[jve]

> You can't delete your account by self-service, you have to email dang, which is probably non-compliance because it adds friction

GDPR has nothing to do with friction I beleve.

Our lawyer told me that GDPR also applies to paper records, so there is some real-world friction right there.

The important part that there is a right - in whatever good/broken process it is enveloped is irrelevant.

Moreover does HN host PII data? Not if you don't give it to them.

[rcxdude]

Some of GDPR's language around consent for data processing (which, I will note, you only need if you don't have a legitimate and expected purpose for storing and processing it!) has implications for friction: many 'cookie popups' are not compliant because they make not giving consent harder than giving consent.

But deletion requests are not so strong: if you make people really jump through hoops then you might get in some trouble, but the expencted standard is basically at 'sending an email and getting a result within 30 days'.

[jve]

Depending on the data "sending an email and getting a result within 30 days" may not be basis for approving deletion request. You have no way to identify whether the data is associated with the person (if the data is not associated with the email).

So additional validation would surely be subject to friction.