This is part 2 of a blog about a personal data experiment we undertook. In part 1, we downloaded our Facebook accounts in order to find out which companies held data about us.
The next step was to contact those companies and exercise our data privacy rights under GDPR. I'm sure by now you know all about GDPR - right?
'Advertisers with your contact info'
In the Ads section of my Facebook download, there were a number of companies listed as having my contact info (whatever that means).
Most were companies I had never knowingly signed up to or purchased from, and none were listed in Facebook ads I had clicked, so I was curious why they had my data at all.
The first step was to find out how to get in touch with them, as Facebook provided no links or contact information.
Round 1: tracking them down
I googled each company and looked for their privacy statements. These are usually one of those links at the bottom of a website that no-one ever reads. It was interesting to see which companies performed well in this first step, as part of GDPR is making it easy for customers to find and understand their data rights.
There's a maximum score of 3 in this section:
- 1 point for having a privacy policy at all on the website
- 1 point for clear and easy-to-understand wording in the privacy policy
- 1 point for a dedicated point of contact for data access requests
This is how my advertisers measured up in the first round:
- Bed Bath & Beyond: 3
- Deliveroo: 3
- Demi Lovato: 3. I'm clearly not a fan as I had to check who she was! The privacy policy on her website links to Universal Music Group, who I contacted.
- Fiverr: 3. Just! The privacy policy is a bit on the long side at over 4000 words.
- Just Eat UK: 3. The privacy policy is over 4000 words but it's detailed and specific.
- thredUP: 3.
- Airbnb: 2. Yes, they have a privacy policy and an email contact, but it's at the end of 13,000 words of legalese which doesn't count as easy to understand for me.
- CareerBoutique: 2. Not a very user-friendly privacy policy, and the contact was a generic info@ address.
- Fabletics (including Kate Hudson and Fabkids.com): 2. The privacy policy is easy to find and clear enough, but the contact details are a street address. I would have deducted an extra point if I'd had to write them a letter but I was able to contact them through Twitter.
- Spotify: 2. Their privacy policy is long but fairly clear, the main problem is there's no point of contact - you can only exercise data rights by logging into an account. I didn't have an account (as far as I was aware) but Facebook was telling me that they had my details.
- Ahalogy Partners: 1. This is one of those brands that get my back up straight away because I don't know how to pronounce it: Aha¡ogy. I couldn't find their privacy policy by browsing their site, I had to google for it. The privacy policy was fairly brief but didn't tell me a lot, and their contact was a generic info@ address.
- PediaSure US: 1. Facebook said that it was the US company that had my contact info, but their privacy policy only applies to US residents and their contact route was a form which required lots of personal details including name, address, phone and email. Ironic for a query about personal data, no? I contacted them through Facebook instead.
- JobHat.com: 1. The privacy policy looks suspiciously like the one on CareerBoutique and a contact email doesn't count if it bounces back (as does the only other email displayed on the site). Dead end for this one, unfortunately.
Round 2: the responses
I sent a standard message via email or Twitter/Facebook where a contact email wasn't available:
According to the information I have downloaded from my Facebook account, your company has my contact info as a result of previous adverts you ran in Facebook.
As an EU citizen with rights under GDPR I would like to know:
- what information you store about me
- why you are storing or processing it
- how long you will be storing it
Thank you in advance for your co-operation.
In this section, 3 further points are up for grabs:
- 1 point for responding at all
- 1 point for answering my questions
- 1 bonus point available for a detailed response
This is how my advertisers measured up in the second round:
- Bed Bath & Beyond: 3
Full marks for a truly positive experience. After an exchange of emails I was asked to ring a US phone number. I declined, so they rang me and I had a friendly and thorough conversation about how they could have ended up on my list and what details they might have. This took place a mere 7 days after my initial enquiry. Customer Service made a report and passed it on to the IT department who responded:
Thank you for your inquiry regarding whether Bed Bath & Beyond has stored information about you. We have reviewed our records and have not identified any information that matches the personal identifier that you provided to us (e.g., your email address). If you would like us to search for information that may be stored under a different identifier (e.g., a different email address that you might use with Facebook) please let us know. - Demi Lovato (Universal Music Group): 3
Another good experience. Less than 2 weeks after my enquiry I was sent a spreadsheet containing a complete record of my data including my details stored and purchase history that had caused it. It turned out the trigger was buying 'Wallace And Gromit The Complete Collection DVD' and as a result, I had been tagged with genres Pop-Kids and Other-Film Soundtrack. I'm not sure how that led me to Demi Lovato, but there you go. I requested erasure and after a short delay and reminder email, was told:
The request was received and the erasure was completed. I have confirmed that we no longer hold personal data about you with the exception of these emails and our compliance records. These emails will be deleted in approximately six months to account for any follow-up requests or concerns. - Fabletics (including Kate Hudson and Fabkids.com): 3
The most detailed response, and really interesting to find out how advertisers and Facebook share information in order to collaborate. This was top notch customer service which went the whole nine yards to explain how they came to be on my list of advertiser. The extra step of offering to erase my IP address was particularly impressive: under GDPR, IP address and Device IDs are considered personal information.
After some research into our database I can inform you that we don’t directly hold any information on you. Apart from your Name and Email Address which was communicated to us by your request.
What we do use, are technologies, such as cookies, to customize content and advertising, to provide social media features and to analyze traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners, such as Facebook. Through these cookies or pixels IP Address and Device ID may be forwarded to Facebook. The pixel fires the information using a hashing technology developed by Facebook.
If you like I can start the process of having your IP Address and Device ID deleted. In order to do so I would need you to provide me with the ID itself since we don’t have a way to connect your Name to the IP Addresses or Device ID that was forwarded to Facebook. -
Spotify: 3
Although they were difficult to track down initially (I had to tweet @SpotifyCares) the end result was very helpful. Here's a screengrab of my chat (click to see the full conversation) where they explained that I had a Facebook-created Spotify account which they deleted for me. I really liked the friendly, helpful tone of their support throughout. - Deliveroo: 3. Over a month later, and after a reminder email, I still hadn't received a response or even an acknowledgement of my request.
Update #1: 6 weeks after the initial request I received a response:
I'd like to apologise for the delay in processing your request.
We wanted to let you know that Deliveroo has received a huge flood of requests since the GDPR came into force on 25th May, which is why there has been a small delay in our response to you. We want to reassure you that Deliveroo takes your privacy extremely seriously. Thank you for your patience and understanding during this time.
Our team will be in touch very soon to verify your identity and progress your information request.
Update #2: nearly 3 months after the initial request I received another email, this time with all my data. There was a PDF about understanding my data, and a zip file containing 6 spreadsheets containing different types of data and a PDF of my email conversation with Deliveroo. The response took time, but it was fully comprehensive. I would always prefer a carefully considered reply that takes time to collate rather than a quick, meaningless response (compare Just Eat UK below).
I initially scored Deliveroo zero but I've upgraded them to full marks. It would have been nice to have the acknowledgement sooner but I can't fault the data they finally sent over. - Fiverr: 2
It took a few emails back and forth but eventually I received this email which confirmed they held no identifiable data. Their communications were courteous and polite, but they haven't scored full marks because while the explanation is sufficient it's not detailed:
Since you have not opened an account at Fiverr, Fiverr does not have any data or information associated to your e-mail address listed below. Fiverr, as an advertiser on Facebook, may have received certain non-identifiable information from Facebook, but Fiverr is not able to associate such data to you or to your e-mail address. In fact, Fiverr first received your e-mail address upon your request below. - Just Eat UK: 2
After a month I received this bare-bones response which answers the question but no more.
Having searched our systems, we cannot find any information related to the email address provided.
Should you have any further information which we can use to search your details, please feel free to respond with this information in order for us to look into this for you. - CareerBoutique: 2
I grudgingly give 2 marks for this rather sniffy response:
We are a U.S.-based company and provide our services only to U.S. users. However, we are happy to address your question.
We have searched our systems and records for your data and we verified that we do not have any information associated with your email.
We have located in our systems information relating to users who registered with us using a similar email address, but we are comfortable that they are US registrations given the other information provided.
If you have registered an account with us using U.S. information and/or a different name, can you please provide your full name, residential address, and phone number that would help us confirm if any of those registrations relate to you? - Ahalogy Partners: 2
I had to chase, but got this reply which echoed what Fabletics had said about Device IDs. The response was brief, but there's a nice reference about data retention period.
Thank you for your inquiry. We are not storing any information about you beyond what is contained in this email exchange. When we run media campaigns on Facebook the only personal data we receive and process is the individuals’ Devices IDs for audience segments; this data is only retained for the duration of the media campaign and is deleted once the campaign has ended.
- PediaSure US: 1
This is a response, but I don't think it's an answer to my question.
If you would like to provide your email and mailing address we can check our marketing program to see if you're enrolled. Otherwise, we don't have access to your information. You can find out more about how Facebook targets its ads here: https://www.facebook.com/ads/about/?entry_product=ad_preferences - thredUP: 1
I got an acknowledgement and an initial response.
I'm reviewing your request with additional parties and will followup with you as soon as possible. Thank you in advance for your patience, and let us know if you have additional questions in the meantime.
After a reminder email, I received the following.
My apologies for the lack of followup on my end! Please be assured that your thredUP account information was deleted per your request. If I can provide any additional service please do not hesitate to ask.
While I'm glad there's no longer an account associated with my email, I hadn't asked them to delete it (yet). I still don't know how that got set up and what other data was in it. - Airbnb: -1. How is this possible you ask? Over a month later, and after a reminder email, I still hadn't received a response or even an acknowledgement of my request. Now I have an Airbnb account so it should be pretty easy for them to find me in their records. When logged in I can't find any way of downloading my account (there is an option to delete) but while I was going through my settings, I found this sneaky screen which had both boxes pre-ticked. If you have an Airbnb account, I recommend you check your settings! The worst part is being listed on Bing.
Update #1: 6 weeks after the initial request I received a response asking for confirmation that I wanted erasure of my data. No! I confirmed I wanted data access and was told that I needed to send proof of identity. After emails back-and-forth - with me complaining that there was no point proving that I had a name which is shared by thousands of people - I was told:
As an alternative to providing us with a copy of your government ID, to verify your identity as the account holder, please log into your account within the next 3 days.
Apparently, this was sufficient to send personal data to the email address I was corresponding from.
Update #2: a couple of months after the initial request, I received my data from a "Legal Ireland" email address in the form of a password-protected zip file containing a spreadsheet. The password was sent in a separate email. The spreadsheet contains 7 tabs: profile, searches, activity log, customer service, notes, account security and photos/ID. The majority of the data is in a particularly unfriendly format: it looks like it's come straight from a database, field names and all, and the profile data looks to be in JSON. There's no guide as to how to read the data. The only saving grace is the photos/ID tab does include the proof of identity scanned images that I've had to provide to AirBnB.
Based on this, I could amend AirBnB's score to at least 0 if not a 2 out of 3 but it was such a painful process and I'm dissatisfied with the final data so I'm not going to. My blog, my scores!
Final scores
With all the marks in, the final scores out of a potential 6 available points were:
- Bed Bath & Beyond: 6
- Demi Lovato: 6
- Deliveroo: 6
- Fiverr: 5
- Fabletics (including Kate Hudson and Fabkids.com): 5
- Spotify: 5
- thredUP: 4
- CareerBoutique: 4
- Ahalogy Partners: 3
- Just Eat UK: 2
- PediaSure US: 2
- Airbnb: 1
- JobHat.com: 1
Well done to all those with 5 and 6. There's some room for improvement but they gave great customer service.
Those scoring 3 and 4 are scraping by. It's all well and good to have a privacy policy but you have to follow it up with actions.
For the others, do you really need a reminder about the possible penalty under GDPR? Whichever is highest out of 20 million Euros or 4% of annual global turnover.
Conclusion
In fairness, this was a tricky request because it was about data collected via a third party (Facebook), no indication was given about what contact info was being held or how it had been collected it. Many of the advertisers were as confused as I was about how they ended up on my list. The only thing that I had to go on was the email address associated with my Facebook account.
Facebook has met its responsibilities in allowing account holders to download their data, but the Ads section raises more questions than it answers. Facebook needs to be clearer in explaining how our accounts relate to advertisers.
In checking for my personal data, many of the advertisers valiantly checked their records and some went the extra mile to suggest ways that they could have ended up on my list. However, responses across this small sample were really varied and several responses (or lack thereof) were totally inadequate.
For companies like Just Eat and Airbnb, I'm particularly disappointed to find that they aren't yet ready to deal with data access requests in an acceptable manner. That could be a costly mistake if it's not addressed soon.
I recommend downloading your Facebook account (if you have one) and making data access requests under GDPR (if you are an EU citizen). It's your data and your legal right, so take control!