I’ve been trying to delete as many online accounts as possible to reduce the threat of my personal information / duplicate passwords / my cell number getting out there. I know, it’s probably not worth the effort but it does at least clean up my password manager and MFA app.
I’ve tried had trouble getting my personal information scrubbed and my account deleted at Robinhood and LendingTree. Both have policies that claim they’re unable to delete user accounts due to federal regulations.
Here’s the bit from Lending Tree: https://www.lendingclub.com/legal/privacy-policy
Data Retention: Due to the regulated nature of our industry, we are under legal requirements to retain data and are generally not able to delete consumer transactional data, credit or deposit account application data, or other financial information upon request. Certain regulations issued by state and/or federal government agencies may require us to maintain and report demographic information on the collective activities of our membership. We may also be required to maintain information about you for at least seven years to comply with applicable federal and state laws regarding recordkeeping, reporting, and audits. Criteria used to determine the period of time information about you is retained are primarily related to legal requirements and usefulness of the information for the purposes it was collected.
In both of these cases, I haven’t used the account in many years (RH: 2020, LT: 2018). It serves no purpose to maintain this account other than to exist as data for some malicious actor to acquire and act upon.
With data leaks happening practically every day, I’m really not comfortable with financial agencies with varying degrees of security keeping my information forever. I would think it would be in their own best interest to comply with a deletion request to prevent anyone from scamming them.
Also, I can’t tell you how many websites I’ve lost access to because my phone number was tied to log in. I previously had a company-issued cell phone and not longer have access to that. Any website that requires a phone number for MFA is just horrible. I’m trying to sign into another financial site now and apparently I’m not able to do so without a phone number I had eight years ago.
Wondering if anyone is familiar with this federal regulation that requires they hold on to this information and if there’s some sort of way around this either with a lawyer or federal form or something.
A common legal requirement for record keeping is 7 years in the US, as they noted in the quote, although some types of records may need to be kept longer. We are not 7 years out from 2018, so still within that standard window.
I have no idea if there is a way around it, and a lawyer would be the right person to provide advice.
As for changing 2fa when you no longer have the phone, the best you can do without a lawyer is contact their support and escalate to a supervisor if they don’t have a way to update that ready to go. First level support will generally not be able to handle that kind of thing, so be ready to escalate. No need tonstart off with any legal threats, just plainly state what the situation is and hownimportant it is to you and there is a high chance of getting the 2fa updated even if you can’t get the account closed.
I’d like to know seven years after when.
Thanks.
That would be something the company would need to answer.
I know a regular bank would need records for at least 7 years after closing an account so they have a record the account was closed, even if you had no other activity. An online account might need to be deactivated or closed or whatever term they use for ‘can’t do anything with the account’ for 7 years if they treat that like closing an account.
Contacting their support would be the only way to get a clear answer on their policy and how it applies to your account, and then talk to a lawyer if you don’t agree with their policy.
I’m imagining them logging your call then saying 7 years from the last record. If they follow up internally a couple weeks later, when you call back 7 years later they can repeat the process.
I’m feeling cynical today.
And every time you contact them, the clock resets, probably. They will never give up your data. That’s their bottom line.
Thank you.
Your comment reminded me of the time I tried to connect my new phone number to my accounts, but had trouble with Amazon and AirBnB because the last guy with the number forgot to update his accounts.
Amazon told me it’d have to delete the old account before allowing me to connect my new number.
That’s not even the worst one though.
AirBnB gave me no other option than to log in to the other guy’s account through nothing but the SMS recovery code (which came to my phone since I have his old number now), starting the account recovery process from within his account, and then removing the phone number from his account.
After logging out (and closing the private browsing window and turning off the VPN), I was then able to link the phone number to my account. (And yes, I tried everything else – from within my account, it told me “Sorry, this number is linked to another account”)
Never had a problem with AirBnB or the new phone number since then though!
This is why you never, ever enter a phone number into any account. Many orgs treat it as a backdoor.
Its also good to tell them you live in the EU now, and repeat the word GDPR a few times.
I hate this excuse because it’s so incredibly easy to keep records without keeping the account itself active. I work in healthcare and we have to do shit like this all the time with archiving patients records into an offline storage and then destroying their “hot” accounts to comply with two different incompatible laws.