I'm pretty careful with my personal information. I'll never fill out an online form with real details unless it's absolutely or legally necessary. I'll think twice about ordering a taxi from my home rather than a small walk away. I haven't really used a cellphone in years, and instead churn through versions of the iPod Touch. I've put fake emails and phone numbers when booking a haircut, only to turn up to the barbers with them saying they've been trying to reach me to say they had to cancel. I have packages delivered under a friend's name, and I don't have my own details on my doorbell.
All of that work may have been undermined by a cheap mattress.
Out of apparent necessity, I ordered a mattress from an online company to my home address. I've already been told off for taking liberties with getting things delivered to the office to protect my personal address, and I didn't think the staff here would appreciate a mattress arriving on their doorstep. To get notifications on the delivery, I used my personal email address, something I don't usually do. The plan was to delete that information from my online account with the company later.
"Unfortunately, we do not have a way to remove this information from the previous orders placed and this data will be stored indefinitely," a customer support representative from the company wrote in an email after I asked them to remove my details. They added that the data "will not ever be shared with anyone outside of the company, barring a legal dispute."
That isn't really what I was going for with trying to get this data deleted. Exactly a year ago I wrote that lots of people can use the European Union's General Data Protection Regulation (GDPR) to demand that sites or services delete their personal information. I've successfully done this for fast-food websites, as far as I know scrubbing my orders and delivery history from the company's servers. The idea was that if I could remove my information from a website or service before it almost inevitably gets hacked, then at least my data won't be included in the subsequent data dump on some low-level hacker forum.
Do you know about an instance of data selling? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
As Neil Brown, a lawyer focused on the internet and technology at specialist law firm decoded:Legal explained to Motherboard at the time, if the company is established in the EU, U.S. citizens can ask for information to be deleted. Those in the EU can also ask U.S. companies to delete their information, but success can be hit or miss. Lots of tech giants have dedicated tools for streamlining the process of at least being shown what data each holds on you, and in some cases remove it as well.
The GDPR and services' privacy policies can give you some reassurance that the data which took you all of three seconds to enter into an online form won't be preserved on someone's server for years or decades to come. But that didn't work for this mattress company, and now I just have to hope, essentially, that it doesn't get hacked or leave its customers' data exposed. At least before I move.
Subscribe to our new cybersecurity podcast, CYBER.