"My name is Charlene and I work here at Airbnb in a specialized team. I hope this email finds you well.
We understand that you would like to exercise one of your rights under the General Data Protection Regulation (GDPR), namely the right of erasure.
Airbnb is required to verify that the person making the request is the data subject entitled to the information being requested. We have implemented identification and verification procedures to ensure that we do not edit, delete, or hand over personal information to a person impersonating a data subject.
We kindly ask you to send us both of the following:
A re-statement of your request
A photocopy of a valid official government ID such as your driver's license or passport to validate your identity and to facilitate your request
Your request and a copy of your proof of identity can be delivered by email to dpo@airbnb.com or by answering this e-mail."
I can recall having to send a verification email before, when cancelling with other providers, but have never been asked for a copy of ID. Are AirbnB asking too much? And going beyond what is required under the GDPR?
According to The International Association of Privacy Professionals (IAPP) YES!
Asking for a copy of ID document, passport or other official, government-issued document, such as a birth certificate, as a standard way of verifying the identity of data subjects should be definitely avoided.
The obvious reason why is because it is disproportionate and not always relevant. The less obvious reason is that this is not considered a secure and efficient method of authentication, and the level of assurance as to the real identity of a person, in contrast to what some might think, is quite low.
Unfortunately that seems to be an opinion rather than legislation, but. Another consulting company has all the recitals including "verification" on their site and it seems discretionary how it is done.
Obviously insecure, underscoring abysmally bad practice. If a personal document were to be provided in any case, it should only be through a secured or encrypted messaging system, not email.
I'm left wondering what level of authentication AirBNB requests when an account is first set up? Also when accessing your account subsequently what level of authentication is required to do that?
Generally for most sites transactions seem to be accepted based on your login being successful and as required CC payment data being accepted.
All of this occurs (hopefully) through a secure internet connection (https:) or better. There is every practical reason cancelling your account should be through the same secure process. As @PhilT has noted the suggested procedure from AirBNB is high risk and to be avoided.
Aside from the AirBNB correspondence looking like a scam, what is that AirBNB risk if they delete your account without your permission. It would seem far more likely it could happen the way they are suggesting than someone hacking your account directly?
Unfortunately with identity theft and hacking of online accounts, many online service providers have become conservative in relation to what is required to open, close, change account details etc.
I suspect that they want to ensure that the person closing the account is actually the account holder rather than someone else getting up to mischief or using such methods to gain access to the account.
Precisely, but is that a reason to use bad practice to do that? Exposing what can be sensitive personal information to the open internet (eg unencrypted email)? If they were serious they would be rolling out a secure messaging system, would they not? Seems they are serious thinking customer concerns on personal information / privacy might be frivolous?
Thank you very much for all your responses. In further email correspondence with the AirBnB functionary, she has advised that: Airbnb, as a data controller, needs to make sure we are receiving any GDPR-related request only from the account owner. That's the reason why we are asking you to send us a proof of identity in the form of a valid ID. We'll need it to match the information you have added to your account - name, surname and date of birth - with the details on the ID you will provide us.
Well, of course. So I replied giving my first and last names, and my date of birth; and pointed out that they are asking more than what was requested in opening the account.
And I also included some relevant text from the IAPP (thank you TheBBG) regarding: what to ask for; what not to ask for; and keeping things relevant and in context. I've also asked that if the functionary cannot action my request that their Data Protection Officer engage with me.
If you get to a stalemate you can offer to send them what they want IFF they put up a secure messaging system that is satisfactory to yourself using their own reasoning echoed back at them. You can ask them for their own identifying documentation such as their certificates of incorporation to prove to your satisfaction it is actually them and not a phishing system and the functionary or DPO is really an AirBnB person.
Bottom line is if they want to play a game you can play too, although getting the outcome you desire any time soon, or at all, could be jeopardised if they want to go into hard ball territory.
"Government ID" is required to be a verified account user on Airbnb. It is provided through their site. I was quite prepared to provide it to prove who I am and be verified for using Airbnb.
Apologies for the tardiness. Common sense has now reigned. I was finally asked just to log back into my account to verify that it was me. In a nutshell, the overall procedure (over time) to open and to close the account has been: verify who I was in opening the account; log into the account in order to complete the closure request; when prompted by AirBnB, log into the account a second time. Logical, quick and easy.
So that is the end of that (unless somebody thinks that it is worth a couple of paragraphs in Choice). Thank you all.
One would think that for standard practice, if the request was made through a logged in account… and a verification email sent to the registered email address of the account holder requesting confirmation of the request (click on link type confirmation), this would be enough to action a cancellation.
It's also the almost universal procedure used by most online services to verify user ID for lost passwords. Some may also include a two factor authentication if that is usual for access, or a secret Q&A.
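The flow described in the post above (request made from a logged-in session, then a click-to-confirm link mailed to the registered address), sketched as an added example that is not part of the thread and not Airbnb's implementation. The function names, the token layout, the one-hour lifetime and the in-memory nonce store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to the user
TOKEN_TTL = 3600                      # assumption: confirmation link valid for one hour
_used_nonces = set()                  # assumption: stands in for a database table


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_erasure_token(account_id, session_account_id, now=None):
    """Issue a token only when the request comes from the owner's logged-in session."""
    if session_account_id != account_id:
        raise PermissionError("erasure must be requested from the account's own session")
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    nonce = secrets.token_urlsafe(16)  # makes every link unique and single-use
    # account_id is assumed not to contain the '|' separator
    payload = f"erase|{account_id}|{expires}|{nonce}"
    # The token goes into the link mailed to the address already on file.
    return f"{payload}|{_sign(payload)}"


def confirm_erasure(token, now=None):
    """Return the account id to erase, or None if the link is forged, expired or reused."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    action, account_id, expires, nonce, tag = parts
    expected = _sign("|".join(parts[:4]))
    # Constant-time comparison; any edit to the payload invalidates the tag.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    if action != "erase":
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    if nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)
    return account_id
```

Proof of control rests on two things the provider already holds, the authenticated session and the registered mailbox, so no identity document has to travel over email.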
Great news @Davcromb.
We are all a little better informed from your shared experience. Thanks.