How to not design your data deletion process
If Mine is to be believed, I've submitted roughly 300 data deletion requests over the last week or so. From multi-national consulting firms to Taco Bell's merch store, over the years I've given countless companies some amount of my personal data. That said, whether the company is big or small, protections I get as a resident of California often afford me the ability to have some control over how this data is used, and subsequently if and when I can have it deleted.
Mine automates a lot of the deletion process. It's a simple but quite brilliant idea - 9 times out of 10, when we sign up for a service, mail about that service (and about the data it may request) lands in the inbox. By hooking into the inbox and reading the relevant headers, one can work out which services someone uses. A number of shadow-IT discovery tools estimate overall spend by doing exactly this. Note that this means granting the tool read access to your mailbox, which is itself a trust decision. Where Mine really earns its keep is in automating the deletion request itself. Users are given the option to "reclaim" their data, which sends a deletion request under GDPR / right-to-be-forgotten / choose-your-favourite-privacy-framework-here.
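To make the header-based discovery step concrete, here is an added example of how such an inventory can be built from message headers alone. This is illustrative code written for this post, not Mine's implementation or any shadow-IT product's; the sample messages, the `.example` domains and the lists of personal mailbox domains and automated local parts are all constructed assumptions, and the registrable-domain logic is a deliberately naive placeholder for a Public Suffix List lookup.

```python
"""Inventory the services that e-mail an inbox, using only message headers.

Added example: a minimal version of the header-based discovery that the post
attributes to Mine. Not Mine's code; all inputs below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Mailbox providers that identify a person rather than a service. Anything
# sent from one of these is skipped. Constructed starter list, not exhaustive.
PERSONAL_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}

# Local parts that almost always belong to automated senders. Constructed.
AUTOMATED_LOCAL_PARTS = {
    "no-reply", "noreply", "notifications", "orders", "billing", "hello", "news",
}


def registrable_domain(host: str) -> str:
    """Collapse a sending host to its registrable domain.

    Naive last-two-labels heuristic (assumption); production code should
    consult the Public Suffix List so that e.g. 'shop.example.co.uk' is not
    reduced to 'co.uk'.
    """
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_address(msg) -> str:
    """Bare lower-cased address from the From header ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.lower()


def is_service_mail(msg) -> bool:
    """Header-only signals that a service, not a person, sent this message."""
    addr = sender_address(msg)
    local, _, host = addr.partition("@")
    if not host or host in PERSONAL_MAILBOX_DOMAINS:
        return False
    return (
        local in AUTOMATED_LOCAL_PARTS
        or msg.get("List-Unsubscribe") is not None
        or msg.get("List-Id") is not None
        or str(msg.get("Precedence", "")).lower() in {"bulk", "list"}
        or str(msg.get("Auto-Submitted", "no")).lower() != "no"
    )


def inventory(raw_messages):
    """Map registrable domain -> {'messages': n, 'senders': set, 'subjects': [..]}.

    Only headers are inspected; bodies are never read.
    """
    found = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        if not is_service_mail(msg):
            continue
        addr = sender_address(msg)
        dom = registrable_domain(addr.split("@", 1)[1])
        entry = found.setdefault(dom, {"messages": 0, "senders": set(), "subjects": []})
        entry["messages"] += 1
        entry["senders"].add(addr)
        entry["subjects"].append(str(msg.get("Subject", "")))
    return found


def deletion_targets(found):
    """Domains to send deletion requests to, busiest sender first."""
    return sorted(found, key=lambda d: (-found[d]["messages"], d))


# Constructed sample mailbox (not real mail). Each string is one RFC 5322 message.
SAMPLE_MESSAGES = [
    # Service welcome mail, flagged by its List-Unsubscribe header.
    "From: Cloud Storage Co <no-reply@cloudstore.example>\nTo: me@example.com\n"
    "Subject: Welcome to Cloud Storage Co\n"
    "List-Unsubscribe: <https://cloudstore.example/unsub?u=abc>\n\nHi there\n",
    # Order confirmation from a merch store subdomain, flagged by local part.
    "From: Merch Store <orders@shop.merch-store.example>\nTo: me@example.com\n"
    "Subject: Your order #1234\n\nThanks for your order\n",
    # Personal mail from a friend: skipped by mailbox domain.
    "From: Alice <alice@gmail.com>\nTo: me@example.com\nSubject: lunch?\n\nfree today?\n",
    # A human at the service with no automated signal: skipped by this heuristic.
    "From: Dana <dana@cloudstore.example>\nTo: me@example.com\n"
    "Subject: Re: question\n\nSure, happy to help\n",
    # Security alert flagged by Auto-Submitted (RFC 3834).
    "From: security@cloudstore.example\nTo: me@example.com\n"
    "Subject: New sign-in\nAuto-Submitted: auto-generated\n\nA new device signed in\n",
]


if __name__ == "__main__":
    found = inventory(SAMPLE_MESSAGES)
    for dom in deletion_targets(found):
        print(dom, found[dom]["messages"], sorted(found[dom]["senders"]))
```

The output for the constructed mailbox is the two service domains, with the Gmail sender and the human at the service left out. The obvious limits of the heuristic are visible in the samples: a real employee writing from a service domain is not counted, and a service that sends from a personal-looking address with no list headers is missed, so a real tool layers more signals (sending IP reputation, DKIM signing domain, known SaaS sender lists) on top of this.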
But Mine (while fantastic) isn't what makes this process interesting, at least for me. Of the many responses I've received, a few critical trends emerged.
Companies largely fell into four groups:
- We're a large multi-national who vaguely knows what they are doing
- We're a large multi-national who has no clue what they are doing
- We're a small company who takes security and privacy seriously
- We're a small company who doesn't understand privacy fundamentally
For the sake of this post, examining the companies that know what they are doing is largely out of scope. Many privacy teams across the globe have managed to build robust privacy frameworks which let consumers feel safe about the data they provide when interacting with a company. I spoke with many privacy managers who provided incredibly detailed summaries of what data was held, when it would be deleted, and exactly how this would happen. Many services, such as Dropbox, took the side of user privacy: when a deletion request arrives as part of a normal flow (e.g. deleting one's account through regular means), the data is deleted in compliance with these privacy laws, with no separate request needed. Companies adopted relatively robust frameworks, allowing for some level of self-service. Those who did so tended to select a single provider for this, which for the sake of this blog post I will omit naming.
On the flip side, not everything went this way. Many large multi-nationals had no clue that I could even request this, bouncing requests between departments until eventually realising that they weren't quite sure how to answer. Many asked me which data I had given them, which rather defeats the point of knowing what data you hold on people. Asking me for a detailed account of my information in order to get you to delete any of my information... feels off.
I'm incredibly curious what others have seen in this space. Whether you're working in privacy or not, if you've got any ideas, I'd love to hear them!

© Jonathan Haas.