The use of my private information has long bothered me. I probably rank high on the scale of those who take measures to push back against recommendation engines and online advertising. However, I have not done much about the right to be forgotten. Never did anything, that is, until I took the OpenMined course “Our Privacy Opportunity”, provided by a skillful team led by Andrew Trask and Emma Bluemke of Oxford University, and containing masterful guest appearances by academics and business leaders.
One of them is from the CEO of saymine.com, Gal Ringel, who gives a succinct and pithy overview of GDPR and its effect around the world. He piqued my interest. I am very aware of GDPR and CCPA, and have exercised my right of access to personal information several times — most recently, downloading all my pictures from Google Photos. But I’ve always found it a bit daunting to exercise the right to be forgotten.
Ringel explains that some 350 companies and institutions hold information about each citizen on average, and in the US, that figure climbs as high as 550. I am careful about my “PII”, personally identifiable information, and try to clean up after one-off transactions by deleting my profile. But frankly, there’s quite a bit of friction involved, so I knew that my internet contrails were many and long. I decided to use saymine.com and investigate.
Sure enough, in my case the number of companies having my email address was 320. Saymine.com offers automation to request and track the right of erasure, and claims to have handled over 1.5m successful erasure requests, so I ploughed forward. In less than half an hour, I completed my analysis. There were some organisations that I still need services from — online services like Slack and Amazon, a handful of financial and utility companies, plus a long tail like Starbucks, OpenTable and Toastmasters. There were approximately 100 of these still-useful organisations — a number that feels high, but it’s real — but the other 220 were no longer useful, providing nothing but 220 security risks, and some of them I remembered nothing about. And so I started to trigger 220 erasure requests.
It’s been quite an experience so far!
Firstly, a lot of companies have not replied — some 50 of them. There may be genuine reasons for that, for instance they may be out of business or perhaps saymine.com sent the request to the wrong email address. Dealing with these is going to take time, something I have not prioritised yet.
But the vast majority did reply, and in many different ways. The slickest were those with automated systems that provided full and clear instructions to exercise the right of erasure. Examples are Dropbox, Mathworks, Twitch and Zillow. Mathworks, by the way, was a blast from the past. I tried MATLAB eons ago, and I forgot I had an active profile with them. Kudos to this group of organisations for their automation and expediency.
There were several others who did not have automated reply systems, but who facilitate the right of erasure professionally and smoothly. These include airlines like easyJet and Qantas, and hotels like NH and Meliá. All provided impeccable service, including a useful explanation of any flight or pernoctation data that they were obliged to retain and for how long.
Then, there was a large set of companies who triggered a manual support ticket that landed on a support rep. There were companies with excellent and prompt replies composed by skilled reps, like Amadeus and Scoop. But the majority put me through a litany of time-consuming steps, and I am in the middle of dozens of them. For instance, Disney, after some delay, sent me a lengthy reply where I had to select the right hyperlink to a microsite that I had to navigate to get to the right form. That triggered another email where I had to click and go through four captchas until they only acknowledged having received my request of erasure. Not great, particularly since I absolutely detest annotating traffic lights and crosswalks free of charge. HPE and Cisco put me through a similar process, and HPE’s is broken: I have twice received an acknowledgement followed by an error message. Netflix at first did not reply, and upon chasing they sent a manual reply indicating that my PII had been removed.
Next, you have the clueless. I hesitate to name names because my intention is not to shame anyone, but there is this car rental company that tries harder indeed because I have been put in contact with three different departments, all trying to find where my PII is stored. And then there is a top class Californian university, named after a XIX century railroad magnate, who initially asked for my help to try to find my information in their many databases holding PII (“were you an employee? were you a student? undergrad?” etc), and then advised me that they do not have to grant the right of erasure because they are a non-profit institution. Talk about a cop-out (they are technically correct under CCPA; no such exception exists under GDPR). Both organisations are courteous and responsive, but unskilled and unprepared to deal with the right of erasure.
And finally, you have those who do not respond, whose processes are broken, or who do not understand their obligations. Iberia hasn’t replied yet. Priceline’s hyperlink to request the right of erasure got me a “404” page not found. Moneygram replied tersely that my request had been denied, without explanation; after a strongly worded reply, they provided one.
In summary, exercising the right of erasure and protecting our privacy takes effort. Many companies are unprepared, staff is not trained and processes are brittle. But when it works and I receive a confirmation that my PII has been removed, I get a sense of lightness, like progress has been made. Fighting for my rights is going to be a journey, and I’m glad I got started.
PS: Have you exercised the right of erasure yet with any companies? If you have a story to share, please include it in the comments below.