It’s great you wanted to get the benefits of Leroy Merlin’s loyalty card after your purchase, yet it’s not great if you give me full access to your purchases by providing them my email instead of yours.
Dear Leroy Merlin,
Don’t you think you should verify the email before sending follow ups after registration, especially for an account connected with a loyalty card and related purchases?
- 2017-06-29 — I receive the first email, seemingly asking to click to complete the registration. I won’t click, hoping that’s a good verification system and won’t proceed further.
- 2017-06-29 — I was mistaken: in the space of just a minute I receive an email asking to add a password to the account.
- 2017-06-29 — And later that day, another email, specifying that the account is now active and that I’ve a new card number. What?
- 2016-06-29 — I try to reply, but the email is from a noreply address (firstname.lastname@example.org).
- 2017-07-05 — I receive a marketing email, advertising free delivery.
- 2017-07-05 — I reply to both the address of the email (email@example.com) as well as a customer support email I found on their website (firstname.lastname@example.org) asking for complete removal of my email, since they weren’t even authorized in the first place. I receive a bounce email, telling me that both the addresses are “noreply”.
- 2018-06-02 — I receive an email from Leroy Merlin that tells me that since 25 May 2018 the company is complying with GDPR. Ironic, and clearly not the case.
- 2018-06-02 — The GDPR changed something tho: now there’s an email address for privacy issues (email@example.com). I write there. No reply.
- 2018-06-08 — After contacting their customer care on Twitter, where I receive a reply, they tell me to send another reminder email at that same address. No reply.
- 2018-07-08 — As I haven’t received a reply to the privacy email for over a month, I proceed to report them to ICO. I also send a new email to them notifying that I’ve reported them to ICO.
- 2018-07-10 — Leroy Merlin replies telling me they fully removed my email from their databases.
- 2018-07-10 — I reply to them asking to fix the registration system to ask for consent first. No reply.
- 2018-09-17 — ICO replies to me with details on how to proceed with the complaint.
It’s great you want some good music, and Spotify is surely a good choice. Yet, maybe, using your own email instead of mine would work better, don’t you think?
Why do you send an Email Verification email… and then even if I don’t click there you start sending content? I never confirmed it, you’re using it without authorization, yet here we are. There isn’t even a button to tell you quickly “This is not my account”. How disappointing.
- 2018-08-31 — About 1h later, I receive an email that welcomes “me” on Spotify. There’s a “Cancel” link, but apparently it’s only for this marketing email, not for the account.
- 2018-08-31 — I contact Spotify via email and Twitter.
- 2018-08-31 — In about 20 minutes they replied to the Spotify email “We’ve removed your email address from our system”. Sorted.
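The behaviour the letter above asks for, as an added example that is not part of the original post and not any company's code: an address stays pending until its owner clicks "confirm", every other mail is blocked until then, and a signed "this is not my account" link erases the address without a login. The `Registry` class, its method names and the 24-hour expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # signing key, generated here for the example
TTL = 24 * 3600                   # assumed lifetime of an unconfirmed address (seconds)


class Registry:
    """Hypothetical signup store: nothing is active until the address owner confirms."""

    def __init__(self):
        self.pending = {}      # email -> expiry timestamp
        self.verified = set()

    def _token(self, email, action, expiry):
        msg = f"{action}|{email}|{expiry}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def register(self, email, now):
        """Record the address as pending; return tokens for the two links in the mail."""
        expiry = int(now) + TTL
        self.pending[email] = expiry
        return {a: self._token(email, a, expiry) for a in ("confirm", "not_me")}

    def resolve(self, email, action, token, now):
        """Handle a clicked link: 'confirm' activates, 'not_me' erases (no login needed)."""
        expiry = self.pending.get(email)
        if action not in ("confirm", "not_me") or expiry is None or now > expiry:
            return False
        if not hmac.compare_digest(token, self._token(email, action, expiry)):
            return False
        del self.pending[email]
        if action == "confirm":
            self.verified.add(email)
        return True

    def purge_expired(self, now):
        """Drop addresses nobody confirmed in time, so they do not linger in the database."""
        expired = [e for e, exp in self.pending.items() if now > exp]
        for e in expired:
            del self.pending[e]
        return expired

    def may_send(self, email, kind):
        """Gate for every outbound mail: unconfirmed addresses get the verification mail only."""
        if email in self.verified:
            return True
        return kind == "verification" and email in self.pending
```

Because the action name is part of the signed message, a "confirm" token cannot be replayed as a "not_me" token or the other way round.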
It’s great you wanted to use Twitch, and isn’t it beautiful that now you can connect it with Amazon too in just a few clicks? Shame you used my email address, so now you can’t access either of the two accounts, and instead… I’ve a new Twitch and a new Amazon account!
It’s great you send an email to “Verify your e-mail address”, but maybe you should remember to make it actually work? It’s not very useful if the person can then keep using the account, and even connect to a new Amazon account, without authorization.
It’s even more worrying that now I’ve to deal with two separate customer cares because even if the accounts are linked, of course there is no automated process, and the customer care is separate. Not to mention how not cool it is that to fix this your customer care representative asked me to accept to verify “my” account first, which would bind me to your Terms of Service.
Possible privacy violations:
- Email stored in a database without authorization
- Email sent to a partner company and stored in a second database without authorization
- 2018-06-08 — Received “Please verify your email address” email. I haven’t clicked on it. No automated way to remove the email from the database.
- 2018-06-08 — Received – 3 minutes later – “New account twitch connected” to a new Amazon account. Again no automated way to stop the operation.
- 2018-06-08 — I contact “Amazon Twitch” chat support via my personal Amazon account (not the new one created above). They ask me to access the account (which, not being mine, is a breach of privacy) and verify it before they can close it (“I need to verify the account to close it”), which would also bind me to their Terms of Service. I point out they are using my private data without authorization, to which they then instantly suggest to switch to the Fraud Department. At least, they “Unlink” the Twitch and the Amazon accounts.
- 2018-06-08 — Amazon Twitch replies also via email. They ask me again to contact them through the email associated with the account in order to delete it — which would require again for me to login. I reply to that email from the email associated with the account to be deleted. No reply.
- 2018-06-08 — I also manage to contact Twitch support itself.
- 2018-06-11 — Twitch replies they have deleted the account, but they note they have no way to delete also the Amazon account. They also confirm “there isn’t a verification that is required before proceeding with the registration of a Twitch account”.
- 2018-06-11 — I reply to Twitch support telling them it’s a privacy violation to not require email verification. No reply.
- 2018-07-27 — Apparently Twitch is still allowing registration without authorization, as a colleague of mine had the same issue. See tweet here.
- 2018-07-27 — I tried to reply again to my latest email (which didn’t get any reply) and I got back an automated reply that the issue was closed. I then opened a new chat, and they told me they can’t do anything, but they escalated to the right department (which I suspect is the one that never replied above) and I will get a reply in 24h.
- 2018-07-28 — Amazon replies via email with a standard email telling me the account is “secure”, ignoring completely the reason of my request.
- 2018-07-28 — I replied explaining yet again what the problem is.
- 2018-07-28 — I now tried a different approach, contacting customer support by phone, which is an option if I manage to get the “right” type of inquiry on the customer support form. I was told that the account was made on “.it” and as such they can’t do anything from “.co.uk” customer support.
- 2018-07-29 — I receive an email from “Primevideo” about “My Twitch Inquiry” telling me that my inquiry has been forwarded to Amazon.it. No further follow up.
- 2018-08-01 — I contact Amazon.it in chat, which tells me again to access the account (again: accepting their T&C and violating someone else’s privacy). When I mention that, they suggest sending an email to a direct email address with the problem. I sent that email.
- 2018-08-01 — I’ve received an email stating that the account has been closed.
I know, dating is hard, and services like Meetic look like they can help but they quite instantly try to make you pay. Granted, if you use my email to register, it’s even harder.
I know it’s hard to onboard new users. I assure you, however, that violating privacy by registering and activating an email that never authorized you is not a good way to proceed. Sure, everyone makes errors, but not even a link to remove the email? That’s bad practice, don’t you think?
It’s even worse because… we already had this discussion in August 2017. And your customer support told me that they were to fix the issue. Why then are we still here, GDPR and all, and my email is getting used without authorization?
- Prologue: this is the second time. Meetic wasn’t validating the emails already in August 2017, when someone registered an account with my email and I had to jump through hoops to get it deactivated. At the time it took them about a day to reply.
- 2018-06-01 — Received an “Activate your Account” email. I don’t activate.
- 2018-06-01 — Received an “Your photo has been approved” email. Clearly the account is active and the email has been used without authorization.
- 2018-06-01 — I try to check the account. Password recovery works – again, clearly representing that the email is active in the database.
- 2018-06-01 — I gain access to the profile, but the “email” field can’t be edited. I try to edit the profile because it’s moderated and maybe some humans will see it. I’m stuck.
- 2018-06-01 — I contact their customer care from inside the service, from the email reply account, and from their Terms of Privacy email contact.
- 2018-06-01 — I click on “Stop contacting me” on the email that contained the “Activate your Account” link.
- 2018-06-01 — I receive a new email that my update to the profile wasn’t accepted. Clearly again the email is still active, and the request to not receive emails anymore isn’t respected.
- 2018-06-01 — I look for support documentation, and I figure out that even if for some reason I can’t update the email address, I seem to be able to close the account. I close the account.
- 2018-06-01 — To cross-check if closing the account worked, I try to do yet again a password recovery. I get a message that I’m going to receive an email: it looks like my email is as such still in their database unfortunately.
- 2018-06-02 — Their support team replies confirming that the account has been deleted, but they also add “That’s not an issue with our systems, someone probably played a prank on you”. So I registered their customer support email to their own service.
The GDPR is now in effect, so let’s see how much things improve with the issues this blog is tracking about unauthorized registration of emails and the challenges to have them removed.
As a long-time player of Unreal and Unreal Tournament – the originals! I know! – I understand how amazing Epic games are. Yet, I think it would be better that you use your email address to register, otherwise you will have some major problems later to keep your scores and your game profile. I know very well how precious they are.
I understand you want to have as many users as you can – growth! right? – yet if I never click on “Verify Your Email”, why is my email still in your database? I really hoped you were going to do the right thing… yet here we are. A month later, and my email is still recorded.
Possible privacy violation:
- Email stored in a database without authorization
- 2018-04-07 — Received “Verify” email, I archived without clicking.
- 2018-05-07 — I receive an email warning me of multiple attempts to login to “my” account (note: I do have an Epic account, but it’s associated to a different email). I double check to be sure, this time it’s the email address I never authorized.
- 2018-05-07 — I try to access the account to contact their customer care. I contact them, asking to delete the account associated with my email.
- 2018-05-09 — I receive a reply that to proceed with the deletion I have to… verify the email first.
- 2018-05-09 — I reply asking to remove my email as they are not authorized to store it.
- 2018-05-09 — Epic answers that the account seems “verified” already (WAT?!?) and they are “escalating” to the “next step”. It also adds: “Please await our email, as any response to this ticket will reset the escalation process and may lead to a delay in handling your request”.
- 2018-05-23 — Received an email warning me of multiple attempts to login to “my” account. Again.
- 2018-05-23 — I now reply to the “escalation” email above, since it’s now two weeks since then!
- 2018-05-31 — Received an email warning me of multiple attempts to login to “my” account. Again.
- 2018-06-01 — Finally Epic deleted the account (was it necessary? couldn’t they have just changed the email?). Case closed (even if it seems they still allow users to register without authorizing the email, and the email address can’t be updated).
- 2018-06-13 — Unfortunately, even if Epic confirmed the account deletion, I received yet another email providing details on how to secure my account (“Mantieni al sicuro il tuo account”).
- 2018-06-18 — They replied they don’t have my email in their database. Yet I received the email, so they asked for more details.
- 2018-07-01 — After a couple emails, I send them the email header of the latest email I received from them.
- 2018-07-19 — They confirmed they have now “updated a few things on our side” and I shouldn’t receive emails anymore.
I don’t know you, but I think it’s great you decided to try out an app to track and improve your diet. Unfortunately, I’d also have appreciated you used your own email instead of mine.
Possible privacy violations:
- Email registered without authorization
- No-reply sender for the emails sent
- 2017-04-15 — Received email.
- 2017-04-15 — Sent email to firstname.lastname@example.org (no-reply, bounced back), email@example.com, firstname.lastname@example.org (their legal firm).