The Right to be Forgotten
The General Data Protection Regulation (GDPR) is, in my opinion, one of the best things to come out of the European Union in recent years. Thankfully after the insanity that was Brexit we copied it over to the “UK GDPR” in an almost exact copy.
Whilst GDPR has its annoyances, especially for those in customer services who constantly have to repeat the term “passing data protection”, for me the “Right to be Forgotten” (or since Article 17 the “Right to Erasure”) is something I highly value and simultaneously find incredibly frustrating.
Part of my 2023 goals is to reduce my extraneous online accounts. As background, within 1Password I have over 750 logins. Each of these accounts is secured with uniquely generated, high-entropy passwords and two-factor authentication where applicable. I am not concerned over password reuse and as a result being ‘pwned’, as my security model mitigates this risk. I am more concerned about the number of locations where personal information such as my address and phone number is located unnecessarily.
For example, the website I once bought a cravat from and subsequently returned it: do I really need an account with them? No.
So I started 2023 by creating a “To be closed” Vault in 1Password and have gone off merrily closing accounts on websites I have no intention of using again, processing a few a day in lieu of scrolling social media when I have a few free minutes.
This is where the frustrating element of my description comes in.
I have now closed over 70 accounts, from the likes of BMW to the aforementioned cravat supplier and Shopify, and the results have been… mixed.
Some companies make it very easy to delete your account and associated data; for example, Figma and Set App shine here. They make exercising my rights under GDPR a simple, smooth process.
Then we have the middling companies who have a fairly easy process but make you wait 7 days before erasing your data, such as Shopify. This is acceptable, albeit irritating.
Then we have the bad ones.
My definition of “bad ones” is the companies that have no “Delete my account” link, those that make you dig through a privacy policy or search the web for a contact email to close your account down.
This last category is, sadly, probably 50% of the companies I have encountered. I won’t name any names, but a number of them have been surprisingly large, EU-based companies that really should know better. Frustratingly they don’t, and even emailing them is a painful process whilst they redirect you again and again to find the right team.
Just delete my data.
Thankfully there are a few websites that generate boilerplate emails for you with the correct contact details for some companies, but in 2023 these really should not need to exist.