GDPR in Practice: Flattr now deletes your history within 3 months

Since the launch of Flattr 2.0, the micro-payment service has collected parts of your web browser history through its browser extension to facilitate effortless payments your favorite creators and websites. Flattr updated their Privacy Policy mere hours before the General Data Protection Regulation (GDPR) went into effect and they now promise to delete your browsing history after a few months.

Flattr subscribers make a voluntary payment from 3 USD/month, install the company’s browser extension which collects their browsing history, and then Flattr divides their subscription fee out among the creators and websites they spent the most time on.

Just in time for the GDPR deadline, Flattr decided to start deleting the digital toxic waste piles of metadata that they’ve been collecting about each of their customers. The updated Privacy Policy for Flattr states that metadata will be deleted once it’s no longer useful to the service after 1–3 months.

Under their old Privacy Policy, Flattr could hold on to information about your web browser history up to six months after you’d deleted your account. The only way you could remove something from your browser history was to delete your Flattr account every month and then sign up for a new account under a new email address.

I emailed Judith Nink, Flattr’s Data Protection Officer, in and asked whether it was strictly necessary to require subscribers to delete and create new accounts every month to have their old browsing data deleted. I also asked for tools to allow subscribers to delete their own data when there’s no longer any value to them in letting Flattr retain the data. Flattr only needs to know what websites you visit for the duration of the current subscription period to deliver their service. Judith Nink responded with promises of reduced data retention duration once the GDPR went into effect in .

Flattr’s updated Privacy Policy for the post-GDPR world now outline new policies and greatly improved practices for how long Flattr holds on to data about their subscribers. Your browsing history is now either outright deleted or anonymized and disassociated from subscriber accounts within 1–3 months without subscribers having to take any action.

The web addresses and webpage titles collected by Flattr can contain deeply personal data including sensitive data categories such as health, religion, and sexuality. Under Flattr’s old privacy policy, you couldn’t go back even a month in your history to delete a website you no longer wanted Flattr to store a record of you having visited.

Flattr may still retain aggregated data such as the total number of users who contributed to a domain within a certain time period for statistical and business purposes. This data isn’t associated or linked with user accounts, however. The new policy delivers better privacy for everyone and delivers on one of the GDPR’s core principles: privacy by design and default.

I’m happy to see Flattr decide to get rid of old browsing history data as there’s essentially no benefit to Flattr subscribers in Flattr holding on to this data. I’ve been somewhat hesitant to recommend Flattr in the past as I wasn’t too happy about them retaining people’s browsing history indefinitely. However, their updated privacy policy puts my reservations to rest. I’m far less skeptical of a system that records data, uses it, and then automatically deletes it within a short amount of time than any system that clings on to my data forever.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. […]

GDPR: Article 25 Data protection by design and by default: Paragraph 2

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay [when] the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

GDPR: Article 17 Right to erasure: Paragraph 1: Point A