I used Duolingo years ago to start my Spanish learning journey and loved it. I've always been a big fan. I haven't used it in months, however.
Recently I've started receiving emails from the platform that purport to be messages from friends. This is verbatim from the email, except I've replaced the name of my friend.
-------
Subject line: John Doe sent you a message!
John Doe invited you to come back to learn Spanish
John: "Hey adriandz, come back and learn Spanish with me!"
[Start Review]
-------
I messaged "John" and asked him if he'd sent me this message, and he said, absolutely not.
The link for the button goes to https://www.duolingo.com/?email_type=resurrection_nudge&target=start_review&utm_source=email&utm_medium=email&utm_campaign=resurrection
So this is their "resurrection" campaign, and this email is a "resurrection nudge". What kind of total bullshit is this? Leveraging the social graph to deliver outright lies to your users? Does it get much worse than this for well-known and supposedly reputable companies?
This is transmitting personally identifiable info (name) on person B to person A. The purpose of the email is legitimate. Duolingo have a good business motive to get you back into their app after you've signed up and have an active account. In fact they'll want to re-engage you within a certain timeframe before they lose that legitimacy.
But the use of person B's name. They have no legitimate business reason to do so in regard to person B's data protection rights. Person B will not have given explicit permission for this (as you verified in this case).
This is not privacy by design or default, it's the opposite.
Person A is now an unwilling data processor for Person B's data on behalf of Duolingo as the Data controller. That's also a huge fuck up by Duolingo, as they'd need to list Person A in their privacy policy as a named third-party processor (which you obviously can't do as that's another explicit permission instance they'd need from Person A).
If Person B were to now make a deletion request to Duolingo, what do they do? Ask you to delete the email?
Repeating the caveat that mileage may vary for countries outside of Europe, but frankly this is the way data protection is going. Incredibly stupid for a big company to pull this tactic anywhere in the world in 2023.