Cloudflare keeps sending emails over a year after account was cancelled (shkspr.mobi)
242 points by edent on Sept 27, 2020 | hide | past | favorite | 152 comments

They are definitely not managing their mailing lists efficiently.

My case is somewhat different, not that I want to unsubscribe but at one point they started addressing me as Dick in all their mass marketing emails. That's despite the fact that my name is not Richard or any variation thereof, nor have I used that name to sign up for anything at Cloudflare. It began immediately after I shot down one pushy salesperson's "invitation to arrange a call or videoconference" for a product that I already told them would not work for me. Could be just a coincidence, though.

Wow. That’s some serious passive aggressive BS, if that really is the reason. Their sales team is really obnoxious and pushy from my limited experience. But that’s pretty true of most sales teams I’ve interacted with.

I’ve also had a bad experience with Cloudflare’s sales team. I was testing out their workers platform very shortly after its initial release when I got an email from a guy at Cloudflare claiming to be looking for user feedback on workers. I agreed to talk to him and he continued to pretend it wasn’t a sales call.

The minute the call started it was clear he didn’t want to hear anything I had to say about workers and began pressing me to tell him where I worked. I told him and the conversation immediately turned into “what can I do to get you guys a contract for workers?”

The whole interaction was unsettling for me. Seems like a pretty sleazy sales tactic.

I can also echo this. I was interested in one of their products (can't remember which) and after a call where I said I was interested, they never emailed me back, even after I sent a follow-up.

The self-serve platform is great and I wish all products were self-serve, because dealing with sale teams is very annoying when you're just trying to evaluate a product.

Same experience here. He didn't listen to my feedback and didn't answer any of the Workers-related questions I emailed him at his request.

Same interaction for me too. I think this is a widespread tactic on their sales team.

Sounds more like said pushy salesperson didn't realize the OP would actually get email with that name attached.

Yes. Do not register for any of their webinars with your work email.

We've got tons of non-associated domains that we have single spam inboxes on. We then put aliases on them as needed. That way when some demos / trials require a valid domain we have it, but we can also get away.

Life Pro tip, do this for conference registrations otherwise you'll be crushed.

If not for tons of useless business spam, what are work emails for?

I was downvoted last Cloudflare thread when I said I don't trust them.

Why is the CTO deleting tweets? But because the last thread was about archive.org I love the fact that the tweet is archived on archive.org

Sadly data protection agencies are understaffed and overwhelmed with requests. So if not hundreds of people complain about one company there will be no action (none of my complaints up to now has resulted in anything but notifications that I'm in a waiting queue - in some I'm for over a year now).

"Our mission to help build a better Internet is rooted in the importance we place on establishing trust with our Customers, users, and the Internet community globally. To earn and maintain that trust, we commit to communicating transparently, providing security, and protecting the privacy of data on our systems."

He seems to automatically remove all posts after a certain time (3 weeks or so), which isn't that unusual to do on Twitter.

It's the reasonable thing to do when context collapses so easily on tweets.

Not when you’re the face of Cloudflare, or any other company that large.

It looks very deceitful.

Not to me. So long as it's consistently applied, it actually seems like the responsible thing to do when something completely innocuous posted on Twitter could cause damage to the company.

To me it's similar to scheduled stock selling for CEOs, which gets rid of any doubt for whether there's insider trading.

That’s a really fair point.

Just not good enough for me given the circumstances; maybe he should delete them after he resolves them or follows up, especially if he says he’s going to look into it and never does. That’s worse than not responding on Twitter at all IMO — and then the tweets were deleted too. The optics here are just horrible.

Seems more like scheduled shredding or other nonretention of documents.

"which isn't that unusual to do on Twitter."

For you and me yes, but for the CTO [1] of a publicly traded company? YMMV.

[Edit] [1] Officer in the company

A technically minded CTO of a highly technical company? What makes you think they're so different to you or me?

They should not tamper with their paper trail for accountability reasons, e.g. in many countries they are not allowed to delete emails etc.

A paper trail doesn't have to exist in public as far as I know - and it is mostly relevant for things they probably should be very careful about tweeting about anyway (yes, I know, "everything is securities fraud", but that's a key point), which is why Musk's tweets you reference elsewhere became relevant: since he's not supposed to publish financially relevant things in non-official channels first but he kept doing it, Tesla declared his Twitter an official channel for notifications.

I think you hold tweets in too high of regard.

Obviously a tweet can be used by court. And Musk tweets can move billions.

It's a tweet, not a public news release.

How is this any different? His tweets quoted in the article are literally representing himself as a cloud flare employee (the CTO even) to the public. I fail to see any difference between a public tweet discussing cloudflare business and a post written by him on their website (or a press release). It would be different if he didn't discuss company business in Twitter, but at the point of saying he will look into customer support issues in response to complaints about the company, it certainly seems reasonable to assume that his tweets represent the company.

For example, at no point on HN have I even stated who my employer is, much less responded to a customer and said I would take action on their behalf. The reason is that, once I did so, it wouldn't be unreasonable to assume that anything I post under this account represents a company position.

I mean if Cloudflare made a blog post and decided to remove it in 3 weeks is that a problem? Why can't an employee decide to remove their tweets too?

So why were Elon Musk's tweets regulated then?

(In part) Because Tesla told investors in a November 2013 official filing: "For additional information, please follow Elon Musk’s and Tesla’s Twitter accounts: twitter.com/elonmusk and twitter.com/TeslaMotors" [0]

[0] - https://www.sec.gov/Archives/edgar/data/1318605/000119312513...

CEO of Shopify and few others do the same. Although not after 2 weeks, more like 6 months or a year.

I rarely see that and never with a public company account. It is a little strange..

It’s incredible to me how so many people blindly trust Cloudflare to manage their SSL termination while building the apps and platforms that’ll power the next generation of online everything.

It's common but not universal. I emailed the data protection officer of Toyota and got a sane reply from a real human in under 24 hours.

I worked with a few of their execs during acquisition talks. I was really impressed with how concerned they were about continuing good service in a situation where they really only valued the tech.

I'm sorry that OP hasn't received a follow up communication, I've raised that internally to figure out why. But this was investigated and his email has been deleted and an explanation was meant to have been sent. I'm sorry that he hasn't received the explanation.

PS I automatically delete tweets after two weeks. Have done for a long time.

I mean he's had the issue for a year now, and each time you personally say something along the lines of "I'll look into it" or "I've raised that internally" but he waited an entire year before he posted this.

Saying 'sorry, should be fixed now' is kind of unacceptable and more than a little patronizing to the people here.

When you run a company with a lot of users, statistically mistakes are guaranteed to happen.

What would you prefer his response be?

You don't post I'll look into it internally multiple times and don't bother following up. I prefer no response or an honest one. No one benefits from a fake response.

> What would you prefer his response be?

If you get email that you're not supposed to get, it seems like marking it as spam is the logical option.

So the way for Cloudflare to really care about this is to end up on HN frontpage right? Otherwise...

No, the way to get to someone at Cloudflare who cares is HN.

Sending an email or support ticket ends up with a level 1 support agent who cares a lot less than the CTO.

> No

I'm confused, don't you go on to say the same thing as GP?

The comment you replied to implies that if you reached the CTO by other means, your problem would also get fixed, even without publicity.

Can we expect this issue to now be resolved completely for all users, for example, if someone decides to delete their Cloudflare account today?


Are you sure about this? Do you need a reminder in a year?

Why? What guarantees can you give us?

Not sure why you’re getting downvoted.

He’s said this to OP multiple times and done nothing. You’re totally in your right to ask...

None. This is a PR operation, not any real change in policy. If it were a real change, there would be text about GDPR reports to all affected users.

You see this with nearly every SaaS provider. There's clearly a split between the email/PII in the control plane (admin dashboard) for your account, and then separate (often third party) spam tooling that they "sync" with, where the syncs work maaaaayyyybbeee 80% of the time. Department A handles the cplane (tech) and Department B handles the spam (marketing) and they try to go about their day/month/quarter with as little interaction as possible. The end result is that how your data/email is handled in one is different from how it's handled in another, and they can often ping-pong or feed back off each other in automated ways that make trying to unsubscribe a confusing game of playing Byzantine generals with other people's products.

Now, just because I understand and sympathize with how things got this way doesn't mean I'm not glad this guy is holding CF's feet to the fire for doing something about it. This emergent anti-pattern/"worst"-practice needs to improve, and who better than the poster child for consumer tech SaaS.

I find the post to be pretty unnecessarily unforgiving; if you've worked in this industry for more than a minute, you understand how this sort of stuff happens. This is clearly not a marketing list - it's a compliance list on the first one, and a statuspage style one on the other. To call them spam is disingenuous, and to draw a line from "my email is on multiple lists and taking my name off one doesn't take it off all" to "Don't trust this company with your personal data" is really only fair if your email address is firstname.lastname.momsmaiden.childhooddog.bankaccountnumber.birthdate@gmail.com.

Edit: I'm aware that GDPR considers email as confidential PII, but my post isn't legal advice. I just don't see my email as confidential.

I once sent a 20-ish page written letter of complaint about British Airways to the UK regulator before they finally unsubscribed me

OP, make a complaint to the ICO, it actually works

He could take the route that some people take with telemarketers. Take them to small claims court[0].

I remember reading about someone who went a step further. When they got a default judgement against a company and the company didn't pay, they put a lien on the owner's home so he couldn't ever sell it until he paid up. I don't know what that takes to do, but it sounds fun!


(Of course Cloudflare shouldn’t spam people who have quit their service).

But I think posts like this explain why I’m not a huge GDPR fan yet.

On the one hand we have enormous tracking empires, who most likely are maliciously compliant with GDPR. They have probably not lost much precision / revenue due to the legislation. Mostly business as usual.

Then on the other side we have “normal” companies who are doing mostly “normal” crappy stuff all larger enterprises do. Cloudflare aren’t maliciously spamming people, they’re just incompetent at handling their email lists. And sure it’s not a great look, but keeping someone’s email address around is probably not something governmental agencies should get involved in, in most cases.

The tone used in this post would, for me, be appropriate if Cloudflare did something horrible with your data. Selling traffic info to data-aggregation firms, having lax security for accessing your customer portal, being hacked and leaking data etc.

Not “just” being sloppy with their mailing lists.

"Oh, my private data got leaked all over the darkweb, but it is fine because the company that collected it is merely incompetent rather than malicious", said nobody ever.

Comments like this one are probably not helpful in the overall scheme. The people who agree with you (like me) already agree with you, and I strongly disagree with the way of thinking by the person you're responding to, especially wrt this piece:

> Then on the other side we have “normal” companies who are doing mostly “normal” crappy stuff all larger enterprises do. Cloudflare aren’t maliciously spamming people, they’re just incompetent at handling their email lists.

... but your comment seems to be mostly self-serving and geared towards points-scoring.

> And sure it’s not a great look, but keeping someone’s email address around is probably not something governmental agencies should get involved in, in most cases.

Why not? They are unwilling or unable to do it without government intervention. I agree that for an honest mistake you don't need the government to step in. But after a year and multiple tries and broken promises, it's not an honest mistake, it's either intentional or gross incompetence.

I especially like that they keep stuff despite GDPR to "comply with internal policies and legal obligations". Making up an internal policy has no relevance to GDPR whatsoever (otherwise it would be quite easy "sorry, we have an internal policy to keep all your data forever"). Sounds like they simply don't care about GDPR.

Cloudflare isn't the only one with this sort of problem. I continue to get email from FedEx every month instructing me to update my credit card information. The information they have on file is from a card that expired over 10 years ago, and I closed my account with them 12 years ago. I called them last month to ask them why they continue to send me these emails, and asked them to stop. Their response was that they cannot stop the emails. Even when I pointed out that my having no business relationship with them, and them not offering a way to opt-out is a violation of the "Can Spam" act, they shrugged.

You should call their bluff and file a complaint on them under the act

I’d bet they’d fix it really quick once regulators get involved

I got into Gmail during the beta and have a first-initial-last-name address that other people tend to use for signing up for services. There is a bank (PNC) that sends me emails all the time with no unsubscribe option. I don't have an account so they won't talk to me. It seems like a CAN-SPAM violation but I haven't bothered to look into how to actually sue for it.

Edit: corrected "PNY" -> "PNC"

PNC refused to abide by my opt-out preference for pre-screened offers of credit. Multiple complaints to multiple people in the company didn't achieve anything. It wasn't until the CFPB stepped in, that they pledged to have fixed the problem (although I received 3 more mailings afterwards, but nothing for a while).

I'm kinda in the same spot.

I have "${lastname}${firstname}@gmail.com" and I routinely get emails directed to "${lastname}.${firstname}@gmail.com" (notice the dot in the middle).

This was no big deal for me. But I received important documents (sometimes even legal document) that were not directed to me, at all. They were meant to be delivered to people in other areas of the country.

This is because Google has moronically and unilaterally decided that the dots are not meaningful and that they are smart enough to understand who is the actual recipient of an email (spoiler: they are not).

This also means that somebody else is also getting mail directed to me. This is super scary and made me distrust gmail as an email provider.

Nowadays I keep my gmail account for my android phone only.

But knowing I cannot trust the email address I am not confident to, for example, start using Google Cloud Platform with my private account.

I don’t think it is possible for someone to register a gmail account name that contains dots. Therefore the mail you are getting is just people sending it the wrong address.

I also have a "${lastname}${firstname}@gmail.com" email account and experience misdirected emails somewhat frequently. I wish more websites supported a “delete and recreate your account” feature, because some of my accounts were principally created by someone else and I can’t edit the details (Hulu).

You can register a Gmail account that contains dots -- mine does -- but you can't register an address that collides with another address if you remove all the dots.

Not sure how these restrictions evolved over time, but the fact stands that I almost routinely get emails that are not meant for me.

That's just people filling in your email address instead of their email address. Nothing to do with Google.

Does Google keep track of your address with the "preferred location of the dots"? Can you sign in with the dot removed?

> Does Google keep track of your address with the "preferred location of the dots"?

Yup! Both the account switcher and the "From" address on emails I send include the dots.

> Can you sign in with the dot removed?

Hadn't tried it before, but yes I can. (In fact, you can try this at home: it also works if you add dots.) Signing in this way doesn't change what Google thinks my "canonical" email address is -- after logging in, the account switcher etc. still shows the dots in the places they were when I first registered.

I have the same problem. It's just people mistyping addresses. When I chase it down, it always turns out that they're looking for "${firstname}.${initial}.${lastname}" or they left off some number. Gmail doesn't allow people to register accounts that would collide with someone else modulo dots.

My solution: create a filter that matches "to:${firstname}.${lastname}@gmail.com" and archives those emails in a separate folder.

> This also means that somebody else is also getting mail directed to me.

By what mechanism do you think that's happening? There is no account with same username as yours, except with a dot, and never has been. Guaranteed. So just how would your emails be going to somebody else?

It seems like your mental model of how this is working has to be incorrect to have that fear.

Before suing you could try the abuse contact for the sending email server and then escalate to the abuse contact for the address space of that server if needed. In my experience that gets you off spam lists from any "legitimate" business.

Probably worth looking into. Sounds lucrative since PNC has money.

I had a positive view on Cloudflare until recently. I started using it for my project about 3 months ago. I was impressed by the available features and even started planning to spend more in the future (I have only been on the free plan).

You can set up a lot of things and even have a load balancer. I was also impressed by the smooth and easy onboarding process.

Unfortunately, after starting to use it I realized that my site was extremely slow for everything that is not cached. Cloudflare was adding 250ms of latency to every request to my server. I certainly did not expect that much. When you try to send a support ticket, they aggressively try to make you not do it. My support ticket did not receive an answer for 2 months.

I stopped using it last week and will certainly not look back.

Please do notify your country's Data Protection Authority. This is unacceptable.

The UK's ICO is remarkably ineffectual, sadly.

Doesn't hurt to try though - at least there will be a paper trail (plus public shaming) documenting their ineffectiveness.

Nothing surprising here.

Companies like Cloudflare, Netlify etc. are generally built for sale or to IPO.

People in charge of this type of startup care about two things: Growth and ARR.

It’s very common for those businesses to have multiple teams with their own « Mailing List » because it’s just faster and simpler to operate this way rather than having one single mailing system.

Add to that software turnover and you're good for some trouble just to get rid of something that should have never been a problem in the first place.

They send emails without an unsubscribe link? What do people do when they get emails like that? I just mark as spam in Gmail, they go away but that's surely the last thing an email sender would want to have happen.

There are unsubscribe links on all their e-mails and I think the automatic unsubscribe feature too.

What I really want to know is if the OP actually tried to unsubscribe or just went directly to twitter about still receiving e-mails after cancelling his account for that nice twitter/HN buzz?

They do? I have tried that in Gmail but it seems some domains are whitelisted so you can't mark them as spam.

I care about privacy as much as anybody, but why make such a big outcry over such a minor infraction? An email address is one of the least private and most non-consequential pieces of information that could be retained about someone in this day and age. Which many other companies flagrantly abuse all the time with no shame. Yet compared to many other large companies, Cloudflare has been a company with at least a respectable reputation and track record. Does that not warrant treating them a little bit better than this? Is the fact that they were unable to unsubscribe a user really something that warrants alarming the HN community over? Is there such a dearth of hills to die on right now that this is what we should be outraged about today?

If they don't have such a simple mechanism as unsubscribing from a mailing list, what else have they fucked up? I would rather not take any chances.

> Yet compared to many other large companies, Cloudflare has been a company with at least a respectable reputation and track record.

Has it? See the following page (which also contains complaints about unsolicited e-mail, among others): https://codeberg.org/themusicgod1/cloudflare-tor

> over such a minor infraction?

It might be minor if it's only affecting one person, but the OP seems to suspect (on fair grounds) that there might be a lot of people affected by the same dubious corporate practice.

Email is a pain to deal with and unwanted email saps attention and time from one's day. One of the reasons I use individual email aliasing for every company[1] is because I wanted to avoid wasting cumulative hours or days over my lifetime managing unwanted emails.

Lots of companies (big and small) don't unsubscribe me properly and I end up getting emails a year or two later. It's nice to have the nuclear options of deleting the alias if needed.

So yes, it's relatively minor compared to internet infrastructure products and tooling that Cloudflare is responsible for, but it's still an issue that erodes trust in a company.

[1] Detailed here: https://jonpurdy.com/2020/06/using-email-aliasing-to-detect-...

Isn't reporting them as spam, or just blocking them, a lot more time efficient?

> Isn't reporting them as spam

If you are using an e-mail provider that does something about it.

I have a GMail address that receives spam from several specific companies regularly. I've marked the messages as spam every month for at least five years. They keep coming, and GMail keeps showing them to me.

Yes the obvious answer is you can click once to Mark as Spam and be done with it forever.

IMO this is just a weird form of grandstanding.

> click once to Mark as Spam and be done with it forever.

That doesn't always work.

I receive spam from a major US university to a Gmail account. Marking it as spam for over a year has done nothing.

That’s a bug with your email client then. Marking as Spam should be the same as a Block plus a Spam Report.

Whether they keep sending you email or not, you should never see a message from the same address again.

A decent client would give you the option to block the whole domain.

> That’s a bug with your email client then

Don't blame the victim. GMail does this. I have the same problem, and I only use GMail's web interface.

First, I wasn’t blaming the user at all, I was blaming the software. Second, I don’t see any “victim” here. It’s an occasional email sent in error. It’s a special kind of privilege to be able to write 500 words complaining (and threatening retribution) for something like this.

Email clients do need to be able to successfully handle spam, it’s a pre-requisite for using email. I would absolutely blame the email client software before shouting into the void.

Where's the threatened retribution?

Talk about GDPR, ICO, SEC... calling it a “breach”. Calling out the CTO for deleting old tweets, the comment “I assume that JGC doesn’t like his personal data being misused.” could be interpreted as a veiled threat but it’s borderline.

Talk about the GDPR isn't threatened retribution. It's just something that happens when you violate the GDPR. That's like saying that talk about tax law and the tax office and calling something “tax fraud” is a threat.

I do understand about the tweets, though. Calling out perceived hypocrisy, especially when there are legitimate reasons it's not hypocrisy, is a threaty sort of thing.

"Cloudflare has been a company with at least a respectable reputation". No, they don't. They have the kind of rep where in the future, if they are caught spying, everyone would go "I figured that was happening."

So you're basically saying we should give them the benefit of the doubt on not complying with GDPR because they have a good track record?

It would be one thing if OP was receiving cookie-cutter responses from CloudFlare's support team, but the CEO repeatedly personally intervenes and makes assurances that simply aren't true (and he's already made the same promises in this thread). How can those promises be taken at face value when it's still a problem a year later?

No, I'm not saying anything about "doubt". I'm saying if a nice friend (or a non-friend for that matter) takes your pencil and insists for the next year that he'll return to you despite never doing so, maybe there's a better way to deal with this trauma than to crucify him in front of 7 billion people.

I mean if you want to go out of your way to portray the company in the best possible light and OP in the worst possible light, sure.

Most people wouldn't consider a multi-million dollar corporation that is beholden to federal regulation their 'friend' though. And if we're continuing your painfully hyperbolic analogy, if said friend kept insisting that they had or were in the process of giving me back my pencil any time I asked them over the course of a year, I would have some grounds to complain.

Oh, my bad. By complain on a small independent forum I really meant 'crucify him in front of seven billion people'. My mistake.

For someone experiencing "pain" at "hyperbole" I hope it doesn't pain you to realize that the forum you're calling "small" has some five million monthly readers...

I mean you're the one who called this independent blog post a 'public crucifixion in front of 7 billion people' but sure, let's make this a "no u" thing.

If that person is a publicly-traded company with hundreds of millions in revenue, and "taking your pencil" is failing to adhere to their obligations under privacy law, yeah, maybe public shaming isn't too bad.

I mean, I know in America, corporations are people and even have constitutionally-protected religious beliefs, but I'm sure Cloudflare will, with enough counselling, cope with the trauma of some mild public shaming.

A better way, such as? You mean like writing email / tweet requests directly to those responsible? What's this magical alternative method? FWIW, this method seems to have worked where the reasonable and common methods clearly failed. He bought his own nails and cross when he promised action would be taken but failed to execute.

> A better way, such as? You mean like writing email / tweet requests directly to those responsible? What's this magical alternative method? FWIW, this method seems to have worked where the reasonable and common methods clearly failed. He bought his own nails and cross when he promised action would be taken but failed to execute.

Is shaking your head, maybe adding an email filter or reporting as spam, and moving on with your life too traumatic an experience to go through? Is your life not worth living at that point unless you pull the fire alarm, evacuate the whole building, and publicly obtain vengeance?

So the bad behavior can continue?

I run into this all the time at work. We're at the point where we've spent 5 whole minutes talking about some software-driven bad behavior. Nobody is sure if this is the first time we've been affected by it (maybe it's the fifth time already, but it is starting to feel like deja vu.)

Someone suggests it isn't really a problem and we should ignore it. This person is very effective at their job and gets lots of stuff done once we've decided to take action. But there's a problem, actually tons of them, they're piling up now and we still have daily conversations about how they aren't a problem, (on a big long rotation so nobody seems to recall if we've seen this one before on any given day.)

No. Nobody said don't deal with the problem. Nobody said it isn't really a problem either. I'm saying go ahead and deal with the problem as best as you can, privately. If you still can't solve it at the source, then mitigate it on your end, and move on. Just because ∃ a problem and you encounter it for a long time, that doesn't mean you need to alarm people across the planet over it, or to publicly crucify someone in the process.

Nobody is being crucified. Nobody said they can't solve it at the source. They seem to want to solve it, at least outwardly. You're forgetting that only this forum seems to have the capability of reach, to reach those who are empowered to fix the problem.

If it was just a problem for this one person, well that would be a real anomaly. But adding a filter rule to always block is ignoring the problem, in the context of my work-life analogy, not fixing it.

Seems a bit overdramatic. Just mark as spam or make a filter. I know it's the principle of the thing, but still, a bit over the top.

Obviously not the real solution, but at that point it's time to just mark their emails as spam as they would squarely fit the definition by then.

Same thing happened to me, but with Heroku/Salesforce. You can read about it here: https://news.ycombinator.com/item?id=21969358

Account was suspended about 10 months ago (for no reason given). I sent Heroku, Salesforce, their data protection officers emails asking them to remove my account, databases, codes, everything on it.

I kept receiving notifications that an active account would receive. And their DPO lied to me that they have closed the account.

Another US company doing that is not really a coincidence.

Look, memory synchronization is hard. Some operations might take a decade to achieve consistency.

Just push the consistency date past any human life span and the problem is solved.

I made a GDPR data deletion request to a certain large website like a year ago. There was some caveat about retaining some data that they legally have to hold on to.

About 11 months after they confirmed that my data had been deleted, they sent me an email informing me about their changed Terms of Service. So I guess my email at least wasn't pruned. Who knows how much more data they are holding on to.

> Who knows how much more data they are holding on to.

The safe assumption is that any data a company has ever had on you is still stored by them no matter what they say to the contrary, and will be until the end of time. Apart from being a hermit living in a cave in Montana from birth to death, there is no guarantee of data privacy in the modern world. Anyone who tells you otherwise is trying to get and sell your data.

I’ve had this like 3 times already. You had to mail customer support for data deletion, and after that, you got a mail with ‘are you satisfied with our help?’. Well hell no, because you still store my email address.

If they need the e-mail address for legal reasons then you can not withdraw consent, as consent was not the legal basis for storing this data in the first place. They also correctly inform you about changes in the terms of service, as this likely affects the data they store on you (e.g. they might have another legal basis for storing it).

>If they need the e-mail address for legal reasons then you can not withdraw consent, as consent was not the legal basis for storing this data in the first place.

No, I can withdraw consent as much as I want. If they have a legal basis for storing my email address, then they can keep it regardless of my consent. However, I have no way of knowing if they actually have a legal basis for storing my email address or if they are just holding onto it.

That's what I said. You can withdraw consent (which you never gave), or tell them that you like the color purple more than you like red, but it will have no effect since it's not the basis for processing it. The privacy policy should list what data they collect and for what reason.

However, if they process your e-mail for several purposes based on different legal bases (for instance they also use e-mail for marketing purposes), they should stop using it for those reasons which you requested (for instance - all applicable) where consent was the basis for processing.

Their "legal reasons" can go jump off a cliff when someone else signs up for something with my email address. I didn't agree to any of this, including their ToS in all forms. Unsubscribe means unsubscribe. Any further email will be marked as spam.

What you wrote is based on emotions and not on law, and will be disregarded. The law allows many more reasons for processing your e-mail or other personal data without your consent.

Not by a random private company. The parent comment seems to talk about cases where somebody signed up with somebody else's email address. There are plenty of stories of that kind around, and a few have made the front page here.

A company that does not validate that the email address actually belongs to the person/entity they have consent from does not have any reason to store and process that email address. The same goes for other PII.

If I sign up with your data, you've never consented, and whatever terms I accepted with a click or two have no relevance to you. Companies just usually don't bother with validation unless they need it for billing purposes, because it's a hassle and might make the customer reconsider.

Just want to emphasize how correct this is. Legally, despite what you may want, they can still store info like this for narrow reasons. This is Beardsley and normal.

I'm usually decent at mental-typo-correction and typically won't point it out, but is 'Beardsley' supposed to be 'ordinary?'

Even if true, neither you nor the person you're responding to see a distinction between:

1. retaining information because of a legal requirement and acting on their legal obligations as is necessary from time to time

2. retaining the information as above while saying that there's no such thing?

How would a change to the terms of service change the legal basis? When the contract has been terminated, changes to TOS no longer apply to you, as you don't have a contract.

The only way I see that to matter is if their TOS said they'd save more data/ save it for longer than legally required. Changing their TOS would then affect what data they'd store on ex-customers if they retro-actively applied it. However, their TOS would be irrelevant in that case, as they'd violate GDPR.

There might be a new law which requires companies to keep transaction data on customers in Germany for 10 years rather than 5 years. They can't apply it retroactively to data which they already had no right to process (for instance 7-year-old transactions at the time when the law required 5 years), but they can (and have to) apply it to a transaction you did 3 years ago (which will now be held for 7 years rather than 2).

They might also lessen the amount of data they hold on you, maybe after a review of what they actually needed.

I agree they should not send you anything if they store no data whatsoever, but if they do - they should probably inform you about changes in their privacy policies, even if they don't affect you personally.

> but they can (and have to) apply to a transaction you did 3 years ago (which will now be held for 7 years rather than 2).

Are you sure? Laws that compel you to do something usually don't go into effect retroactively. They're like price-hikes in that regard: you can't just unilaterally decide that your customer's monthly subscription fee has doubled since three years ago.

In any case, it wouldn't have anything to do with their TOS or privacy policies, and I don't think they'd have to inform you about their compliance with the current laws.

> they should probably inform you about changes in their privacy policies, even if they don't affect you personally

You're not a customer at that point, why would you be getting information that only concerns customers? Updating someone on the TOS changes implies that they either requested to be updated or are a customer.

I understand the idea behind preferring to err on the side of informing too many people rather than too few, but we should value the recipient's time and attention as well. And once we do that, I believe it's clear that the sender has to spend the extra time to figure out who should receive this email and who shouldn't.

Just mark as spam. I actually mark everything as spam. I don't even click unsubscribe.

I'd cut them a little slack time-wise to track down where they have your address. In a large organization it's common for many products to have their own sets of PII records (and mailing system) and no way to query them all, so if they don't know what product captured the address, it can take time to find it.

It's also interesting just how many regulations deal with e-mail addresses. https://www.absolute.com/blog/are-email-addresses-confidenti...

> I'd cut them a little slack time-wise to track down where they have your address.

More than a year?

There are constraints in GDPR as to how much slack they are cut. Deletions such as this one should take days at most, and complaints have to be handled within 4 weeks, another 4 weeks as an extension if exceedingly difficult. A year for a mailing list unsubscribe and the related complaint isn't just excessive, it is totally illegal.

If the company's processes are not set up to handle the prescribed faster timeframes, it must not handle personal data at all. Doubly shocking since this is Cloudflare, through which a large percentage of the internet's personal data passes...

It's definitely fairly shady. For what it's worth, they seem to have deleted my account. I say "seems" because I don't recall receiving a confirmation email; my login eventually just stopped working.

At any rate, demanding that customers send an email to have their account deleted is ridiculous. Put a damn button in there already. And before any claims are made to the contrary, invoking "security" here is nonsense; if someone hacks my login, having my account deleted is the least of my problems.

> When we receive a request for account deletion, we may retain the email address on the account up to a year to ensure that we comply with internal policies and legal obligations.

On this specific aspect, they're not wrong. For example, they might keep that info to contact past clients about breaches, tax compliance issues, etc.

Sure it would be better if this issue was explicitly spelled out and maybe more specific, but it is not wrong. (Sure, using that email to warn about a downtime is outside of that scope)

This post is a little bit harsh, but I can understand writer’s point of view and feelings. Anyway, if confirmed, it looks like cloudflare needs to fix some dem target lists. Moreover, none of these emails were marketing or personal stuff (except rcpt email address). IMHO we have GDPR in order to punish intentional bad behavior, not to prosecute incompetence.

> we have GDPR in order to punish intentional bad behavior, not to prosecute incompetence

Nope. It is to protect users.

Users are harmed by both intentional bad behaviour and incompetence. This is the same principle as strict liability for product faults.

If incompetence is an acceptable excuse, every company interested in these tactics will become remarkably "incompetent".

GDPR is intentionally set up to punish incompetence. GDPR Art. 5(1)(f): "Personal data shall be [...] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)."

Nothing in there limits responsibility, damages or punishments to intentional behaviour. Incompetence, be it organisational or individual, is not excluded. And a company can be punished for not implementing appropriate controls for individual incompetence or malice towards personal data.

> we have GDPR in order to punish intentional bad behavior, not to prosecute incompetence

That would exclude any data breaches though, wouldn't it? Because they are always incompetence rather than intentional bad behaviour on the part of the breached companies.

Data breaches will not disappear thanks to GDPR. GDPR tells you that you must, if possible, notify in case of a data breach.

Correct but incomplete: GDPR also tells you to use appropriate measures to prevent breaches. And of course if there was a breach, your measures were not appropriate so you need to change them.

Once a scam company always a scam company. File a lawsuit.

GDPR does exist, but should GDPR exist so people can cry about an odd email? No.

The 'odd email' is just irrefutable evidence of Cloudflare's retention of the poster's email address, which is considered personal data under GDPR.

If Cloudflare is unable to even remove a deleted account from a mailing list, how do you know they have actually deleted ANY other information?

The General Data Protection Regulation doesn't exist in a vacuum; other laws regulate data handling too. Most importantly, accounting-related regulations. So, if you request your account deletion, all billing-related information is still held - that is probably 7 years in all EU countries. Sending unwanted mail to those addresses is a different issue though, but having contact data as part of billing data is legal.

Yes. But for all personal data the purposes for which it may be used is limited: generally[0] only the original reason for collecting the data or the legal basis for keeping the data dictate the uses. So anything kept for use in filing taxes or other bookkeeping obligations must only be used for those purposes.

[0] it is possible to use data for other purposes than originally collected in some circumstances, but I'm not sure if there are many legal precedents for that yet.
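Several comments above draw the same distinction from different angles: consent-based processing can be withdrawn while a legal-obligation purpose persists until its retention period ends; a large organisation keeps PII in several product stores with no single query across them; and billing data that must be kept for years may only be used for that purpose. The following is an added example, not code from the original post, the thread or Cloudflare, that turns those rules into a small purpose-bound retention model. The store names, purpose names, dates and the 7-year retention period are constructed assumptions for illustration.

```python
"""Purpose-bound PII retention (illustrative model, not any real system).

Each address is held for one or more purposes, each with its own legal
basis.  An erasure request drops every purpose based on consent or on a
now-terminated contract, keeps purposes a statute obliges the company to
retain until their retention date, and every outbound use of the address
is checked against the purposes that remain.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Basis(Enum):
    CONSENT = "consent"                    # revocable by the data subject
    CONTRACT = "contract"                  # ends when the account is closed
    LEGAL_OBLIGATION = "legal_obligation"  # e.g. bookkeeping retention


@dataclass
class Purpose:
    name: str
    basis: Basis
    retain_until: Optional[date] = None  # mandatory for LEGAL_OBLIGATION


class PurposeDenied(Exception):
    """An address would be used for a purpose it is no longer held for."""


class PiiStore:
    """One product's record set.  Organisations typically have several of
    these with no cross-store query, so erasure has to fan out explicitly."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: Dict[str, Dict[str, Purpose]] = {}

    def add(self, email: str, *purposes: Purpose) -> None:
        for p in purposes:
            if p.basis is Basis.LEGAL_OBLIGATION and p.retain_until is None:
                raise ValueError(f"{p.name}: legal obligation needs a retention date")
        self.records.setdefault(email, {}).update({p.name: p for p in purposes})

    def erase(self, email: str, today: date) -> List[str]:
        """Handle an erasure request; return the purposes still retained."""
        kept = {
            n: p for n, p in self.records.get(email, {}).items()
            if p.basis is Basis.LEGAL_OBLIGATION and p.retain_until >= today
        }
        if kept:
            self.records[email] = kept
        else:
            self.records.pop(email, None)  # nothing obliges retention: delete outright
        return sorted(kept)

    def purge_expired(self, today: date) -> List[str]:
        """Periodic job: drop purposes past their retention date and any record left empty."""
        removed = []
        for email in list(self.records):
            purposes = self.records[email]
            for n, p in list(purposes.items()):
                if p.retain_until is not None and p.retain_until < today:
                    del purposes[n]
            if not purposes:
                del self.records[email]
                removed.append(email)
        return removed

    def may_use(self, email: str, purpose: str) -> bool:
        return purpose in self.records.get(email, {})


def send_mail(store: PiiStore, email: str, purpose: str) -> str:
    """Single gate for outbound mail: refuse rather than silently send for a
    purpose the record was not kept for (e.g. marketing after erasure)."""
    if not store.may_use(email, purpose):
        raise PurposeDenied(f"{store.name}: {email} not held for {purpose!r}")
    return f"[{store.name}] sent {purpose} mail to {email}"


def erase_everywhere(stores: List[PiiStore], email: str, today: date) -> Dict[str, List[str]]:
    """Fan one request out to every registered store; report what each kept."""
    return {s.name: s.erase(email, today) for s in stores}


def demo() -> dict:
    """Walk one constructed address through signup, erasure and retention expiry."""
    today = date(2020, 9, 27)
    dashboard, status = PiiStore("dashboard"), PiiStore("status-page")
    addr = "user@example.com"
    dashboard.add(addr,
                  Purpose("account", Basis.CONTRACT),
                  Purpose("marketing", Basis.CONSENT),
                  Purpose("billing_records", Basis.LEGAL_OBLIGATION,
                          retain_until=today + timedelta(days=7 * 365)))
    status.add(addr, Purpose("marketing", Basis.CONSENT))
    out = {"retained": erase_everywhere([dashboard, status], addr, today)}
    out["marketing_allowed"] = dashboard.may_use(addr, "marketing")   # False
    out["billing_mail"] = send_mail(dashboard, addr, "billing_records")  # still allowed
    out["status_record_left"] = addr in status.records                 # False
    # Years later the bookkeeping period ends and the periodic job removes the rest.
    out["purged"] = dashboard.purge_expired(today + timedelta(days=8 * 365))
    return out


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying are that retention is recorded per purpose with its basis and expiry date rather than as a single "deleted" flag on the account, and that the mailer asks the store for permission per purpose, so a stale marketing list cannot bypass an erasure the billing system honoured.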

If Cloudflare can't get an email unsubscribe process to be GDPR compliant, should you trust them to handle the many far more privacy-relevant things they offer as a company...?

Yes, even if they can't unsubscribe people. I could not care less; it bothers me more that this guy is crying about getting an email.

I have no dog in the fight (I'm not connected or loyal to Crowdflare whatsoever), but this is a non sequitur.

Companies work to priority lists based on how important things are for customers. So it's perfectly plausible that the very reason they're not flawless at removing cancelled users from all their email databases is that they're too busy focusing on, as you put it, "the many far more privacy-relevant things they offer as a company", which they regard as far more important.

I'm not saying that's definitely the case here; I have no idea of any specifics. But I've definitely seen things happen that way in other companies/teams I've observed.
