Leroy Merlin has loyal clients

Dear Claudia,

It’s great you wanted to get the benefits of Leroy Marlin’s loyalty card after your purchase, yet it’s not great if you give me full access to your purchases by providing them my email instead of yours.

Dear Leroy Merlin,

Don’t you think you should verify the email before sending follow ups after registration, especially for an account connected with a loyalty card and related purchases?

Screen Shot 2018-09-21 at 14.03.26.png
  • 2017-06-29 — I receive the first email, seemingly asking to click to complete the registration. I won’t click, hoping that’s a good verification system and won’t proceed further.
  • 2017-06-29 — I was mistaken: in the space of just a minute I receive an email asking to add a password to the account.
  • 2017-06-29 — And later that day, another email, specifying that the account is now active and that I’ve a new card number. What?
  • 2017-06-29 — I try to reply, but the email is from a noreply address (noreply.adesione@leroymerlin.it).
  • 2017-07-05 — I receive a marketing email, advertising free delivery.
  • 2017-07-05 — I reply to both the address of the email (ideapiu@leroymerlin.it) as well as a customer support email I found on their website (vocedelcliente.sede@leroymerlin.it) asking for complete removal of my email, since they weren’t even authorized in the first place. I receive a bounce email, telling me that both the addresses are “noreply”.
  • 2018-06-02 — I receive an email from Leroy Marlin that tells me that since 25 May 2018 the company is complying with GDPR. Ironic, and clearly not the case.
  • 2018-06-02 — The GDPR changed something tho: now there’s an email address for privacy issues (privacy@leroymerlin.it). I write there. No reply.
  • 2018-06-08 — After contacting their customer care on Twitter, where I receive a reply, they tell me to send another reminder email at that same address. No reply.
  • 2018-07-08 — As I haven’t received a reply to the privacy email for over a month, I proceed reporting them to ICO. I also send a new email to them notifying that I’ve reported them to ICO.
  • 2018-07-10 — Leroy Merlin replies telling me they fully removed my email from their databases.
  • 2018-07-10 — I reply to them asking to fix the registration system to ask for consent first. No reply.
  • 2018-09-17 — ICO replies to me with details on how to proceed with the complaint.
  • 2019-01-18 — After some good back and forth with ICO on the best approach to improve best practices, they were able to reach out to Leroy Merlin directly (not through the French authority) and suggest fixes to their email registrations and the personal data handling.

Welcome to Spotify!

Dear… unnamed?

It’s great you want some good music, and Spotify is surely a good choice. Yet, maybe, using your own email instead of mine would work better, don’t you think?

Dear Spotify,

Why do you send an Email Verification email… and then even if I don’t click there you start sending content? I never confirmed it, you’re using it without authorization, yet here we are. There isn’t even a button to tell you quickly “This is not my account”. How disappointing.

Screen Shot 2018-08-31 at 13.34.04.png

  • 2018-08-31 — Received a “Confirm Account” email. I archive it without clicking anywhere. The email is from a “no-reply” account. The customer support requires to login. The privacy policy doesn’t provide any email to contact. They have a Privacy Contact form, but trying to delete data again requires to login. Quadruple ouch.
  • 2018-08-31 — About 1h later, I receive an email that welcomes “me” on Spotify. There’s a “Cancel” link, but apparently it’s only for this marketing email, not for the account.
  • 2018-08-31 — I contact Spotify via email and Twitter.
  • 2018-08-31 — In about 20 minutes they replied to the Spotify email “We’ve removed your email address from our system”. Sorted.


Chris got Twitch… and Amazon!

Dear Chris,

It’s great you wanted to use Twitch, and isn’t it beautiful that now you can connect it with Amazon too in just a few clicks? Shame you used my email address, so now you can’t access neither of the two accounts, and instead… I’ve a new Twitch and a new Amazon accounts!

Dear Twitch/Amazon,

It’s great you send an email to “Verify your e-mail address”, but maybe you should remember to make it actually work? It’s not very useful if the person can then keep using the account, and even connect to a new Amazon account, without authorization.

It’s even more worrying that now I’ve to deal with two separate customer cares because even if the account are linked, of course there is no automated process, and the customer care is separate. Not to mention how not cool it is that to fix this your customer care representative asked me to accept to verify “my” account first, which would bind me to your Terms of Service.

Screen Shot 2018-07-27 at 14.01.04.png

Possible privacy violations:

  • Email stored in a database without authorization
  • Email sent to a partner company and stored in a second database without authorization


  • 2018-06-08 — Received “Please verify your email address” email. I haven’t clicked on it. No automated way to remove the email to the database.
  • 2018-06-08 — Received – 3 minutes later – “New account twitch connected” to a new Amazon account. Again no automated way to stop the operation.
  • 2018-06-08 — I contact “Amazon Twitch” chat support via my personal Amazon account (not the new one created above). They ask me to access the account (which, not being mine, is a breach of privacy) and verify it before they can close it (“I need to verify the account to close it”), which would also bind me to their Terms of Service. I point out they are using my private data without authorization, to which they then instantly suggest to switch to the Fraud Department. At least, they “Unlink” the Twitch and the Amazon accounts.
  • 2018-06-08 — Amazon Twitch replies also via email. They ask me again to contact them through the email associated with the account in order to delete it — which would require again for me to login. I reply to that email from the email associated with the account to be deleted. No reply.
  • 2018-06-08 — I also manage to contact Twitch support itself.
  • 2018-06-11 — Twitch replies they have deleted the account, but they note they have no way to delete also the Amazon account. They also confirm “there isn’t a verification that is required before proceeding with the registration of a Twitch account”.
  • 2018-06-11 — I reply to Twitch support telling them it’s a privacy violation to not require email verification. No reply.
  • 2018-07-27 — Apparently Twitch is still allowing registration without authorization, as a colleague of mine had the same issue. See tweet here.
  • 2018-07-27 — I tried to reply again to my latest email (which didn’t get any reply) and I got back an automated reply that the issue was closed. I then opened a new chat, and they told me they can’t do anything, but they escalated to the right department (which I suspect it’s the one that never replied above) and I will get a reply in 24h.
  • 2018-07-28 — Amazon replies via email with a standard email telling me the account is “secure”, ignoring completely the reason of my request.
  • 2018-07-28 — I replied explaining yet again what the problem is.
  • 2018-07-28 — I now tried a different approach, contacting customer support by phone, which is an option if I manage to get the “right” type of inquiry on the customer support form. I was told that the account was made on “.it” and as such they can’t do anything from “.co.uk” customer support.
  • 2018-07-29 — I receive an email from “Primevideo” about “My Twitch Inquiry” telling me that my inquiry has been forwarded to Amazon.it. No further follow up.
  • 2018-08-01 — I contact Amazon.it in chat, which tells me again to access the account (again: accepting their T&C and violating someone else’s privacy). When I mention that they suggest to send an email to a direct email address with the problem. I sent that email.
  • 2018-08-01 — I’ve received an email stating that the account has been closed.


Roby is looking for friends

Dear Roby,

I know, dating is hard, and services like Meetic look like they can help but they quite instantly try to make you pay. Granted, if you use my email to register, it’s even harder.

Dear Meetic,

I know it’s hard to onboard new users. I assure you that however violating the privacy by registering and activating an email that never authorized you is not a good way to proceed. Sure, everyone makes error, but not even a link to remove the email? That’s bad practice, don’t you think?

It’s even worse because… we already had this discussion in August 2017. And your customer support told me that they were to fix the issue. Why then are we still here, GDPR and all, and my email is getting used without authorization?

Screen Shot 2018-06-02 at 00.07.43.png

  • Prologue: this is the second time. Meetic wasn’t validating the emails already in August 2017, where someone registered an account with my email and I had to jump through loops to get it deactivated. At the time took them about a day to reply.
  • 2018-06-01 — Received an “Activate your Account” email. I don’t activate.
  • 2018-06-01 — Received an “Your photo has been approved” email. Clearly the account is active and the email has been used without authorization.
  • 2018-06-01 — I try to check the account. Password recovery works – again, clearly representing that the email is active in the database.
  • 2018-06-01 — I gain access to the profile, but the “email” field can’t be edited. I try to edit the profile because it’s moderated and maybe some humans will see it. I’m stuck.
  • 2018-06-01 — I contact their customer care from inside the service, from the email reply account, and from their Terms of Privacy email contact.
  • 2018-06-01 — I click on “Stop contacting me” on the email that contained the “Activate your Account” link.
  • 2018-06-01 — I receive a new email that my update to the profile wasn’t accepted. Clearly again the email is still active, and the request to not receive emails anymore isn’t respected.
  • 2018-06-01 — I look for support documentation, and I figure out that even for some reason I can’t update the email address, I seem to be able to close the account. I close the account.
  • 2018-06-01 — To cross-check if closing the account worked, I try to do yet again a password recovery. I get a message that I’m going to receive an email: it looks like my email is as such still in their database unfortunately.
  • 2018-06-02 — Their support team replies confirming that the account has been deleted, but they also add “That’s not an issue with our systems, someone probably played a prank on you”. So I registered their customer support email to their own service.


Max wants to play epic adventures!

Dear Max,

As a long-time player of Unreal and Unreal Tournament – the originals! I know! – I understand how amazing Epic games are. Yet, I think it would be better that you use your email address to register, otherwise you will have some major problems later to keep your scores and your game profile. I know very well how precious they are.

Dear Epic,

I understand you want to have as many users as you can – growth! right? – yet if I never click on “Verify Your Email”, why is my email still in your database? I really hoped you were going to do the right thing… yet we are. A month later, and my email is still recorded.

Screen Shot 2018-05-09 at 18.00.09.png

Possible privacy violation:

  • Email stored in a database without authorization
  • Contacting for privacy issues requires sending a physical letter. No other contact detail. Privacy policy is here.


  • 2018-04-07 — Received “Verify” email, I archived without clicking.
  • 2018-05-07 — I receive an email warning me of multiple attempt to login to “my” account (note: I do have an Epic account, but it’s associated to a different email). I double check to be sure, this time it’s the email address I never authorized.
  • 2018-05-07 — I try to access the account to contact their customer care. I contact them, asking to delete the account associated with my email.
  • 2018-05-09 — I receive a reply that to proceed with the deletion I have to… verify the email first.
  • 2018-05-09 — I reply asking to remove my email as they are not authorized to store it.
  • 2018-05-09 — Epic answers that the account seems “verified” already (WAT?!?) and they are “escalating” to the “next step”. It also adds: “Please await our email, as any response to this ticket will reset the escalation process and may lead to a delay in handling your request”.
  • 2018-05-23 —Received an email warning me of multiple attempt to login to “my” account. Again.
  • 2018-05-23 — I now reply to the “escalation” email above, since it’s now two weeks since then!
  • 2018-05-31 — Received an email warning me of multiple attempt to login to “my” account. Again.
  • 2018-05-31 — Finally Epic updated their privacy policy and now it includes an email address to contact. I’ve now sent another email with their privacy team in CC.
  • 2018-06-01 — Finally Epic deleted the account (was it necessary? couldn’t have they just changed the email?). Case closed (even if it seems they still allow users to register without authorizing the email, and the email address can’t be updated).
  • 2018-06-13 — Unfortunately, even if Epic confirmed the account deletion, I received yet another email providing details on how to secure my account (“Mantieni al sicuro il tuo account”).
  • 2018-06-17 — I contacted them back at both support and at their privacy policy email again (dpo@epicgames.com). Notably, the support email is a “no reply” account, and as such they replied I’ve to contact them through web support. Which means additional hoops before I find a contact form.
  • 2018-06-18 — They replied they haven’t my email in their database. Yet I received the email, so they asked for more details.
  • 2018-07-01 — After a couple emails, I send them the email header of the latest email I received from them.
  • 2018-07-19 — They now confirmed they have now “updated a few things on our side” and I shouldn’t receive emails anymore.
  • 2018-12-07 — I receive another marketing email for Fortnite.

A healthier lifestyle with Yazio for Angela

Dear Angela,

I don’t know you, but I think it’s great you decided to try out an app to track and improve your diet. Unfortunately, I’d also have appreciated you used your own email instead of mine.

You see, Yazio isn’t asking for authorization when you registered, so now my email has been added without authorization in their database. Unfortunately, Yazio as of today does’t seem to have even a Privacy Policy linked in the footer of their website, so I really had an hard time finding a contact email… ah yes, because of course the sender used in the email I received bounces back.

Screen Shot 2018-04-15 at 15.01.52.png

Possible privacy violations:

  1. Email registered without authorization
  2. No-reply sender for the emails sent
  3. No privacy policy in the website footer


  • 2017-04-15 — Received email.
  • 2017-04-15 — Sent email to coach@mails.yazio.com (no-reply, bounced back), help@yazio.com, kanzlei@lex.tm (their legal firm).
  • 2017-04-16 — Customer care replied, they removed the account. They ignored in the reply the request to fix signups and privacy policy.