PSA: HelloFresh doesn't delete data when asked, only changes the email address
Asking HelloFresh to delete your data will simply result in them changing the email address on your account to hellofreshcustomer-<customer id>@hellofresh.de
Your account showing your name, address, credit card, etc can still be accessed whilst the token stored in the cookie is still valid
53 comments
[ 3.0 ms ] story [ 85.5 ms ] thread""" “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month.
"""
The only issue here is HelloFresh not properly telling its customers how long it takes for them to actually delete the data.
For accounting/tax purposes, you need data up to typically 7-ish years ago, but isn’t that data typically online nowadays so that it will end up in today’s backup?
Even if they still have the bits from an old backup, they should have thrown away its encryption key.
If you're keeping data for years, it's an archive and not a backup.
It's better to disassociate the customer info and maintain the other links - unless there is an obligation to do so otherwise (unfamiliar with gdrp nuances)
Randomizing multiple foreign keys at the same time is interesting though. Is it really necessary if the company isn't intentionally being malicious trying to maintain and advertise to the requesting individual ?
Data is (at least a big part of) their business and they don’t further that end by removing data.
Of course it’s shitty, but it’s industry standard practice. It’s similar to the Facebook shadow profile you have when you don’t even have a Facebook account: you can ask them to delete your direct data, but they’ll never remove the implications they learned from that data.
Atlassian maybe could have used that ...
It does bring up an interesting idea, how many people use unique emails for each company to track spam. If something like that was possible for shipped goods (wouldn't work well for food but that is the exception). I would gladly add a couple days of transit time and pay a bit to catch the companies selling my information.
https://www.usps.com/business/web-tools-apis/
Probably not a lot, but Apple's "Hide my Email" feature is now native to iOS and should in theory make this fairly easy to do. I do this _occasionally_ when signing up for new sites.
Doesn't fix everything that already has my email, but I am hoping it helps to expose companies that sell data more. It is hard to hide behind "well maybe you accidentally did it" when I don't think there is a way on iOS to use the same email in multiple places?
But then you start to realize what happens to your info. If I buy running shorts from Nike I'll start getting junk mail from running and fitness brands to my home address. If I back something on Kickstarter I get spam coming from other Kickstarter campaigns.
Lately I've started reading privacy policies more than signing up. Here's something from Pelotons policy on what they collect:
> Voice and Likeness: Your visual image, likeness and voice recording (e.g., via photographs, video and/or CCTV) if you visit our studios and/or showrooms or participate in live studio classes. Additionally, Peloton fitness equipment and the Peloton App may contain a camera, microphone and voice control features. These features are in use only when activated by you, for example, to use the Peloton Guide, to take a Peloton user profile photo or to initiate or accept a video chat from another user and, for usage of the Peloton App, any device settings that you have activated.
For gmail and fastmail, you can use jim+xyz@gmail.com and change the xyz for every new email signup.
Also it would be very easy for a scummy site to just remove the +yyy part and the rest will still be a valid gmail address.
Catch-all are working but still WIP for the primary domain part due to a bug with the Google workspace provider. https://github.com/politician/barissat-infra/issues/2
Did you try reaching out to HelloFresh about this? At our company all GDPR requests are manually serviced. You can likely get a human being to respond.
I wonder if engineers who built and have knowledge of these systems could anonymously disclose/leak details of violations to a site pairing them with other engineers. The other engineers could submit a GDPR forget-me request, which the company wouldn't be able to fulfil, and then people could complain to the national regulators with specific instructions on how to find said not-actually-deleted information. Obviously it would violate non-disclosure agreements, but I'd imagine that would get companies to clean up their act fairly quickly, or at least it would if the national regulators had more teeth.
A disgruntled former employee makes a GDPR request, etc.
Suppose HelloFresh found out they should give you a refund after you deleted your account. Would they need the credit card to do that?
Or they could call you and ask.. oops now they need your phone number
etc
A one way hash of PII, salted, stretched, this is enough to verify identity but also doesn't keep the PII directly (I know only 8 billion people on earth is not enough entropy. Still you make a legal effort and segregate it from your network)
However OP talked of master data. That should be removed when user asks to delete their account.
No, it's not uncommon to "tombstone" data, but when you do that, you should remove data you have no rights to any more. Order numbers, accounting, payments that sort of stuff is all fair game (for limited time), but the point here is it appears they're not deleting anything, they're just moving it to be inaccessible to the user.
They keep the data. And that's a) scummy and b) illegal in several jurisdictions.
> Your account showing your name, address, credit card, etc can still be accessed whilst the token stored in the cookie is still valid
> name, address, credit card, etc.
Convenient and interesting as they are, you have to do your own maths and adjust portion sizes accordingly. By the time you've done that, it's easier to just cook something you're used to cooking @500kcal.
https://twitter.com/oliw/status/1490985345521172482
They do the same, and you can check, go make an account with your e-mail, and then ask to delete it, they just change it to name@domain.com-wrongpleasefix
You can no longer log in and the account is still there.
Since I have an catchall for my own domain I received spam on those addresses after they lost customers data.