It’s 2023. I’ve been working “online” in some shape or form since the late 90s. While I may not know how “everything” works online, I have been doing this stuff for long enough to not be a completely naive idiot. Or at least I hope I’m not!
However sometimes even I am surprised and a little shocked at how some companies play fast and loose with privacy and data.
What happened?
Last week I got.a cold call on my mobile. That was odd, as my mobile phone number is not “public”. It’s not on my business cards, my email signature or anywhere public that I’m aware of. Sure, you can easily get your hands on multiple email addresses that I use, my home address or my work phone number. But my mobile? Not as easily.
So, naturally, I asked the person who’d rung me how they got the number. They lied to me. Telling me they’d got it at an event, which I had’t attended, then trying to assert that one of my staff had provided the number. When I mentioned such inconvenient things like data protection law, privacy and GDPR they finally admitted where they got the information. A data broker called Lusha.
I’d never heard of this company called Lusha and I most certainly had never given them permission to process my personal data or breach my privacy.
They have quite a slick website but basically they seem to “enrich” data for businesses who want to cold call people and businesses. So they’ll take a public data source, which in my case could be my Linkedin profile, and then they’ll add more details they’ve got from other sources.
Now as I said, I’d never consented to my private data being shared with or processed by this company and until I got the phone call the other day I’d never heard of them. To say that I was not amused is a gross understatement – I was absolutely seething.
I’ve since explored their website and have used the various forms on their site to:
- check what data about me they hold
- request its deletion
In the process of doing that I made some quite disturbing discoveries.
Apparently a chunk of the data they share with their clients comes from other clients and how they get it is rather disturbing.
Lusha have what they call a “community” which has a very loose set of rules applied to it and I’d suspect next to no actual compliance function.
Once a Community user agrees to our Code of Conduct (the”Code”) and installs one of Lusha’s products, Lusha will synchronize their business email with our database.
What does that mean? “synchronize their business email with our database” is pretty damn scary.
Lusha’s product accesses professional business network contact information such as email headers and signatures to validate and update our data sources into one, accurate, and up-to-date business profile, which is used by Lusha’s customers and Community members. Lusha confidentially transfers Community members’ business contacts, removes outdated information, and combines it with our database.
My read of that is that they’re essentially parsing every email on your computer and sucking out all the “useful” personal data they can get from it.
If you’ve used a modern smart phone like an iPhone you’ll often see it will have worked out that a contact has a new phone number or other contact point and suggest that you update your address book. While that might be a little creepy, it’s also very useful. But most importantly it’s YOUR data on YOUR device about YOUR contact. It’s not being shared with others. It’s not like it’s being used to “enrich” somebody else’s product.
How on earth can Lusha’s approach to privacy and personal data be legal?
Why on earth are Irish companies using data from these people to make sales calls?
I requested the full record that they had on me and I also requested that they delete it. I’ve no idea how long it’ll take them to do that nor if they’ll even delete the data properly and fully.
Funnily enough the data they had on me wasn’t that good – though they did have valid email and phone numbers for me. So they not only breached my privacy under GDPR but also failed on accuracy side – I had no way of correcting it either as I was unaware of the data’s existence until last week!
Leave a Reply