One of the unintended consequences of marketers’ efforts to comply with the EU’s new consumer data privacy rules has been a push by some to gather even more potentially sensitive data from consumers than they had in the first place. I’ve been hearing this anecdotally for weeks now, but it was during a conversation I had late last week with James Aschberger, founder and CEO of One.Thing.Less -- one of many entrepreneurs rushing to help consumers and brands mediate the exchange of personal data and privacy compliance -- that I realized what a paradox the General Data Protection Regulation (GDPR) has become.
Aschberger’s approach is a mobile application enabling consumers to simply and quickly understand what kind of data marketers gather about them, how they use it, and whether and how they provision it to others. One.Thing.Less works like a registry, providing consumers with simple, standardized descriptions of each company’s consumer data policies, effectively enabling users to whitelist or blacklist which ones they want to do business with.
The unintended consequence was that some of the companies One.Thing.Less has been working with have been asking for one or two things more when trying to authenticate the consumers whose privacy their compliance was seeking to protect. In other words, they are using it to gather even more sensitive data about people.
In the first few weeks One.Thing.Less has been active in the market, Aschberger has seen some particularly egregious attempts by some marketers to exploit GDPR compliance.
“We’ve now been in the market for three weeks, and we are seeing examples of companies asking for copies of passports, and even powers of attorney,” Aschberger says, citing examples from two airline brands.
In the first example, the airline requested users provide their full name and a copy of their national ID card, as well as a signed power of attorney.
In the second example, another airline requested:
Copy of passport
“They wanted users to provide a copy of their passport with everything blackened out except for their name,” Aschberger recalls, noting the irony is that they were asking users to send it to the company in an insecure way, creating an even greater potential for liability.
Aschberger said the irony is that these airlines do not require anywhere near those levels of data to do business with them in the first place, including buying an airline ticket and booking a seat on a flight. At most, he says, all they need is an email address to verify the user’s identity.