Some discouraging anecdotes on how services handle account deletions

I&#x27;ve worked for several companies and let me tell you the truth:<p>* accounts are never deleted, period *<p>At most there&#x27;s a column in the table which specifies whether the account is alive or not. That&#x27;s it.

&gt; 2 services moved my account to a different email address instead of deleting it. I was only able to detect this because they changed the mailbox part (the bit in front of the @ sign) but left the domain unchanged. I capture all incoming emails to my domain, so I saw email-change confirmation emails and other emails arriving at the new unexpected addresses.<p>That&#x27;s sketchy, especially if you don&#x27;t own the domain but you&#x27;re on a multi tenant domain like Gmail

I still get mountains of crap from a google workspace account I deleted a year ago<p><pre><code> - google play developer updates - google cloud service updates - your billing info has expired! update it now or else! </code></pre> despite the fact I can&#x27;t log into the account because it doesn&#x27;t exist<p>I suppose actually deleting anything goes against google&#x27;s DNA

Before requesting an account &quot;deletion&quot; for an account you have anywhere, <i>always</i> go through every single field and enter fictitious data. This includes adding fictitious photos and the like. The service may keep the previous iterations of the data, sure, but that&#x27;s less likely than them keeping the latest version of the data, which is almost a certainty.

The app I&#x27;m writing does this very well.<p>That&#x27;s because Apple requires it. They won&#x27;t approve my app, unless there&#x27;s a &quot;full-fat delete&quot; option.<p>If a user of the app deletes, it completely nukes their entire account, down to the last byte.

This is super duper common. Most companies that I&#x27;ve run across don&#x27;t actually have a mechanism for properly deleting accounts.<p>My anecdote: Collage.com - I tried it, was unsatisfied with the results so I requested that they delete my account under CCPA (being a Californian). They said they completed. My account was renamed from email@domain.com to email@domain.com-deleted12344843223432 . My session wasn&#x27;t even terminated, so not only could I see this, I could still see my not-deleted photos AND all the sharing links still worked.<p>I fought with them at length and their support insisted it was deleted and that this was just something on my computer. Logout&#x2F;clear cookies&#x2F;cache&#x2F;reboot and it&#x27;ll be all good. I know that&#x27;s BS.<p>Even when they &quot;escalated&quot; the issue to a manager who said &quot;Your account has been deleted and will not be reopened.&quot; - I could still take screenshots of my account homepage. At which point they stopped responding to me.

Is it name and shame time? Cause I know Walgreens doesn&#x27;t even have the option to allow you to request deleting your online account. Not an online option nor even calling them on the phone.

The company I know handles account &quot;deletions&quot; by pseudonymizing data, which is utter BS, any half-competent engineer can recover who the original person was. The engineering lead in charge realized he can get promoted by calling pseudonymization &quot;anonymization&quot; thereby fooling most, and not losing the data for the company. Those who knew he was making a mess were not included in the data deletion project, likely because it was inconvenient to hear the truth.<p>So that&#x27;s how a huge company deals with &quot;data deletion&quot;. I hope the DPA will come down on them <i>hard</i> but of course this clown will then just go and do this circus at another company, now promoted to high heavens.<p>I hate that privacy and security are full of snake oil peddlers, and it pays of extremely handsomely to be a snake oil peddler. It&#x27;s not in anyone&#x27;s interest for you to get caught (who wants to advertise their security is bad&#x2F;they don&#x27;t abide by GDPR?), so even if it becomes painfully obvious you&#x27;ve been selling snake oil, you&#x27;ll only be asked to hand in your resignation, allowing you to do the same (but at an even higher level) at another company.

Is no one mentioning how you cannot delete your account on HN? :)

The post paints a discouraging picture overall, but it does have some interesting double standards if you consider these three separate quotes:<p>&gt; It would seem there is no end to how far businesses can take white-labeling and outsourcing.<p>&gt; I’m sure engineering time to manually delete data must be more expensive in the long run than creating processes and tools for customers and customer support representatives to handle delectation requests.<p>&gt; 11 of these were smaller niche online stores.<p>If I&#x27;m a &quot;niche online store&quot;, am I somehow excused from these rules? I would think there would be a market for white-labeled online stores for niche online stores, but that&#x27;s somehow Bad™? But having an in-house engineering team develop the platform and respond to development needs as they arise (to handle the first account deletion request) is also Bad™?

Had a similar terrible experience with crypto.com. After the MFA and stolen digital assets debacle earlier this year, decided to [hard&#x2F;soft] delete my account with them. The company has a very complicated process for account deletions which involves having the account owner send a picture of themselves holding a sign. The picture must meet several criteria in order to be accepted.<p><a href="https:&#x2F;&#x2F;help.crypto.com&#x2F;en&#x2F;articles&#x2F;3640569-how-to-close-crypto-com-account" rel="nofollow">https:&#x2F;&#x2F;help.crypto.com&#x2F;en&#x2F;articles&#x2F;3640569-how-to-close-cry...</a> (note: as of today the link to their selfie requirements is dead)<p>The entire process took 45 days to resolve because their e-mail support is fucking terrible.

I had a service provider delete the hosted graph databases I used for my startup demo that even had some past consulting client data in them, while still continuing to charge me for several months for the service. Since I didn&#x27;t believe anyone actually deleted data, I asked for a download of it, and they insisted it was actually deleted. It was absolutely shadey. Tainted my view of that technology as well.<p>Valuable lesson was next project I will likely have to figure out how to effectively shard and round robin containers across diverse cloud providers, as I don&#x27;t forsee ever affording to be able to be treated that poorly again.

I guess it can get complicated, but most of the software I&#x27;ve written I gracefully handle missing user relationships so that it&#x27;s possible to delete the user. I wouldn&#x27;t be surprised if a lot of these circumstances are just because the software can&#x27;t handle a missing user relationship, nothing nefarious. Stupidity before malice and all that.

My favorite in the bad old days was ETrade. They wanted money to delete your account - $80! Fortunately they had an &#x27;ETrade checks&#x27; feature, so I wrote myself a check on my account for the entire total, directed their email to the trash and threw their snail-mail away for 2 years before it dried up.

Thanks for that overview! I still don&#x27;t get it how businesses even in these days can make it hard for you do delete your account.

&gt; The last successful request was processed 71 days after the first email. The GDPR doesn’t define “without undue delay”, but I’m fairly certain that it requires companies to not stall for over 10 weeks.<p>Having worked at a couple of cloud companies... the GDPR deletion timeline within our systems was 90 days. I assume that legal had vetted that timeline.

I wonder how this is supposed to work with workplace apps such as Slack, especially with regards to GDPR.<p>Say I am leaving my job, and want my personal information to be purged from this 3rd party service (Slack). They say [1] <i>&quot;Primary Owners of a workspace or org must contact Slack to request deletion of a deactivated member&#x27;s profile information.&quot;</i>. What if I contact the &quot;Primary Owner&quot; before leaving my job and they ignore my request, or better yet I have already left my job and I don&#x27;t know how to contact them or who they are? Why can&#x27;t I request my personal information to be deleted from a completely 3rd party American company&#x27;s database myself?<p>[1] <a href="https:&#x2F;&#x2F;slack.com&#x2F;help&#x2F;articles&#x2F;360000360443-Delete-profile-information-from-Slack" rel="nofollow">https:&#x2F;&#x2F;slack.com&#x2F;help&#x2F;articles&#x2F;360000360443-Delete-profile-...</a>

Data once out is out. Period.<p>Try telling a friend a sufficiently spicy secret and then tell me there&#x27;s a delete. It&#x27;s just as much a falsehood as imagining you can un-break a window.

It’s software not magic. We focus on the happy path … there is rarely maligned intent here it’s just a matter of focus… I’d say if gdpr did any good it was in forcing many to be like fine we’ll devote resources to deleting data we’d otherwise probably only brother to if our db size became too big to deal with… it’s the build big and sell to someone else to deal with problem … we just don’t focus on the negative less fun problems

Part of this is leftover tech culture from Facebook&#x27;s early focus on Growth, Growth, and more Growth. Allowing for easy deletion of accounts was fundamentally at odds with user growth.<p>It&#x27;s refreshing to see that tech is now heading in a more socially responsible direction, but the industry still has a long way to go.

Is it possible in Germany to file a GDPR violation against vendors who outright refuse deletion or fail to comply otherwise?

Many companies just as some bodyguards to the login email

It is a function of incentives and punishments. The nature of the company you are in and the risk the org is willing to bear plays out. I work for one that puts in a lot of effort to get rid of all the user data if they request a deletion based on the laws of the country they are from which we can expand to any user as needed. Whenever we have found gaps in our existing data storage, we go back and really try to clean it up. However there is a lot of legacy that surfaces out time to time.<p><pre><code> The reality is doing this is messy and is going to remain so for some time. One cannot suddenly start after years of no incentives in the online economy to do this and get to cover all areas without huge cost. This requires giving up competitive advantage today. Mid to small organisations that were beyond startup state but not yet having 1000&#x27;s of engineers, which have to balance growth and operational aspects are left in the most difficult situation. As the laws started taking hold, their incentive structure is still not fully aligned with this as the digital economy does not yet reward them for this enough nor does enforcement create a large enough risk yet. Same thing plays out with some of the larger orgs, just that they have more lawyers to help them stall this as humans are always biased to keep the status quo if it is beneficial to them. Personally I think we&#x27;ve had a start but its going to take some time to get to where we need to be. I really applaud the idea of the privacy laws and the intent behind them. Its just that one has to recognise we won&#x27;t be getting to a state of good behaviour within a few years after a couple of decades of not having those requirements baked in from the get go. Old habits have to be replaced as well. The enforcement is hard and that will be something that has to be bubbled upwards from the ground up by users themselves to create a digital economy where consumers&#x2F;users reward those that respect their privacy. It is just not yet that way today, so why would the organisations change? The risk is low as enforcement is hard and the user demand is not enough. Most successful would be attempts by large organisations such as Apple and laws like GDPR which forces developers and companies to change their thinking. By asking for change and continuing to iterate on that you can start seeing a slow move towards development practices that will have privacy by default. You need the whole chain of actors to move towards this: The product managers, the engineering leads and architects, the decision makers, the risk assessors. Once enforcement is more steady alongside more demand from users the balance will come. All of this moves slowly whether we like it or not. </code></pre> (edit - grammar and made some long sentences shorted)