Zach Quinn

Summary

The provided web content outlines how individuals can exercise their data privacy rights by submitting a Data Subject Access Request (DSAR) to companies, detailing the process and providing a template for requesting data audit, suppression, or deletion.

Abstract

The article discusses the importance of data privacy, particularly in the context of personal data misuse by companies. It provides a narrative of an individual's experience with an invasive marketing practice, which prompts them to submit a DSAR to a real estate firm. The piece offers insights into the legal framework surrounding data privacy in the U.S., highlighting the varying degrees of protection across different states. It emphasizes the need for clear communication when making a DSAR, and it provides a template for readers to use when requesting information about their data usage or demanding its deletion. The author, who works in data engineering, stresses the significance of respecting data privacy and suggests that such experiences should inform ethical data handling practices within the industry.

Opinions

  • The author, a data engineer, expresses a heightened sensitivity to personal data protection, suggesting that those who work with data should be particularly vigilant about its use.
  • There is a clear frustration with the lack of a federal data privacy protection law in the U.S., which leaves consumers at the mercy of individual company policies and state-specific regulations.
  • The author believes that the real estate company's after-hours solicitation was an unacceptable use of their personal data, despite having initially consented to share it during an open house.
  • The article conveys that consumers should not hesitate to exercise their rights to data privacy, even if it means demanding the deletion of their personal information from company databases.
  • The author implies that companies should be held to high standards of privacy compliance and that targeted ads or excessive promotional contact can be valid reasons for consumers to request data audits or deletion.

So, You Think A Company Misused Your Data. How To Write A DSAR.

Learn how to audit a company for your user data, request data suppression or even demand total deletion — all in one email.

How I picture unprotected user data. Photo by Kasia Derenda on Unsplash.

Don’t Mess With The Data Subject

In my experience, no one is more sensitive to and protective of personal data than those, like myself, who work in the data science field.

Although many who seek to protect customer data are ethically minded, some are just trying to avoid a very real consequence.

Fines.

Sephora: 1.2 million. Meta: 400 million. Google: Over 4 billion.

Since the list above is not a club you want to join, even as a multibillion enterprise, an increasing number of companies are ensuring that consumers are aware of how the company uses their data.

And, even better, in many cases, you even have an option of requesting an audit, suppression or outright deletion of your data.

The problem is that requesting any of those things is not an easy process.

Even though I’m a data engineer, I recently found myself writing a Data Subject Access Request (DSAR) after an uncomfortable solicitation attempt.

A Creepy Solicitation Inspired My Data Subject Access Request

Despite the time being after 9 p.m., the Ring notifications were incessant.

I initially cleared them, thinking it was the delivery guy making his third attempt to get my signature on a package; unfortunately, at the time, I was 500+ miles to the north.

I opened the app and saw someone hang something on my door knob.

Freaked out, my wife texted our neighbor who sent us a picture of the door cling, which had the logo of a national real estate firm.

A few things about the incident made me uneasy: the solicitation happened well after business hours; we live in a top-floor apartment, which means the agent was very dedicated to getting our business; and they obviously had my exact address.

After the initial cringe subsided, I experienced a new sensation.

I was pissed.

Even though I recall filling out our information during an open house, I don’t remember checking the box consenting to late-night visits.

So, like every American wronged by a massive corporation, I drafted an email.

Begin The Process — If You Can Find It

One of the most difficult parts of going through a company’s data privacy process is actually finding the contact information, form, or terms that you need to understand your rights.

In my case, I literally searched “privacy” (good ol’ Control+F) on the website and found a landing page that contained all the information I needed.

Luckily, the email I contacted also had “DSAR” in the address, so I was able to find that with another quick search.

The “contact us” landing page also included distinct instructions for making a DSAR request.

Some of these criteria informed my DSAR template, which you can access by scrolling to the bottom of this story.

Since the U.S. (still) doesn’t have a federal data privacy protection law, companies have had to devise their own processes for reviewing, responding to and executing requests.

Know Your Rights — If You Have Them

Often, you’ll be at the mercy of a policy that may or may not be reminiscent of existing data privacy legislation.

Or, you might be lucky and live in one of these 5 states:

  • California
  • Colorado
  • Connecticut
  • Utah
  • Virginia

In that case, even if the company’s DSAR terms don’t cover your use case, you have the right to additional protections under state laws like California’s CCPA.

Unfortunately, my current resident state (Florida) is a lawless wetland and has no data privacy policy codified in state law.

So, I was at the mercy of the real estate company’s terms.

Amid a lot of legalese, I discovered I was entitled to:

  • The right to request information on how the company was using my data
  • The right to request to suppress or limit current information
  • The right to request deletion of my personally identifiable information (PII)

There were further details like how I could request information specific to data science processes like analytics, ML model inclusion and marketing use cases.

Drafting A Response

Being a remote worker and a writer, I try to communicate as clearly and concisely as possible, especially in business scenarios.

While I was tempted to blast the company for allowing agents to request my personal data and possibly store it on their personal devices, I just wanted to sever ties with this particular agency.

My response (which I’ll include in the next section) included:

  • The basis for my request (weird, after-hours solicitation)
  • The deletion request
  • A request to exclude my user data from aggregate data products like ML forecasting models
  • A request for information related to the use cases of my personal data

This is possibly unnecessary in your own scenario, but I felt it was worth acknowledging that I was aware I initially consented to sharing my personal data with the agency.

However, I believed that the manner in which it was used fell outside of an acceptable use case.

A DSAR Template

After reviewing the firm’s guidelines for submitting data audits and deletion requests, I came up with the following draft.

Feel free to use it as a template.

Or simply marvel at what happens when you wrong a data nerd.

Hi there.

Please consider this a formal request pursuant to (company’s) Data Subject Access Request terms to delete any personally identifiable information (PII) associated with my customer profile.

The basis for my request is that in December 2022, one of the agents at (company) in (location) left unsolicited marketing materials at my home well after business hours.

Although I vaguely recall providing (company) with personal data while taking an on-site survey during an open house, I did not willingly or knowingly consent to the invasive direct marketing the agent exhibited.

Consequently, I no longer wish for (company) to have access to my user data.

Please ensure that my data is adequately deleted from your data warehouse and other data products that may aggregate my information with that of other customers.

Pursuant to your company’s DSAR, in addition to deleting my information, to the extent possible, please provide me with the following context surrounding (company’s) use of my personal data for analytics and marketing purposes:

  • What personal information (company) collected (name, address, demographic info, etc.)
  • How this information was obtained, including whether this was data provided directly to (company) or information provided to (company) by a third-party broker
  • The duration this information was stored in any (company) database
  • The legal basis for processing, analyzing or otherwise manipulating my PII
  • (Company’s) retention period for aggregate and non-aggregated user data
  • Details of third-party platforms and (company) associates or realtors that may have had access to my data either via a company or SaaS database or storage on a local device (laptop, mobile, etc.)

Please confirm receipt of this email and the degree to which (company) is able to fulfill my request.

Takeaway

As more companies offer (somewhat) transparent options for consumers to understand how their data is used, there are more opportunities for consumers to hold companies accountable to what should be very high standards of privacy compliance.

You don’t have to have someone show up to your residence to make you feel uncomfortable.

Maybe you feel like an ad is a little too targeted or you’d like a company to stop contacting you with promotional offers.

These are all acceptable and perfectly valid reasons to request an audit of your personal data and, in some cases, outright deletion.

If you’re working in the data science field, I hope that any experience you have as a data customer informs your on-the-job efforts to protect private data.

Working with customer data has given me a greater level of respect for data in general.

But that also means if you handle my personal data, I expect the same treatment.

I don’t think that’s unreasonable.

Do you?
