E-mail is one of the means the internet gives us to register on websites. Until something else is invented, it is usually the most widely used one. Anyone who knows your address, or who types it by mistake, can register on a website with it. When the website does not verify the address, this can expose your privacy.
One of the big problems is that the privacy of your data can be compromised if someone uses your email address, and you end up receiving spam. In this article I talk about something that happened to me and that is still not resolved: I received, at my own email address, an invoice that belonged to someone else.
Arrival of spam
It all started with the arrival of an email sent by a U.S. hotel. The email was addressed to a certain Patricia Alvarez. Either the customer made a mistake when giving an email address or gave a random one.
E-mail without verification with an attached invoice belonging to someone else
The email has an invoice in PDF format attached, containing data of the original customer as well as data of the establishment itself.
Email Confidentiality Note
The email carries a confidentiality notice. It states that the email includes attachments that may contain personal information. In this case it does, since the attachment is a PDF invoice belonging to someone else. The notice asks the recipient to reply to the sender and to delete the original email.
Please consider the environment before printing
CONFIDENTIALITY NOTICE: This email transmission, including any attached files, may contain confidential information and is intended only for use by the individual(s) to whom it is addressed. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy the original transmission and attachments without reading or saving in any manner. Thank you.
Replying to the email to report the error
When I tried to contact the sender, I got a returned-mail message.
The remote server responded with code 550, 5.1.0 (address rejected). It doesn’t make much sense for the privacy notice to ask you to reply to the sender if you receive the email in error when the sender itself does not accept replies.
Since I have not asked the hotel for permission to reproduce this information, I have hidden everything that could be used to identify them. That is how things ended in 2019: I could not contact them to report the error, and the email remained in my mailbox.
Requesting to delete the data they have about me
Our personal data is very important, and our email address is part of it. Only you have access to it and you have all the power over it. Using Mine (see Mine, claim and protect your digital data), I saw this hotel on the list; I didn’t remember that in 2019 they had contacted me with another client’s bill. I contacted them to ask them to delete all my data from their database, because it is my data.
I sent them this email:
Hello Diamon****** (),
My name is Avelino Domínguez, and I hereby request to erase all personal data that you hold about me.
Please send me an email confirmation of the complete and permanent erasure of the personal data once you have completed the erasure process.
My personal details are:
- Name: Avelino Domínguez
As evidence of my interaction with your company, I received an email on 2019 March 12 that indicates that you are holding personal data about me.
And I got this response:
Hello Avelino Dominguez,
Thank you for contacting us to submit requests under the California Consumer Privacy Act (“CCPA”). We ask that you first provide your country and state of residence so that we can confirm the CCPA applies to you.
Then, in order to comply with your request, we are first required to verify your identity, meaning that we need to make sure that you are the person about whom we may have collected personal information. The verification process requires you to provide three pieces of information that are unique to you and that include the following:
- Any address or contact information you have previously provided to us or believe we have
- Information sufficient to identify any two other interactions you have had with us by date, such as:
  - When you received marketing materials from Diamond ******
  - When you stayed at a Diamond ****** location
  - When you purchased timeshare points, or paid related fees to Diamond ******
  - When you attended a timeshare sales presentation with Diamond *******
Under current law and guidance, you must provide the requested information to verify your identity within 45 days of your initial submission of your request, or we will not respond further to your request.
As permitted by applicable law, we are placing you on notice that we will require 90 days from the date of your initial request to respond to your request.
Diamond ******* Privacy Team
Since this is a very large company, it can be difficult to find out which hotel sent that email. They ask me for more specific information to prove that I am who I say I am. I reply that the email address is enough to prove that it is me, and I ask them again to delete the data. In addition, the email address is unverified. They respond this way:
Thank you for your email.
As previously stated, we are unable to confirm your identity as the email address you have provided is associated with a different user. To take the action you are requesting would be a breach of our data protection obligations.
If you are able to confirm your identity in accordance with the original email sent to you, we may be able to investigate this matter further for you. Until we can confirm your identity, we are unable to take any further action in this matter.
Email associated with another user
In the reply I am told that the email address I am using, my personal one, is associated with another user. How is this possible? The only answer is that they have not verified the email address. The address is unverified; therefore, they never made sure that it really belongs to the customer.
It is at this point that I realize that what they are asking me for is an email they sent me, so I search my mailbox and find the original email, the one that contained the invoice. I then forward that email to the data representative, and to this day (it’s been 2 days) I haven’t gotten a response.
Therefore, we can summarize what has happened as follows:
- A hotel sends an invoice in PDF format, with someone else’s personal information, to an unverified email address.
- When I try to reply to the hotel’s email, I get an address-rejected message and cannot contact them to tell them that this is a mistake.
- I realize that they hold data about me and request that they delete it.
- After I contact the hotel chain’s data representative, they tell me that they cannot confirm my identity because the person who used their services does not match my email.
- I send all the documentation I have, such as the invoice issued to someone else that reached me.
We still have much to improve with regard to the privacy and protection of our data. This is a clear example that you cannot treat your customers’ data as unimportant. You have to use that data properly and with your customers’ authorization, and not send personal data to another person who has nothing to do with it. You always have to verify the email.
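One way a sender can enforce the verification this article calls for, as an added example that is not the hotel's or the author's code: a signed, expiring confirmation token, with the invoice PDF attached only once the address has been confirmed. The key, record fields and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # constructed value; keep the real key in a secret store
TOKEN_TTL = 24 * 3600             # assumed validity of a confirmation link, in seconds


def _sign(customer_id, email, expires):
    # Bind the token to one customer record, one address and one expiry time.
    msg = f"{customer_id}\n{email.lower()}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(customer, now=None):
    """Token for the confirmation link; the mail that carries it holds no personal data."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(customer['id'], customer['email'], expires)}"


def confirm(customer, token, now=None):
    """Mark the address verified only if the token is intact, unexpired and for this record."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    expected = _sign(customer["id"], customer["email"], expires)
    if expires < now or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    customer["email_verified"] = True
    return True


def invoice_delivery(customer):
    """Attach the PDF only for a verified address; otherwise send just the link."""
    if customer.get("email_verified"):
        return "attach_invoice_pdf"
    return "confirmation_link_only"


if __name__ == "__main__":
    # Constructed record: an address given at check-in and never confirmed.
    guest = {"id": "cust-001", "email": "guest@example.com", "email_verified": False}
    print(invoice_delivery(guest))
    print(confirm(guest, issue_token(guest)), invoice_delivery(guest))
```

With this gate in place, a mistyped or made-up address receives only a link that its real owner can ignore, and the invoice stays out of a stranger's mailbox.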