Open zecamigo opened 3 years ago
I routinely see "Cancelled" accounts with access to full private personal data.
Thanks for the heads up. We're aware that some websites might not be doing exactly what they're claiming, but sadly it's a bit out of our reach. Do you have a suggestion?
@tupaschoal
My suggestions are
@tupaschoal "some websites might not be doing exactly what they're claiming"
Under GDPR, for example, the request must be clearly and correctly formulated. One thing is requesting "close my account", or clicking 'cancel my account', or "deactivate", which allows them to keep your data. Another thing is "delete my data", or "under GDPR I request to delete my account and all associated information" which must be respected. Two separate procedures.
Another thing: some platforms will be transparent enough to tell you they will keep the information required by law, or to prevent fraud. This is common practice and they should not be classified lower for this. For example gig economy platforms where people will meet in person, or dating sites have a legal and legitimate interest in keeping some data for some time to keep users safe.
E.g. for WhatsApp https://www.datarequests.org/company/whatsapp/
direct people covered by decent data protection laws (GDPR, CCPA, etc.) to the right channels (e.g. DPO), instead of using the "delete" feature, which might not work to effectively delete your data even on major, law-complying platforms.
I think that it might be hard to cover every ground.
add a disclaimer that it may not work (or only in appearance), and a link to a relevant digital rights organization for other users (for campaigning for better rights)
I think that fits right into our footer, wanna give it a try to PR a suggestion in there?
I can confirm I once tried to delete my account on a site called Keypost, and they confirmed to me that my account was deleted, but trying to log in to it after a day worked completely fine and all my info was still there.
Along these lines, it might be a nice idea to at least codify in the contributing documents or readme whether the project aims to list methods of deleting just the account or to delete as much associated PII as possible (I figure the latter is always preferable) as there are cases where two different paths of action result in one or the other and contributors may want some clarity when adding entries.
That's a good point, I think we strive for as much as we can get in terms of information. If a given person has only gone as far as getting how to delete the account, that's fine, but if they also have all the steps on how to delete all the personal information, even better.
TL;DR My account wasn't deleted, as I was led to believe, but rather disabled. After chatting with support, I (think) it was deleted.
TL;DR 2 I suggest we make a general guide on how to account for these scenarios.
I recently tried to have my account at Reservio deleted. After doing as instructed by their support, I had seemingly succeeded in deleting the account. Some hours later, though, I started getting e-mails from their system, which means I must not be deleted. When trying to log in, the login page just refreshed upon submitting my details, which seemed off to me. Figured I'd try the password reset, and just as I had expected, I was sent instructions on how to reset the password of my account — which should no longer exist. After resetting the password, I still couldn't log in, though, so my suspicion was correct: my account was merely deactivated. I contacted their support, and they quickly deleted my account. Or so I think, at least.
If this was simply a mistake or by intent, I don't know, but below are my suggestions based on what I usually do.
Here's what I usually do, and would recommend others do.
Disclaimer: This will in no way make you certain that your data is completely gone, but will make it harder to process for the services you're trying to quit.
You cannot know for certain that your data is actually permanently deleted — although it must be according to the law in most countries. As such, it's a good practice to manually edit any information you have submitted to the service before requesting the account's deletion.
Below is a list of data I usually look for, which I personally don't wanna leave floating around for no reason.
There's an easy check to quickly check if your account has been deleted or simply made inaccessible for you.
We should maybe add something about why we think that you should care about not leaving personal data behind. I bet most people care if they're actively trying to delete the accounts, though. However, this can become quite political, and we might not be interested in that.
Thanks for the comment, I think one such section would be useful, and it would probably be very close to what you've written. It should probably reside in the About section, or somewhere close to that, my only concern is if people ever get there.
Quick and easy blog post, mentioned at the top of the site, with a link to services like "simplelogin.io", "anonaddy.com", "fakenamegenerator.com" would be a great solution for this problem indeed. The only issue then would be keeping it up to date. Maybe instead mentioning a website like "thenewoil.org" would also work great. I know the guy running it, and I trust him. Depends all on what you guys wanna do really.
I'd like to call out that platforms do routinely keep deleted accounts for normal account cancellation requests. This means that you click somewhere "delete account" but this will usually just mean you lost access to your data and it doesn't display publicly.
I know this as an insider.
If your local laws are protective, you might have to direct your communication or write to the data protection officer or the right department. It can also work to mention GDPR or similar law and probably it will reach the right people.
See https://www.mydatadoneright.eu/ for how to contact GDPR officers for protected locals only.
Otherwise you may be misguiding people into losing access to their accounts with no privacy gain.