One of the unintended consequences of marketer efforts to comply with the EU’s new consumer data privacy rules has been a push by some to gather even more potentially sensitive data from consumers than they had in the first place. I’ve been hearing this anecdotally for weeks now, but it was during a conversation I had late last week with James Aschberger, founder and CEO of One.Thing.Less -- one of many entrepreneurs rushing to help consumers and brands mediate the exchange of personal data and privacy compliance -- that I realized what a paradox the General Data Protection Regulation (GDPR) has become.
Aschberger’s approach is a mobile application enabling consumers to simply and quickly understand what kind of data marketers gather about them, how they use it, and whether and how they provision it to others. One.Thing.Less works like a registry, providing consumers with simple, standardized descriptions of each company’s consumer data policies, effectively enabling users to whitelist or blacklist which ones they want to do business with.
The unintended consequence was that some of the companies One.Thing.Less has been working with have been asking for one or two things more when trying to authenticate the consumers whose privacy their compliance was seeking to protect. In other words, they are using it to gather even more sensitive data about people.
In the first few weeks One.Thing.Less has been active in the market, Aschberger has seen some particularly egregious attempts by some marketers to exploit GDPR compliance.
“We’ve now been in the market for three weeks, and we are seeing examples of companies asking for copies of passports, and even powers of attorney,” Aschberger says, citing examples from two airline brands.
In the first example, the airline requested users provide their full name and a copy of their national ID card, as well as a signed power of attorney.
In the second example, another airline requested:
- First name 
- Last name 
- Street address 
- Zip code 
- Country 
- Email address 
- Copy of passport 
“They wanted users to provide a copy of their passport with everything blackened out except for their name,” Aschberger recalls, noting the irony is that they were asking users to send it to the company in an insecure way, creating an even greater potential for liability.
Aschberger said the irony is that these airlines do not require anywhere near those levels of data to do business with them in the first place, including buying an airline ticket and booking a seat on a flight. At most, he says, all they need is an email address to verify the user’s identity.