Thursday, June 30, 2022

You may Unsubscribe, but give me your Personal Data

I signed up for some online three-hour class two weeks ago. It was good, and the instructor did end it with the usual upsell you expect in some of these classes. I cheerfully turned it down.

Also as expected, I started receiving emails from this instructor about new classes and programs. I ignored them for a week until last Monday, when I decided I was getting too many sales emails from him and wanted to cut it down. So I clicked on the "click here to unsubscribe to this list," which is a trackable link, as expected: I would expect the link to know I am the one who wants to be removed from that list.

Well, the link led me to the following page; I did remove the top banner identifying the 3rd party company being used and my name and email, which were automagically autofilled. But below is what the form looks like in all of its glory:

This form caused a few questions to pop into my head:

  1. Why is there no reference to the instructor, his business, or something that refers to the mailing list? It is not like I erased that before posting. This sure looks like a great phishing page, but what do I know?
  2. Note that it asks for my address and phone number. Why does it need that? I mean, when I signed up for the class I did not need to provide either; so why now?
  3. Who is collecting this information: the instructor or this third party?
  4. Why is it called Update Information? I am here to unsubscribe from a mailing list!
  5. Why is a button called Update Information the default choice on a page you supposedly use to leave a mailing list? This is a classic example of a Dark Pattern in use, steering the user to select a less privacy-conscious option.
  6. Why would I want to update personal information to unsubscribe from a mailing list? In fact, let me put on my GDPR hat and say there is no lawful case for this form to collect (and process) personal data beyond email (Articles 5 and 6, and recital 39). I have belonged to many mailing lists that either require just the email or a username/password pair to leave them.
  7. Given there is no lawful case to collect the personal data mentioned in the previous question, the only other option is consent. GDPR Article 7 is very particular about how consent should be given and taken away. Is this form's request for consent presented in a clear manner, distinguishing it from other items in the same form (Art 7.2)? And, does it indicate a way to withdraw this consent in a manner that is easy to do (Art 7.3)? Finally, is it freely given (Art 7.4)? Looking at the form I have no idea if I am freely giving it or if I am required to, so the answer is no.
  8. Besides the company's banner, which is not a link to their website, and the buttons below, is there a way to interact with this website (say, to contact someone) and its owner? As far as I can see, none.

Given all the questions raised above, it seems that the safest and most privacy-conscious way to leave this mailing list is to tell my mail client to label any future email from that list as spam.

Moral of the Story

If you are going to provide some kind of mechanism for people to unsubscribe from your newsletters, please keep it simple, clear, and transparent. If it also doubles as a way for users to update their info, label what is required for unsubscribing and what is used for updating profile/account info. And, do not try to sneak in the collection of personal data.
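As an added illustration (this is not the third party's page, which only the author saw), here is a minimal HTML reconstruction of the pattern described in the post beside a clearer alternative. Field names, action URLs, the list name and the token value are assumptions. The first form shows why "Update Information" ends up as the default choice: in HTML the first submit button in tree order is the form's default button, so pressing Enter in any field triggers an update, and `required` on the address and phone fields means the browser will not even submit an unsubscribe until those are filled in.

```html
<!-- Added example, not the form from the post. Field names, URLs, list name
     and the token are assumptions. -->

<!-- BEFORE: the pattern described in the post.
     - No reference to the list owner.
     - Address and phone are required, although leaving a list needs only
       the email (or the token already carried by the unsubscribe link).
     - "Update Information" is the first submit button, so it is the form's
       default button: Enter in any field submits an update, not an unsubscribe.
     - Because the two actions share one form, the browser's required-field
       validation blocks "Unsubscribe" until address and phone are filled in. -->
<form method="post" action="/list/update">
  <input type="hidden" name="token" value="EXAMPLE-TOKEN">
  <label>Name    <input name="name" required></label>
  <label>Email   <input type="email" name="email" required></label>
  <label>Address <input name="address" required></label>
  <label>Phone   <input type="tel" name="phone" required></label>
  <button type="submit" name="action" value="update">Update Information</button>
  <button type="submit" name="action" value="unsubscribe">Unsubscribe</button>
</form>

<!-- AFTER: two separate forms, so neither action's fields or validation
     affect the other.
     - The page names the list and its owner.
     - Unsubscribing submits only the token from the link; no other data is
       collected, and the single button is the default action.
     - Updating the profile is a distinct, optional form whose fields are
       labelled optional and are not required to leave the list. -->
<section>
  <h1>Leave the "Example Instructor" class announcements list</h1>
  <form method="post" action="/list/unsubscribe">
    <input type="hidden" name="token" value="EXAMPLE-TOKEN">
    <p>Remove alice@example.org from this list. No other information is collected.</p>
    <button type="submit">Unsubscribe</button>
  </form>
  <p>Questions? Contact <a href="mailto:privacy@example-instructor.example">privacy@example-instructor.example</a>.</p>
</section>

<section>
  <h2>Optional: update your contact details (not required to unsubscribe)</h2>
  <form method="post" action="/profile/update">
    <input type="hidden" name="token" value="EXAMPLE-TOKEN">
    <label>Name (optional)    <input name="name"></label>
    <label>Phone (optional)   <input type="tel" name="phone"></label>
    <button type="submit">Update Information</button>
  </form>
</section>
```

When reviewing such a page, the two checks that fall out of this are simple: submit the unsubscribe action with every non-email field empty and confirm it succeeds, and press Enter in a text field and confirm it does not silently perform a different action than the one the page was reached for.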