getDare Truth or Dare - View Single Post

EnglandBoy · 05-12-2023, 05:23 AM

GDPR doesn't specify it's any personally identifying data - any data at all must be deleted if a user withdraws their consent, with the only exceptions being for things like law enforcement. Art. 4:

"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

A name or online identifier should quite comfortably cover getDare usernames. Otherwise, getDare specifies in its own privacy statement that it collects other identifiable data. This means any data getDare has on you - including posts and PMs - is "personal data" under GDPR. GDPR applies to any organisation that targets its services at EU/UK users, which getDare does.

GDPR is specific about consent. Art. 7:

"The data subject shall have the right to withdraw his or her consent at any time."

Informed and continuous consent is ESPECIALLY important in a context such as getDare where sensitive and sexual information is held and stored. What the current privacy policy is effectively doing is stating, unlawfully, that they don't care about informed and continuous consent with regards to data processing, despite the sensitive nature. GDPR is also clear on the right to erasure - and erasure means erasure, not simply being banned. Art. 14:

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;"

Art. 6(1):

"Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;"

It is, in my view, crystal clear that getDare is seriously breaching the laws and data rights of its users in the EU and UK by refusing account deletion. This runs the risks of fines and being forced to pay compensation to users - including for, as the GDPR puts it, "material or non-material damae as a result of an infringement of this Regulation".

This is definitely something that getDare should get onto before it escalates as it is very apparent that it is currently in breach of the law in quite a sensitive subject area, and it is very open about being in breach of the law. Similar legislation also exists in California (CCPA), so even if getDare is outside of GDPR jurisdiction it is likely within CCPA jurisdiction.

05-12-2023, 05:23 AM	#9
EnglandBoy Junior Member Join Date: Jun 2020 Posts: 7	GDPR doesn't specify it's any personally identifying data - any data at all must be deleted if a user withdraws their consent, with the only exceptions being for things like law enforcement. Art. 4: "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" A name or online identifier should quite comfortably cover getDare usernames. Otherwise, getDare specifies in its own privacy statement that it collects other identifiable data. This means any data getDare has on you - including posts and PMs - is "personal data" under GDPR. GDPR applies to any organisation that targets its services at EU/UK users, which getDare does. GDPR is specific about consent. Art. 7: "The data subject shall have the right to withdraw his or her consent at any time." Informed and continuous consent is ESPECIALLY important in a context such as getDare where sensitive and sexual information is held and stored. What the current privacy policy is effectively doing is stating, unlawfully, that they don't care about informed and continuous consent with regards to data processing, despite the sensitive nature. GDPR is also clear on the right to erasure - and erasure means erasure, not simply being banned. Art. 14: "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;" Art. 6(1): "Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;" It is, in my view, crystal clear that getDare is seriously breaching the laws and data rights of its users in the EU and UK by refusing account deletion. This runs the risks of fines and being forced to pay compensation to users - including for, as the GDPR puts it, "material or non-material damae as a result of an infringement of this Regulation". This is definitely something that getDare should get onto before it escalates as it is very apparent that it is currently in breach of the law in quite a sensitive subject area, and it is very open about being in breach of the law. Similar legislation also exists in California (CCPA), so even if getDare is outside of GDPR jurisdiction it is likely within CCPA jurisdiction.