submitted 4 months ago by SnotBubble@lemmy.ml to c/privacy@lemmy.ml

22 comments fedilink hide all child comments

Hello, I wrote a mail template which I send to websites that don't have an easy process of deleting an account.

Maybe it helps you, maybe you will use it too for when you want to delete your unused accounts and maybe you can contribute to it. The better the message gets and the more websites offer an easy way to delete accounts, the safer we'll be online.

If you can influence the deletion policy, please read on. Otherwise, please forward this to someone that can influence this process.

It's better for the business to offer an easy way to delete an account. Ideally, it would be good to delete accounts which weren't active for more than say 5 years, with a mail notification beforehand. Why? Here are the main reasons:

There are higher operation and maintenance costs because you have unused accounts in your databases.
The services load slower, with a performance penalty, because each user-related query has to go through many unused users.
The people opinion of your services decreases, because you don't offer an easy way to delete accounts
People might change their mail to a throw-away address and leave the account open, thus producing more waste than necessary.
In case of a security breach, the amount of compromised data is higher than in case you regularly delete accounts, which might lead to financial penalties.
The information you get out of a database with active accounts is much more precious than the information from a stale database, or one with obsolete data.

I hope this information helps and that you will change your policy of deleting accounts. Each website that does this, contributes to a better, safer ecosystem.

all 23 comments

sorted by: hot top controversial new old

[-] AnEilifintChorcra@sopuli.xyz 23 points 4 months ago

I usually just write

Hi,

Please delete my account and all data associated with this email in accordance with Article 17 of GDPR, I'm an EU citizen

Thanks x

I just assume if they haven't made it easy to delete your account by now then they never will but these are really good points that will hopefully make companies change their policies, especially since its all things that benefit them

[-] lazynooblet@lazysoci.al 4 points 4 months ago

Can't a non EU holder of your data tell you to kick rocks?

[-] Boot@lemmy.ml 12 points 4 months ago

No, because by processing EU personally identifiable information a non EU company becomes a data controller / processor as defined by GDPR and has to comply with its requirements including data subject rights, such as the right to access, rectification or deletion.

Well, they can still tell you to kick rocks obviously, in which case you could report this to your EU regulator as empowered by the GDPR. If a regulator decides action is necessary this would follow the sanctions as set out in GDPR (maximum of 10 million or 4% gross worldwide annual turnover).

[-] lazynooblet@lazysoci.al 2 points 4 months ago

So say a local Australian software company tells you to get fkd. What can the EU regulator do?

[-] Boot@lemmy.ml 5 points 4 months ago

Assuming you’re a EU citizen, you could file a compliant with your regulator. For instance, the UK has the ICO (Information Commissioners Office). They would, based on severity, risks and their own investigative priorities, make a decision on whether or not to actively pursue your complaint. Generally speaking, it would have to be a pretty big issue to warrant an investigation because of the sheer amount of complaints and data breaches.

Assuming they have both their resources and priorities aligned on your complaint, they could

request information regarding the matters in your complaint (proof on way of working, how the matter should be settled, etc)
start a limited investigation (there could be something amiss but it doesn’t seem to warrant a full investigation
start a full investigation with the aim to ascertain compliance with GDPR

The specifics can vary depending per member state and generally speaking are set out in the GDPR. If a company outside of the EU has been processing PII and does not comply materially with the GDPR they can fine them. Furthermore, they can order a stop of any data transfer out of the EU to the company or its sub processors to effectively stop all processing.

Basically, your complaint can lead to a company having the living daylights fined out of them, regardless of wether they themselves operate in the EU.

[-] lazynooblet@lazysoci.al 3 points 4 months ago

Okay, I understand so far.

What I am struggling with is the limitations of duristriction.

So the EU finds the Australian company in breach of their rules. They send a notice of intent to pursue damages to the Australian company. And they tell the EU to kick rocks.

Surely laws made up in one country don't apply in all. The internet makes this a muddy area, as it's fully connected and nothing is stopping Joe in Netherlands from signing up to a service hosted in Vietnam. The Vietnam company can just ignore GDPR, ignore requests, ignore fines.

[-] Boot@lemmy.ml 4 points 4 months ago

That’s a valid point and relates to a nation’s sovereignty. If they don’t recognise an EU legislation, it will be difficult. That’s why overarching legal frameworks exist to allow one country to enforce court decisions in another country. The EU uses this: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A32012R1215. Other countries have treaties.

In other cases, if no treaty exists it could require starting legal proceedings in the country where the company resides. For instance, Australia. And through local arbitration enforce a court decision, based on the legal framework of the country of residence. It needs no explanation this is expensive and time consuming.

I’m not a lawyer and not sure if a EU-Australia treaty exists but wouldn’t be surprised. It’s more complex than just having or not having a treaty.

[-] lazynooblet@lazysoci.al 2 points 4 months ago

Thank you. That is a good explanation.

[-] refalo@programming.dev 2 points 4 months ago

Basically nothing happens in most cases. In your example of a local Australian company, no they are generally not forced to comply with any EU law unless they also do business there in some way.

[+] Upstream7564@discuss.tchncs.de 2 points 4 months ago* (last edited 2 weeks ago)

[deleted]

[-] AnEilifintChorcra@sopuli.xyz 5 points 4 months ago

I spend too much time reading emails so I try to keep mine short, especially when they're going to a generic email like support or privacy.

https://gdpr.eu/right-to-be-forgotten/

The GDPR does not specify what a valid request to erasure entails. An individual can make a request for erasure verbally or in writing. This request can also be made to any member of your organization, not just to a designated contact. As long as a request meets the conditions above, it is valid, even if it does not refer to “Request for Erasure” the “Right to be Forgotten,” Article 17, or the GDPR.

There's no template to follow for a request. Once GDPR is mentioned, they usually just email back saying that they're doing it or its done.

I haven't come across any difficult companies but I've heard some make it as hard as possible and follow the Erasure Request form template in the link above and ask for proof of I.D etc

[-] MNLFNUT8YG@lemmy.world 3 points 4 months ago

And are you really sure they deleted your account? Or just saying?

[-] AnEilifintChorcra@sopuli.xyz 4 points 4 months ago

Every few months I like to clear out my password manager of any accounts I don't need anymore, usually just throwaway emails aliases.

I'll usually attempt to log into any services that I know I've deleted/requested to delete to make sure they're not accessible anymore and so far I haven't been able to log in to any of them so I can only assume my requests are working.

I suppose if a service had a data breach, after my information was meant to be deleted, and I found my information there then I'd make a complaint to my regulator about not deleting my data. I would have proof of my request and their acknowledgement of the request so it'd be pretty silly of them not to delete it after saying they did

I rarely use anything but email aliases and fake information anyway and I never let online retailers save my card information. And if my address in on my account I change it to P. Sherman 42 Wallabyway Sydney before I delete/request to delete my account.

[-] delirious_owl@discuss.online 2 points 4 months ago* (last edited 4 months ago)

Its right to erasure, not right to delete. If they did things right, they won't delete your account but delete most of your data and leave your account marked as "erased per gdpr on x day by account holder request"

[-] SnotBubble@lemmy.ml 3 points 4 months ago

It's easy to say "Del my account per Article 17 GDPR". I wrote this whole template so that other might have an easier time than I do. I posted the template here so it inspires other privacy-aware individuals to do the same. If 1 website changes their account deletion policy because of it, it's still a win.

[-] delirious_owl@discuss.online 2 points 4 months ago

Comma splice.

[-] spookedintownsville@lemmy.world 1 points 4 months ago

Even if I'm from the US, could I mention the GDPR? Would it work?

[-] AnEilifintChorcra@sopuli.xyz 2 points 4 months ago

You could chance it, but they probably have logs of your IP/location data or they bought your data somewhere and so they could check, if they cared enough, but if you're not an EU citizen and you live in an EU country then GDPR applies to you

[-] ssm@lemmy.sdf.org 1 points 4 months ago

Lying to companies isn't illegal (yet).

[-] Agility0971@lemmy.world 5 points 4 months ago

https://www.datarequests.org/blog/sample-letter-gdpr-erasure-request/

[-] SnotBubble@lemmy.ml 2 points 4 months ago

Why this ensures the account is deleted, I wanted to convince the company to improve their policy so that other people will have an easier time to delete their accounts, should they wish this. That is also why I wasn't talking "legal" and mentioned the company benefits from this.

[-] Jumuta@sh.itjust.works 1 points 4 months ago* (last edited 4 months ago)

you can't convince companies that are profit driven. They follow whatever is the best decision for profit, which is clearly not letting you delete your account because they would've done that earlier if it led to profit. This assumes full efficiency on the side of the company but if they are large enough, that means that they are efficient enough to beat the competition already.

[-] Agility0971@lemmy.world 1 points 4 months ago

A company will never do anything that is not increasing their profit. If the profit of breaking law is greater than the fine then they will do it.

What they will do, is create a button called "delete account" which will just block you from logging in. It will not delete your content. Sending an email which clearly says they're getting sued is probably the easiest option. You gotta speak their language.

this post was submitted on 30 Jun 2024

60 points (100.0% liked)

Privacy

31823 readers

118 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS