| > I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent. Well, I definitely didn't. Even if I did give consent for processing my data, sharing with Facebook isn't something I would ever in a million years agree to. An explicit consent should have been specific about it. Evidently Acxiom shared my details with Facebook. But let's leave it aside for now. > You can prove that you have access to that email, but you still need to prove that you're you. That's where the huge imbalance lies, isn't it? They link my email, along other details, and they also share my email with Facebook. Yet, when I'm contacting them, from the same email address, then suddenly it's not enough. But let's say one piece of info isn't enough, they have other pieces? let's match them. Send me a letter, give me a phone call, give me the postal code and ask me to complete the address (or other parts of the address), provide a reasonable way for me to prove my identity. Without effectively asking for my entire address history, or compromising even more data about myself. > it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough. We completely agree on this one. They're as strict as possible when subjects try to exercise their rights, but loose as a cannon when it comes to sharing data, making sure they get real and explicit consent etc. |