Simple Opt Out – Links to opt out of data sharing by companies (simpleoptout.com)
188 points by xanthine on Oct 3, 2020 | hide | past | favorite | 26 comments


"opt-out of data sharing by snail mailing us more information about yourself"

That's gold. EU, sic 'em!


The GDPR explicitly allows companies to verify the identity of the requestor for the purposes of fulfilling a data access/erasure request.

The problem with the GDPR is that it was written with the assumption that companies are willing to abide by the regulation, and thus any data provided during the course of identity verification will not be used for any other purpose and so there aren't any problems with companies requesting more PII for the purpose of deleting PII.

Of course in reality certain companies are not willing to abide by the regulation, and entire industries are built on top of not abiding by the regulation, so much so that they're better off operating in breach and lasting for as long as possible (until investigations & fines shut down the entire business) than complying early. We're already seeing this with Google & Facebook that claim to comply with the regulation despite being in breach in various ways (the recent Google GDPR consent prompt is absolutely not compliant) and they are betting on the fact that 1) enforcement will not happen for a long time and 2) when enforcement does happen, the consequences will be less than the profit they made in the meantime.

The same thing applies with, for example, Facebook (or similar) analytics and pixel tracking. They claim they respect the GDPR and will erase any data upon request (in this case the request will need to come from the data controller, i.e. the entity that runs the app which embeds the tracking SDK), but does anyone actually believe that they will delete anything and that the data is not also used for other purposes (shadow profiles) in a way that's hard/impossible to detect from the outside?


The GDPR does not allow the processing of personal data at all without a legal basis, and the prevention of unlawful data processing does not require that you submit any identifying details at all!

A company may verify the identity of a person making a deletion request for data processed under a valid legal basis, which seems unlikely to be the case here.


Why do requestors need to be validated at all? If a request comes in to delete some data, just delete it. It's not the harvester's data in the first place. In what circumstance is it the harvester's right to gatekeep on others' data?


There can be a legitimate need to validate requests. For example, let's assume I don't like you and email the HN mods pretending to be you, asking to delete "my" account.

I agree when it comes to bullshit like advertising/marketing where fraudulent requests cause no harm to the real data subject.


GDPR article 12[0] explicitly permits this:

> Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

Article 17 deals with requesting the deletion of data and article 21 deals with objecting to the processing of your data.

In fact, not verifying the identity of individuals could be legally dangerous because you are in effect allowing an individual to tamper with another individual's data.

[0] https://gdpr-info.eu/art-12-gdpr/


GDPR does not allow disproportionality in the verification process.


For citizens of the EU, it would be useful to also include the contact address for requesting what data they already have on you. If I were going to spend effort on this, I'd rather report them to my local watchdog than play along with their game.


I just looked at a few of these for the services I use. So far I wasn’t able to actually opt out of anything. One service resulted in an error, the rest are just links to their policies where I couldn’t find any actionable links to do anything just them explaining that they’ll keep sharing my data. One explained to me how to unsubscribe from their mailing list with a screenful of text. So “Simple” is not what I would use for these links.


Hmm, I wonder if that opt-out error is by design? "We offer the opt-out so that we are compliant. It's not working? Hmm, it works fine in all of our testing. One moment while I look into this." <checks personal facebook feed> "Yeah, it's working on our end."


That's been my experience with Equifax's mandated services.


I maintain the site. So that I can improve the links or the instructions, could you tell me which ones you tried?

(If it's easy for you to send sanitized screenshots or longer explanations of what you did, https://simpleoptout.com/#additions-and-updates are also monitored.)


Opt-out is the wrong approach. Opt-in is the correct approach.

Why is that so difficult for lawmakers to understand?


Agreed. Though unfortunately the way we have it now is technically opt in, just through dark patterns or extortion.

Make an account? You are opting in via those T&C

Have an account and the T&C change to allow data sharing? Delete your account and deal with that pain and frustration or accept it.

Forgot you made an account? Well you agreed to be bound by the T&C that they changed to allow sharing even though you didn't know it happened.

They've made it so that legally you opted in in those dang documents that they make impossible to read. Super frustrating.


It's not difficult at all. The corporations pay lobbyists to influence this process.


They understand, they just know who their bosses are and it ain’t us.


Once upon a time, we were going to have a Do Not Track setting in our browsers...


Probably because so many are now convinced that the whole internet would fail if there wasn't advertising revenue everywhere.


Do you want me to opt in to that view or opt out of the opposite one?


Twitter allows you to disable personalisation...without being signed in. Yep. I'm sure that tickbox definitely totally does something behind the scenes. We promise.

> Paypal Cannot opt out

And this is EU law compliant how please?


Twitter also runs software that website owners can embed so maybe it's something like Google's opt-out addon?


Ignoring the poor usability of these grey opt-out workflow patterns, how can we ensure the opt-out persists as ToS are updated? We need an OSS community-maintained scraper that can poll for cloud status.


Opt-out by default is illegal when interacting with EU-based customers under the GDPR; opt-in by default is required by law.


Seriously, I hope lists like these will assist regulators to systematically address the offending companies to phase out this practice.

The fact that opt-out is the default is a symptom of how badly lawmakers have allowed these companies to exploit the public. Those that implement dark patterns (no opt-out, or intentionally frustrating the process) ought to receive additional fines and more (i.e. consider it criminal behavior).


There's no reason I shouldn't be able to go to the cookie policy services like OneTrust themselves and opt out of every one of their customers forever.


Could we get to some kind of standard like /.well-known/opt-out or something? Is there any existing guidance?
