Obvious disclaimer: this post is my personal opinion and does not relate in any way to my day job.
In the Twitter thread that led to my browser fingerprinting update, I took particular issue with painting the GDPR as only relating to the cookie tracking interstitial warnings that appear on websites. This is a common misconception, particularly from non-European audiences who don’t see the other wide effects that GDPR (both EU and UK versions) has on the relationship between data collectors and people.
I have already used GDPR to update email addresses, when EURid nearly banned me from owning my domain of eleven years, with… mixed results. GDPR’s “Right to Correction” was a fairly new concept for many companies at the time, and because many developers are used to it, a number of backend systems just expected email addresses to never change. This time I’m going to be talking about a different right: the right to object — a more established right, that for many countries (including Italy) predates GDPR.
And yes, if you were not aware of this, GDPR wasn’t a complete innovation out of thin air: the regulation itself replaced dozens of different privacy regimes across the Union, bringing laxer regimes up on par with more sophisticated ones. Italian privacy was regulated under dpr 675/96, which itself implemented a 1995 European directive. This meant that fully compliant organizations in Italy had relatively minor accommodations to apply for full GDPR compliance, compared to Irish or UK organizations.
So, what’s the setup of the situation? You may remember that a couple of years back, me and my wife moved, because of horrible property managers that bordered on the fraudulent. The flat we live in does not involve a property management company but, for some reasons, our private landlord is still using an agency to collect the rent — and not as a direct debit but as a standing order, annoyingly enough.
The agency that found us the apartment and originally collected our rent was Thorgills, and it was the least terrible of all the agencies we had tried when looking for a flat, although they still used the slightly smelly marketing tricks of keeping unavailable flats on Rightmove to lure you in, and then show you something else. Nonetheless, they did their job decently, and despite a few back and forth over lease and details like that, we haven’t had significant issues with them over the year and a half we sent them our rent money.
But last year, Thorgills was acquired by the Leaders Romans Group (LRG). Their physical presence and customer relations were handed off to the Gibbs Gillespie brand of the group. We received one email and a physical letter about it, which we nearly completely ignored — the part we didn’t ignore is that they asked us to change the bank account the standing order was made out to, so we confirmed this with our landlord, rather than trusting the letter at face value.
Then a few weeks later, in December, we received an email branded Gibbs Gillespie all over, trying to upsell us a £8/month subscription to retailer discounts. This was both confusing and fishy, given that from the logos of the retailers shown, it would probably be exactly the same retailer offers that Santander, Natwest, Airtime Rewards, Curve and Revolut provide. And while the right amount to pay for those offers in my opinion is £0, with the financial institutions providing it as a perk of their accounts, and Airtime Rewards literally paying you for your spending habits data, at least Curve offers you something for their subscription fee.
Anyway, let’s get back to the upsell email itself, rather than the offer therein. First of all, we were confused because Thorgills had, up to that point, no real relationship with us: we sent money to them, they sent us a monthly invoice (Gibbs Gillespie doesn’t bother with the invoice.) Given our previous experience with property management agencies, we surely hoped there wasn’t a new saga to start. The email had an “unsubscribe” link — and probably the vast majority of people in my situation would have just either clicked that, or marked the email as spam, and moved on.
But I was a bit bored, and also annoyed at the category from the experience with Dexters, so I went and checked the ICO website, read again our tenancy agreement, and eventually established that we most definitely never provided commercial communication consent to Thorgills in the first place, and even if we had, the acquisition would not have acquired said consent. I tried raising the issue with the person who prepared our agreement the year before, but it turned out impossible: the email address bounced. And since none of the communications of the acquisition provided us with a better address, I had no option but to reach out to the Data Protection Officer (DPO) address provided on the Gibbs Gillespie website. This started a saga that took four months to resolve.
Before we start, I do want to praise LRG for having taken my requests seriously, and addressed them with great care. From their point of view, this is a GDPR success story. Every step of the process, they followed recommendation and went above and beyond addressing issues. So despite this whole story starting with their mistake, I don’t intend to paint them as the bad guys of the situation. Full disclosure, though: we did accept a monetary “good will gesture”, with no strings attached, from LRG about the situation.
Since reaching out to a DPO usually takes a lot of time to resolve, when I reached out I didn’t just object to the use of our contact details for commercial communications (which as I reminded them we never consented to in the first place), I also requested a full copy of our data according to our right to access, including a list of any third party that our data might have been passed on (with another reminder that our lease only authorized Thorgills to share with Experian for the sake of credit rating.) Since this was just a few days before the end of year holidays, I also gave them liberty to take longer than the calendar month required by law — this wasn’t needed.
A prompt response requested my wife to choose whether to join my right of access request or if her details would have to be censored, and at 30 days we received all of the data (which effectively was just a copy of the lease agreements that we signed, together with the various email communication.) No data was shared with third parties, according to the answer.
As for the commercial consent, they confirmed that indeed there was no consent provided by us, and that the upsell email was a mistake, they apologized and stated that it would not happen again. Except that it did just a few days later, so I reached out again. Once again the DPO has been incredibly professional, and while insisting that they definitely recorded we shouldn’t be contacted for commercial usage, asked to forward the full details of the email to figure out where it might be coming from.
And that’s where we encounter a bit of a rabbit hole. The email was not coming from Gibbs Gillespie directly, not even through a mass-mailer service. It came from a third party vendor called Vaboo, that appears to handle marketing and analytics for a number of real estate agencies. This meant that not only the lack of commercial consent was ignored, but data was shared with a third party, which is by all means a breach. LRG admitted to that, and committed to inform the ICO about it as per UK GDPR, which was a great start.
The DPO also informed me that they reached out to Vaboo to delete the data they were provided, to which they immediately complied. A couple of hours after that confirmation, we received a new upsell offer from Vaboo. This didn’t bode well.
Now, at that point in time I had absolutely no idea in which format LRG and Vaboo exchanged data. I have been told something after this point that turned out to match the theory I’m about to describe, which is what I shared with LRG in the first place, but again this is just a theory, and I wouldn’t be surprised if the information I was given is intentionally wrong. My theory is informed mostly from my experience working in the field, and all of it is logical conclusions from publicly available information.
To get to the theory I shared with LRG, you need to be aware of a few more clues. First of all, the email that arrived, a total of four times, was exactly the same, introducing the Gibbs Gillespie branded (but Vaboo operated) rewards platform, and trying to upsell me to the £8/month service. It was not marked a reminder, it always seemed like a first reachout. In addition to that, three of the four messages arrived around a day after LRG’s DPO confirmed our data was removed by Vaboo. The headers also indicated that Vaboo is using a third party mailer service called Active Campaign.
From this, I had an educated guess that Vaboo set up a mailing list in Active Campaign for the “leads” — addresses of possible new users who have not signed up for the service yet. This mailing list would likely be fed by a data source (likely, a spreadsheet) that they receive from their own customers. Every time we requested for our data to be deleted, Vaboo removed it from the mailing list, but not from the data source. Some regular job (either a cronjob or cloud equivalent) would then re-source the data, add us to the leads mailing list, and the welcome email would be sent.
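The re-import loop theorized above, as an added sketch that is not from the original exchange and is not Vaboo's or Active Campaign's code. The class, function names and addresses are constructed; it compares a pipeline that only deletes from the mailing list with one that checks a suppression list at import time.

```python
import hashlib

def norm(email):
    return email.strip().lower()

def fingerprint(email):
    # Assumption: the suppression list keeps a hash, so the address of someone
    # who objected does not have to be retained in clear text.
    return hashlib.sha256(norm(email).encode()).hexdigest()

class LeadPipeline:
    def __init__(self, source, honour_suppression):
        self.source = source              # customer-supplied feed (constructed)
        self.mailing_list = set()         # the "leads" list in the mailer
        self.suppressed = set()           # fingerprints of objecting addresses
        self.honour_suppression = honour_suppression
        self.sent = []                    # (kind, address) of every mail sent

    def sync(self):
        """Periodic job: import the feed, welcome every address new to the list."""
        for email in map(norm, self.source):
            if self.honour_suppression and fingerprint(email) in self.suppressed:
                continue                  # objection outlives any re-import
            if email not in self.mailing_list:
                self.mailing_list.add(email)
                self.sent.append(("welcome", email))

    def handle_objection(self, email):
        """Deletion request. The naive variant only edits the mailing list."""
        self.mailing_list.discard(norm(email))
        if self.honour_suppression:
            # The feed is controlled by the customer and may still carry the
            # address, so the block has to be enforced at import time.
            self.suppressed.add(fingerprint(email))

def welcomes_sent(honour_suppression, address, rounds=3):
    """Count welcome mails to `address` after `rounds` objection/sync cycles."""
    feed = ["tenant@example.org", "Other@Example.org"]   # constructed sample feed
    pipeline = LeadPipeline(feed, honour_suppression)
    pipeline.sync()
    for _ in range(rounds):
        pipeline.handle_objection("Tenant@example.org")
        pipeline.sync()
    return sum(1 for _, e in pipeline.sent if e == norm(address))

if __name__ == "__main__":
    print("list-only deletion:", welcomes_sent(False, "tenant@example.org"))
    print("suppression at import:", welcomes_sent(True, "tenant@example.org"))
```

With list-only deletion, every objection is followed by a fresh "first" welcome on the next sync, which is the pattern the theory predicts.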
After I had LRG confirm twice that they asked Vaboo to delete our data, and they insisted they did each time, I asked for contact information with someone at Vaboo who could address the issue (since their website only has a generic info@ address, and no DPO), and I was given the email address of their CTO, who LRG’s DPO has been in contact with.
Just like the previous December, in March I requested to apply my right to access and object, and in particular reminded them that removing our data was not a matter of right to erasure, since they had received our data unlawfully (as we didn’t provide consent.) I gave them the usual calendar month time to comply, although I kind of expected an answer sooner, since according to them they held no data on us. Despite multiple reminders about the GDPR deadline, the calendar month passed with no answer from Vaboo, which meant I forwarded all of the correspondence (one-sided, at that point) to the ICO with a formal complaint about unlawful processing of data. And I informed Vaboo about it.
After this, we received yet another email, this time not a welcome one, but rather a reminder one, which suggests that since the last welcome email we received, they didn’t delete us from the mailing list. So I contacted Vaboo yet again, as well as sent a snarky tweet tagging their social media. One of those two actions seems to have hit the spot because for the first time in over a month, I got a reply back from the CTO.
No explanation of why it took a month to even respond to this, but eventually I was told that they had just expunged our address from their do-not-contact list, and that caused the mail to be sent away. But, you may ask (and I did ask), wouldn’t that mean that the address is still present in a normal list as well, then?
Well, the CTO appeared not to realize he was talking with a software engineer (or maybe he did and didn’t want to reveal some trade secret), so he stayed vague, but asserted that the reason why our contact details kept being transferred to Vaboo was due to a feed API provided by LRG, that still included our address.
That would be a much worse situation for LRG: not only they had a breach in which they provided our data to Vaboo unlawfully (without consent) but they would also have failed to remediate said breach when identified. I immediately contacted their DPO with this new information, who was surprised at the suggestion. Yes, there was a feed, but our data was already not present in it. But, to be safe, I’m told they now stopped offering said feed to Vaboo. I will take their words for it.
For the past month or so, we have not received any more email. I don’t know if this is going to persist, but I hope so. At the same time, I think this story shows clearly that GDPR is definitely not just about cookies, but rather includes a number of other obligations and rights. The problem is that not everybody knows about them (first) and that actually applying them on a small scale is not worth the time you spend on them — LRG’s good will gesture was tiny in the grand scheme of things, for the amount of time I spent chasing their mistake, and it is likely that this exercise has been more valuable to them (for running through a breach that wouldn’t be making any news article) than it ended up being to me.
To be honest, I’m a bit annoyed by the fact that Vaboo didn’t seem to take UK GDPR as seriously as they should, given that their website claims they provide “Insights” to agencies and landlords. As I said, LRG stated they only shared our email address and postcode, and by mistake because we are not part of the group of tenants that would usually be provided to Vaboo (and that would thus need to opt-in the third-party data sharing), so we weren’t provided any data from that service as a sample at all.
I’m just a blogger, not an investigative journalist. But if I was, and I was covering the rent generation, I would actually be curious to see what type of analytics this company is providing to landlords, and whether its users can get a proper GDPR response, given how badly mine went (though thankfully, without having to get lawyers involved.)