by dantheman0207 2812 days ago
> There are supposed to be all sorts of other GDPR protections, about rights to be forgotten, about being able to access and selectively remove personal data from an online profile, that I have no idea how to activate.

You don’t have to do anything to “activate” these rights under GDPR. You can just email the website in question and ask them to send an accessible copy of your data, or remove some or all of it from their servers. GDPR simply requires companies to adhere to certain consumer demands about my own data and respond within reasonable time frames.

Also I disagree with your analogy. Companies are allowed to track users for internal purposes under GDPR. But they are not allowed to sell your data to third parties without consent. The reason all these pop-ups and consent forms are so complicated has nothing to do with GDPR, and everything to do with the fact that companies are trying to nudge you into making a choice against your own best interests.


> You don't have to do anything .... just email the website ...

Okay ... let me try this.

> TO: cnn.com

> SUBJECT: Remove my data

Okay, let's send it!

> gmail: The address "cnn.com" in the "To" field was not recognized. Please make sure that all addresses are properly formed.

Oh. I've been around the block; maybe I can try admin@ or support@ or look at whois data, or browse around their website for a "Contact us" link, and maybe I can figure out how to properly assert that I do in fact own the account in question whose data I wish to remove, assuming I even have an explicit account rather than just a tracking cookie and a "shadow" profile. But isn't the GDPR supposed to be consumer-focused? What earthly consumer is going to go through these steps?

> What earthly consumer is going to go through these steps?

I have requested the removal of my personal data from multiple businesses, and I can assure you I'm quite earth-bound. Copy-pasting a template and filling in my name and account ID is not that hard.

I'm going to go out on a limb and guess that you are a fairly technical user. My snarkiness in the previous reply was excessive, but reflected my frustration with being told that something is simple that is actually a multi-step process with questions that are not easy to find the answer to.

I guess the problem with email for this process is that you have a number of questions, all of which may not have an easy answer.

1. Identify an email address -- is this standardized? Searching "GDPR address for cnn" gives nothing, and similar more general queries yield little information.

2. Identify a template -- is there a standard one? I see a bunch of websites that claim to have them, looks like 'datarequests.org' is a good(?) one? It seems to have only a small set of sites that can be submitted. The template is incredibly verbose and it isn't clear how to request specific information; would that typically happen as part of a dialog?

3. Identify an account number/user name/verification of identity -- is there a standardized process for this? Could someone else send a request to remove my data? What is the process for this and how can I activate it?

4. Email is not a structured medium. I don't want to get into a whole conversation about this; I want to see the data about me and be able to remove bits of it.

Note that as a software developer #4 sounds kind of ridiculous to me, since user data can be represented in a variety of site-specific manners, and the existing pre-GDPR protections put in place for PII make this almost impossible. But to an end user it feels like it should be a natural thing and having to deal with a number of complex bespoke systems sounds like a pretty heavy load.

I can see the GDPR in this sense being useful for celebrities and the wealthy, who can afford managers or consultants to take this action on their behalf, but not for people like my parents, for whom even step 1 is daunting.

I'm going to guess you're a technical user :) my parents would never think to search for standardized or GDPR-specific email addresses. What they did was find some generic way to contact the company (phone number, possibly Facebook or email) and ask them "where should I send a request for you to delete my data?"

Regarding the content, they would find some template they can mostly understand, then change/add a paragraph to include whatever specifics they need.

As for verification of identity, they would not even think much about it. They would sign with their name, and of course send from their email. The company would have to reply back to ask for whatever they need to verify it properly.

> 1. Identify an email address -- is this standardized?

Interesting, wasn't that addressed by GDPR? For that reason, German law requires information like this to be easily accessible, aka "Impressumspflicht". Let's compare, for example, Amazon's footer links.

Amazon.com

> Conditions of Use | Privacy Notice | Interest-Based Ads | © 1996-2018, Amazon.com, Inc. or its affiliates

Amazon.de

> Conditions of Use & Sale | Privacy Notice | Imprint[0] | Cookies Notice | Interest-Based Ads Notice | © 1998-2018, Amazon.com, Inc. or its affiliates

[0] https://www.amazon.de/gp/help/customer/display.html/ref=foot...

https://opt-out.eu/ is a service run by AFAIR someone on HN (spotted it today, can't find the source comment). Select a company, fill out a form, and you're done[0].

This is the template they seem to be using for erasure requests: https://github.com/opt-out-eu/opt-out/blob/master/src/email-....

--

[0] - Maybe. I'm not endorsing it, I just found it today. I wish someone (maybe the author) could say something more about the validity of such process, and whether this kind of e-mail is enough in practice.

One of the authors here. Thanks for mentioning us! I personally use the service and can testify it works. Just used it last week following the Apollo breach to have them remove me from their database. The service is free and open source. Happy to answer any questions!