I set out to purge my password manager for unused accounts and services. I also took the opportunity to request that the companies that stored that data should delete it. The results were quite discouraging.
The General Data Protection Regulation (GDPR) came into force in May 2018. It gave European Union (EU) and European Economic Area (EEA) citizens many new rights, including Article 17: [the] Right to erasure. Article 17 gives citizens the right to have companies delete their personal data.
In late May 2021, I decided to clean my password manager vault of unused accounts and services. I had 421 entries in my password manager and managed to get it down to 297. It took 5 hours and 10 minutes to go through the 124 unwanted entries and figure out how to request their deletion. I also spent at least as much time over the following weeks just following up on deletion requests.
The experience was a mixed bag. I gathered some statistics along the way, and I’ll share some highlights in this article. I won’t name and shame any companies, sorry.
Many services have self-service account deletion tools, but often hide them so well that I failed to locate them without deferring to their customer support. On average, it took 24 interactions (menu clicks, password entries, etc.) after an initial login to request and confirm a deletion request.
87 services deleted my account within seven days without too much fuzz, sketchy practices, or long email threads. That represents 70 % of my account deletion requests. It’s not great, but I’m fairly certain the number would have been much lower before the GDPR.
58 % of emails related to account deletions (confirmations, verification, etc.) went into the spam folder. The primary cause was that the sending-server wasn’t included in their domain’s Sender Policy Framework (SPF). This configuration mistake makes the emails appear forged. These services have paid less attention to these emails compared to other emails.
I’d previously tried to delete 48 accounts in an earlier purge in June 2018. These were still active despite either having been confirmed as deleted or having the deletion request go unanswered. (I didn’t record enough data to separate the two at the time.) Only 9 of them got deleted this time around.
28 services that had confirmed the deletion of my account lied. My username and password still worked one week after the time of the supposed deletion. 27 of these never got back to me when I contacted their customer support departments and re-requested that they delete my account.
24 services kept sending me promotional emails for at least three months after deleting my account. I have never agreed to any of these services sending my promotional emails at any point in time. The number should have been 0 before deleting my accounts, and it should have remained 0 afterward.
21 services ignored my deletion request and never got back to me. I’ve reached out to all 21 one more time after the initial contact, but I still haven’t heard back. 11 of these were smaller niche online stores.
18 services spent 14 days or longer to delete my account. The last successful request was processed 71 days after the first email. The GDPR doesn’t define “without undue delay”, but I’m fairly certain that it requires companies to not stall for over 10 weeks.
16 services automatically created a separate account for me in their customer support system when I requested an account deletion. All but two of them managed to delete my account in the end, but none of them managed to delete the new and unwanted customer support account.
12 services confirmed my request and clarified that it would take some time as their engineering team had to go in and manually delete it from the database. I’m sure engineering time to manually delete data must be more expensive in the long run than creating processes and tools for customers and customer support representatives to handle delectation requests.
10 deletion request emails were met by utter confusion on the other end. The support representatives couldn’t understand my request. No amount of explanation made any difference. Only one of these ended up deleting my account.
8 services responded to support requests to delete the account, but I couldn’t read the reply because they required me to log in to the deleted account to read the reply. It would seem no one has ever tested this process.
6 services replied through a third-party vendor and didn’t identify the service they acted on behalf of. I was able to identify the first-party service because I use a unique email address for each service. It would seem there is no end to how far businesses can take white-labeling and outsourcing.
3 services insisted I didn’t have an account on file with my email or customer number. I was met by radio silence when I sent them a screenshot of the account dashboard clearly showing I was logged in to an account with that email address or customer number.
I rechecked every deletion while writing this article. In the intervening 10 months, 2 services had restored my deleted account. I presume they’ve had to restore from an earlier backup or something. I’ve emailed both service providers about the issue, but haven’t heard back from them.
2 services moved my account to a different email address instead of deleting it. I was only able to detect this because they changed the mailbox part (the bit in front of the @ sign) but left the domain unchanged. I capture all incoming emails to my domain, so I saw email-change confirmation emails and other emails arriving at the new unexpected addresses.
1 service didn’t respond when I confronted them about only having changed the email address on my account. The other explained that they’d “deleted my account” but also “moved it to another email address”. This was in order to prevent me from receiving any emails from them in the future. Their definition of delete seemingly doesn’t involve removing the actual data from their systems. I was fed up and didn’t pursue the issue further at this point.
1 service required me to call them to process account deletion requests. They asked me to confirm my email address and said it would be deleted within a month. Three weeks later, the account no longer worked, but they didn’t email me to inform me about it.
Some positive highlights
AMD sent me an email and required me to click on a link to confirm ownership of the email account. This step adds a level of protection to make it harder to fake an account deletion request. I hope they have a fallback in place for people who’ve lost access to their email account, though.
Hover had a system in place that required support personnel to request access to my account before they could see it. I got an email and had to click a link to grant them access to my account data. This shows that their systems are designed to limit access to personal data.