It's a horrible way companies try to discourage data subjects from exercising their rights.
This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.
If comments here are any indication, too many people, being unaware of their rights, may fall for it though.
This is not lawful under both the GDPR and the CCPA. If Triplebyte follow through with their request against an EU or California resident, they'd be breaking data protection laws.
IANAL, but they may already be in violation of the GDPR with the 30 days processing time. While the GDPR states 30 days as the upper bound, the article about erasure also states:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies [...]
Notice the phrase undue delay. It seems that the legal interpretation of undue delay is as soon as possible [2]. Since the sign-up for Triplebyte seems to be immediate (you just create an account), they could also remove an account with a simple delete account button (remove some rows from a SQL database). So in the case of most web services as soon as possible seems to be with the click of a button to delete an account itself. Allowing a few more days for changes to propagate through storage systems and backups.
For anything longer, they should probably come up with damn good reasons when this is brought to court.
At any rate, they will have more serious problems if they make citizens public for people in the EU. They'll open up themselves to a huge liability. You are simply not allowed to use data for other purposes than what the data subject gave explicit well-informed consent for. And no, burying somethings in the terms and conditions is not explicit consent.
> This is not lawful under both the GDPR and the CCPA.
INAL, but from my understanding that's exactly what GDPR itself suggests to do:
> The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.
Thats mainly because [2]:
> There is a very real concern of fraudulent requests from bad actors, who might use a customer’s data for nefarious purposes.
While it's great to know that noone else is able to delete my account, it still feels shady af.
That's only true if they don't have another way to verify your identity, not if you're logging in to an account using your username and password in order to delete it.
Is there a privacy preserving alternative to sending a scan of your drivers license/passport? Can you get a notary to attest your identity, and you send them the notarized request?
Ah yes, the classic "send us more of your PII to delete your information." I've ran into that too many times.