pluralistic ,
@pluralistic@mamot.fr

Has anyone managed to use the CCPA (or GDPR?) to force Mailchimp to cough up a list of all the mailing lists you've been nonconsensually added to?

ompaul ,
@ompaul@mathstodon.xyz

@pluralistic
I'll break it down.
I've got my list back.
I've some companies that are local so I got signed up once I did a thing with them.

I've requested a few deletes so far, nothing too surprising, but I have a full list of companies that I'm there with.

A couple of companies offered to delete me once they were aware of the request by Mailchimp.

I understand the "we just process" and they'll delete the stuff I told them to remove, but they don't have access to whatever happened downstream. That might be very interesting, that's a lot of privacy policies and cookie policies to be read.

At this point in time it's a curio, depending on the energy it requires I'll go chasing.

The zip file was 246kbs and contains a little table which contains some data.

pluralistic OP ,
@pluralistic@mamot.fr

@ompaul Mine contains >1000 folders with several confusing spreadsheets, each. These have email addresses for list owners, but not the name of the lists that I'm on, so there's no way to

a) Figure out which lists I want to unsub from and

b) Unsub from those lists

ompaul ,
@ompaul@mathstodon.xyz

@pluralistic mailing from .fr gets you plausible GDPR SAR.

lightninhopkins ,
@lightninhopkins@mastodon.social

@pluralistic I kinda doubt it because I think I would have heard of such a thing.

MayInToronto ,
@MayInToronto@mstdn.ca

@pluralistic No, but you might find this interesting.

I inherited a MailChimp mailing list. Did you know that if you unsubscribed from one such list, you stay on that overall list, but your status is unsubscribed?

As the admin, I cannot remove the unsubscribed people unless I do it manually, and it's REALLY hard to pull a list with that flag.

pluralistic OP ,
@pluralistic@mamot.fr

@MayInToronto Holy shit, how can that POSSIBLY be CCPA compliant?

cstross ,
@cstross@wandering.shop

@pluralistic @MayInToronto Not only is it not CCPA compliant it's almost certainly a huge breach of GDPR by Mailchimp—keeping personally identifying information (email addresses) after permission has been withdrawn.

dangillmor ,
@dangillmor@mastodon.social

@cstross Well, now that it's owned by Intuit you can be sure all the bad stuff will be cleaned up. <cough> @pluralistic @MayInToronto

MayInToronto ,
@MayInToronto@mstdn.ca

@pluralistic To clarify, some of these unsubscribes happened YEARS ago. These numbers are after I last cleaned it up.

finite_state_machine ,
@finite_state_machine@infosec.exchange

@pluralistic @MayInToronto add Canada's PIPEDA to the list of legislation this likely doesn't comply with.

deFractal ,

@finite_state_machine @pluralistic @MayInToronto There's some provincial legislation to consider too. For example, BC PIPA §35(2) requires:

An organization must destroy its documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that

(a) the purpose for which that personal information was collected is no longer being served by retention of the personal information, and

(b) retention is no longer necessary for legal or business purposes.

deFractal ,

@finite_state_machine @pluralistic @MayInToronto It's reasonable to assume that, as soon as someone has opted out of a MailChimp list, (a) and (b) pertain. (The "or business purposes" part of the latter creates some grey area to debate in court; otherwise, this would be pretty cut and dried.)

finite_state_machine ,
@finite_state_machine@infosec.exchange

@deFractal @pluralistic @MayInToronto It seems to me that if avoiding unintended resubscription was the business purpose, it still wouldn't be compliant because it's not minimized: a truncated, salted hash (32 to 64 bits) would certainly suffice.
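
The minimisation idea in the post above, as an added example that is not part of the thread: a suppression list that stores only a truncated salted hash of each opted-out address, which is enough to block accidental resubscription. Using HMAC-SHA-256 as the salted hash, the lower-casing normalisation, and the names `tag` and `SuppressionList` are assumptions made here; the sample addresses are constructed.

```python
import hashlib
import hmac
import secrets

TAG_BITS = 64  # the post suggests 32 to 64 bits; must be a multiple of 8 here


def normalize(email: str) -> bytes:
    """Canonicalise so 'Bob@Example.COM ' and 'bob@example.com' match."""
    return email.strip().lower().encode("utf-8")


def tag(email: str, salt: bytes, bits: int = TAG_BITS) -> bytes:
    """Salted hash (HMAC-SHA-256 keyed with the salt), truncated to `bits`."""
    digest = hmac.new(salt, normalize(email), hashlib.sha256).digest()
    return digest[: bits // 8]


class SuppressionList:
    """Remembers opt-outs without retaining the addresses themselves."""

    def __init__(self, salt: bytes, bits: int = TAG_BITS):
        self._salt = salt
        self._bits = bits
        self._tags: set[bytes] = set()

    def unsubscribe(self, email: str) -> None:
        # Only the truncated tag is kept; the address is discarded.
        self._tags.add(tag(email, self._salt, self._bits))

    def is_suppressed(self, email: str) -> bool:
        # Checked at import/resubscribe time, when the address is in hand anyway.
        return tag(email, self._salt, self._bits) in self._tags

    def stored(self) -> set[bytes]:
        """Everything the list retains about its unsubscribers."""
        return set(self._tags)

    def false_block_probability(self) -> float:
        """Chance that one unrelated address collides with a stored tag."""
        return len(self._tags) / 2 ** self._bits


if __name__ == "__main__":
    sl = SuppressionList(secrets.token_bytes(32))  # per-list secret salt
    sl.unsubscribe("Alice@Example.org")            # constructed sample address
    print(sl.is_suppressed(" alice@example.org"), sl.is_suppressed("bob@example.org"))
    print(sl.stored(), sl.false_block_probability())
```

Keep the salt secret and stored apart from the tags: email addresses are guessable, so anyone holding both can test candidate addresses against the list.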
