We didn't set out to hide our GDPR requests, we put them behind our Support/Legal button. But we got sued anyway, and we lost.
Now we have to have the "delete my data" and "request my data" as part of our main settings list. Result: flooded with requests. People are clicking the buttons just because they are there. For me it's not a big deal, I automate all the requests. But, I still feel like this went too far.
It's our human right to have real-time, machine-readable data copies of everything we do; it's no company's business to question or interfere. Unless it crashes your servers because trolls are trying to DOS, it is really hard to not be angry at a statement such as "this is going too far".
> People are clicking the buttons just because they are there.
The reasons why they click the buttons are utterly irrelevant to anyone except them.
Let them click the buttons. It's their right.
> But, I still feel like this went too far.
Not far enough. I think data should be a massive liability. It should actively cost you lots of money to know any fact at all about any person anywhere on the planet.
In other words, in an ideal world you would be scrambling to press that button on their behalf the second your business with them was concluded. "Can we please forget everything we know about you please?" and only their explicit affirmative consent would allow you to not delete their data.
At the moment, holding data about someone is not a significant recurrent cost, but it is a liability in the form of a risk that could get you in serious trouble if you get something wrong. However, that particular business risk doesn't tend to be recognised by many, many organisations. It should be.
If they can afford to be ignorant of the risks, it's because the liability is not high enough. Gotta raise the liability until they start doing what we want them to do by default. Private information should be an existential risk for them. They should be deleting every last bit without even asking, not sucking up endless amounts of it without consent.
> Users have basic bare bones functionality that all applications should support is "too far"?
They were objecting to the idea that putting it behind the "support" button is a violation. If true, that's excessive in terms of mandating accessibility.
I would never file a support ticket to open an account. If you did that, your business would be under by the end of the week.
No, requiring actual application functionality isn't too far. For God's sake, just make normal software like a normal person. This should all be very intuitive.
Stop trying to game things, stop trying to maximize conversions and other bullshit metrics, stop trying to implement every dark pattern under the sun and just... Be normal. I promise you will comply without even trying.
And, bonus points, your software will be less shit. I know it doesn't feel that way right now, because most software is shit. You shouldn't aspire to be another turd floating around in the cesspool that is the modern web.
Can we get the full story? I don't believe that's what happened because GDPR does not prescribe any specific avenue of requesting data. You're not required to have a button on your website at all, it's completely valid to accept and respond to requests by mail, but it's obviously much cheaper to offer automated data export.