Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: Duolingo's “resurrection nudge” goes beyond dark patterns
16 points by adriand 10 months ago | hide | past | favorite | 2 comments
I used Duolingo years ago to start my Spanish learning journey and loved it. I've always been a big fan. I haven't used it in months, however.

Recently I've started receiving emails from the platform that purport to be messages from friends. This is verbatim from the email, except I've replaced the name of my friend.

-------

Subject line: John Doe sent you a message!

John Doe invited you to come back to learn Spanish

John: "Hey adriandz, come back and learn Spanish with me!"

[Start Review]

-------

I messaged "John" and asked him if he'd sent me this message, and he said, absolutely not.

The link for the button goes to https://www.duolingo.com/?email_type=resurrection_nudge&target=start_review&utm_source=email&utm_medium=email&utm_campaign=resurrection

So this is their "resurrection" campaign, and this email is a "resurrection nudge". What kind of total bullshit is this? Leveraging the social graph to deliver outright lies to your users? Does it get much worse than this for well-known and supposedly reputable companies?




I'm really not convinced they have any good reason to do this under data protection laws, certainly not EU or UK (for US YMMV).

This is transmitting personally identifiable info (name) on person B to person A. The purpose of the email is legitimate. Duolingo have a good business motive to get you back into their app after you've signed up and have an active account. In fact they'll want to re-engage you within a certain timeframe before they lose that legitimacy.

But the use of person B's name. They have no legitimate business reason to do so in regard to person B's data protection rights. Person B will not have given explicit permission for this (as you verified in this case).

This is not privacy by design or default, it's the opposite.

Person A is now an unwilling data processor for Person B's data on behalf of Duolingo as the Data controller. That's also a huge fuck up by Duolingo, as they'd need to list Person A in their privacy policy as a named third-party processor (which you obviously can't do as that's another explicit permission instance they'd need from Person A).

If Person B were to now make a deletion request to Duolingo, what do they do? Ask you to delete the email?

Repeating the caveat that mileage may vary for countries outside of Europe but frankly this is the way data protections is going. Incredibly stupid for a big company to pull this tactic anywhere in the world in 2023.


Duolingo overcame historic monetisation proportion challenges in Q4 2022, but almost immediately after that safe harbour, AI came along.

Now Duolingo are close to OpenAI and have collaborated with them, but with the likes of YC funding AI language learning competitors, I am not surprised they have deployed this and other experiments.

That said, Duolingo have a tendency to run A/B tests and regional AB tests. What country are you in OP? This may sound strange but they may have done this test in a country where it is definitely legal in order to measure what in theory would happen doing this organically as a feature in other areas etc.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: