows:

Requests for ID must be reasonable, in line with Recital 64 of the GDPR. I have not previously provided you with photo ID or proof of address and I will not do so now. Please respond within one month of my original request, using the data I have already provided as a means of identification.

The bit about responding within one month is a reference to GDPR Article 12; as mentioned above, the data controller usually has one month to respond. Some of them falsely claim that the clock only starts once you have provided photo id, your life history, blood samples and the like. It does not.

In short: try self service, try emailing the DPO, don’t accept the DPO’s first response as more than half the time it will be wrong. If that doesn’t work, you could just try contacting another part of the organisation — when internal processes are inconsistent, they might just do the right thing by accident.

Parting thoughts

Deleting your data is hard. Ridiculously hard. Perhaps the most important lesson I learned is not how to delete data, but why it’s so important to avoid sharing it in the first place.
