Premium 'Recently Registered' email

[SantasBritchesSpelleas]

I had an email advertising Premium saying 'We noticed you recently registered with Mumsnet'. I registered several years ago! Is this an error or is it like moving into a small village where you're still considered an incomer 20 years later?

@DumplingsAndStew

Two screen grabs of comments from *@JustineMumsnet*

One saying that a users details are deleted when they deregister. The other saying that they hold on to the email address of banned posters.
The comment that pre-GDPR they held on to the email addresses of deregistered users, suggests that since GDPR came into effect, this is something that no longer happens.

So what's going on? The actions don't match the claims, and your published Privacy Policy certainly does not seem aligned with how you are operating.

How does what you’re saying square with what Justine said in the screenshots attached to the above post?

How is it being transparent (which is a GDPR obligstion) when you say data is deleted but it’s not?

@TinselAngel

When a user changes email address, it's deleted from their user account. We do need to keep track of changes made to user accounts to prevent abuse, and the details of any email changes are stored in our database in case someone tries to move someone else's account to a different email address and we then need to investigate.

I'm sorry I don't understand this answer it seems contradictory.

If I have changed my email address can you still link the old one to me, or not?

I think what they are saying is that there are two databases and it’s deleted from one and not the other?

I said on another thread that MN Tech seems to be someone's teenage son working out of his bedroom

I think what they are saying is that there are two databases and it’s deleted from one and not the other?

That isn't consistent with accidentally including all email addresses kept for any reason in the mail shot.

Upthread Esther said: This email was meant to go out to people who had registered in the last few days but due to a human error it went out to a much larger segment of email addresses on our database

Storing any necessary audit records seperately, with the relevant justification information, would prevent "whoopsies" going to banned users, ex users and random mail addresses.

@LilyMumsnet

@soniamumsnet

@MichaelMumsnet

@EstherMumsnet

@justinemumsnet

Is there a good reason why you are cherry picking which users you think are worth responding to? I have also been raising this via the report system for days. The ignorance is astounding.

@JustineMumsnet Your users, once again, have concerns over the personal information you hold on them. This is ridiculous.

When a user changes email address, it's deleted from their user account. We do need to keep track of changes made to user accounts to prevent abuse, and the details of any email changes are stored in our database in case someone tries to move someone else's account to a different email address and we then need to investigate.

Why and how would 'someone else' move 'someone else's email' to a different account? Do you mean a MN employee?
If the justification is to be able to 'investigate' then clearly the link to account must remain in place.
Mumsnet are obviously keeping previous emails within a database that was accessible to whoever sent the Christmas Eve mailshot out.

This makes no sense.
As Mumsnet are well aware, many women changed the email address associated with their account when there were previous data breaches. The motivation for doing this was justified concern for privacy.

@soniamumsnet and the rest of you, as I have already stated, I have raised an official complaint with ICO, through the proper channels. Your data protection is appalling and after so many data issues, breeches, dramas and what not I think it's best it's looked into properly. I will not be providing any more data to you, all screen shots, emails, past usernames and evidence from my side has been provided. I've had extensive GDPR training and am following that and the advice of our work data controller.

The fact you had to do a check this morning, after this was raised days ago, shows all we need to know. If you had strict GDPR processes in place you wouldn't need to do this as it would never happen.

Quite simply, as you seem to need it that way, you cannot store data that has been changed/deregistered by a user. It is illegal. It is not on users to remind you of this. It is your job to delete it.

Has anybody heard from MMHQ yet?

I just really don't think that MNHQ just flat out ignoring these queries is sensible or even acceptable. It's not a question about whether or not we can have a new emoji on the app, or whatever. It's about whether or not data protection laws have been broken.

@MNHQ

[quote DumplingsAndStew]@MNHQ[/quote]
I'm now assuming they're just hoping it'll go away, which is a pretty shoddy approach to take.

The ICO is involved now; it won't go away.

Still nothing. @JustineMumsnet do you seriously not see this is a despicable way to treat your users?

Very unimpressed to find an email sent to a work email address sent on the 24th that should have been removed from your database a long time ago as I changed it and have deleted my account. The response from Mumsnet on this thread is woeful.

@MichaelMumsnet

Hello, and thanks for bearing with us while we’ve taken a thorough look at this.

We mistakenly sent an email that was part of our welcome journey for new members, to our full database of emails - apologies again for that.

Having investigated we are confident that we are not holding emails for users who have deregistered or unsubscribed - but if users change their email addresses the old one isn’t automatically removed from our master email list, which is why on Xmas eve, you might have received a mail for an account that you no longer use for Mumsnet.
We’ll make sure that in future old emails are automatically removed from the list when users update their details.

Please let us know if you have any further concerns and we’ll be happy to check your permission details to make sure everything is as you want it (for example, it’s quite common for people to unsubscribe from an email, thinking they’ve unsubscribed from all emails, when in fact they’ve only unsubscribed from the one they are currently reading).

Apologies once again for any upset.
MNHQ

I sent an email about this to contactus@ mumsnet.com on 27/12/2020

I have had no reponse which is a 'further concern' @MichaelMumsnet. Acknowledgement of email would be reasonable to expect given your assurances made the following day (as above).

Am still waiting on a response too.

@DumplingsAndStew

Am still waiting on a response too.

It's so shoddy and unprofessional.

I have reported the thread again.

At this stage, I think its @JustineMumsnet who needs to come and engage with users. This is unacceptable.

Hello everyone - and thanks for your questions. I've taken some time this week to go through everything on this thread and dig into all the nooks and crannies - so apologies for the delayed response.

Back in April, I explained on this thread that while we’ve certainly had our fair share of security incidents, the suggestion that we’re cavalier with users’ data is, I believe, untrue and unfair - we’ve always been transparent and upfront about any data breaches, however small and inconsequential (unlike many orgs who routinely swept things under the carpet). Please take a look at my post on that thread as I hope it will provide some reassurance.

However, it’s also fair to say that we have not been following what we understand to be best practise wrt to the removal of old email addresses from our email system when users change (as oppose to delete) their email - we should have been removing the old emails from our mailing list, not just changing them on our site database and that indeed was an oversight on our part. We have now fixed this and I apologise for any concern caused.

It remains the case that we are always more than happy to manually remove any email from our list, so please do contact us if you have any concerns at all. And please be assured that de-registration is and has been working as it should - if you deregister your account it removes all details you provided at registration, including your email address, from our data-base and all our mailing lists.

Thanks again for raising this - it is always helpful and we're always happy to answer questions about how and why we store your data.

So you haven't broken any GDPR laws, then?

(I'll just ignore the appeals to emotion in your statements, as they are inconsequential and have no bearing on the facts of the matter)

@JustineMumsnet

Thank you for your response, though I still think it unacceptable that you have been ignoring users concerns for the past two weeks.

Are you admitting that until this was discussed here, you have been holding on to user's personal data in a way you shouldn't have? What have the ICO said when you self-reported this breach of GDPR laws? And when are you going to make your userbase aware of this breach?

Thank you.

@MeMarmiteYouJam

So you haven't broken any GDPR laws, then?

(I'll just ignore the appeals to emotion in your statements, as they are inconsequential and have no bearing on the facts of the matter)

No I don't believe we have broken GDPR rules as such (this is a bit of a niche case and it isn't explicitly covered) but as said, I also believe that we weren't following best practice. There was no deliberate attempt to hold onto and use old email addresses - we delete those old emails from our user database and up to now marked them "do not send to" on our master email list, rather than removing them. And on Christmas Eve, as you know, we mistakenly sent a mail to that master list instead of to the new joiners list. I believe that best practice would be to remove old emails from the master email list instead of marking them as "do not send to this mail". Had we done that then the human error made on Christmas eve wouldn't have resulted to us contacting old emails iyswim. So, in short, I don't believe we've broken any GDPR rules but we can do better and hence have changed the way manage these lists now as we always aim to follow best practice in how we look after personal data. Thank you to everyone on this thread who brought this to our attention.

Please let us know if you have any further concerns and we’ll be happy to check your permission details to make sure everything is as you want it

@JustineMumsnet
Thank you for responding to some of the issues which have been raised.
I sent an email to contactus@ mumsnet on 27/12/2020 (the day before Michael Mumsnet posted the encouraging words above). It has not been acknowledged.

@JustineMumsnet Can you confirm why you chose to hang on to these email addresses in a hidden database, rather than delete them as you should?