https://cellio.dreamwidth.org/2024/03/12/glassdoor-violates-privacy.html Account name: [ ] Password [ ] [Log in] (OpenID?) (Forgot it?) [ ] Remember Me You're viewing [personal profile] cellio's journal Create a Dreamwidth Account Learn More [ ] [Interest ] [Go] Reload page in style: site light Monica * Recent Entries * Archive * Reading * Network * Tags * Memories * Profile Time to delete your Glassdoor account Mar. 12th, 2024 07:32 pm cellio: (Default) [personal profile] cellio Recently I contacted Glassdoor for an account-related issue. This led to them sending me email that I had to respond to. Big mistake. The TL;DR is: Glassdoor now requires your real name and will add it to older accounts without your consent if they learn it, and your only option is to delete your account. They do not care that this puts people at risk with their employers. They do not care that this seems to run counter to their own data-privacy policies. I created my Glassdoor account about ten years ago. The only information they required at the time was an email address -- or you could sign in with Facebook or Google if you wanted, which I declined to do. Early on I set some job alerts, including location, as one does on a site with job postings. I didn't worry about that too much at the time. After I responded to that support email last week, I found that they had updated my profile to add my real name and location, the name pulled from the email From line I didn't think to cloak because who does that? I never gave consent for that change, and said so explicitly when I objected. (In what follows, I was so fixated on my name that I didn't immediately notice my city was there too. I don't know how long it's been there.) For context, here are some quotes from their own data policy: As a global company, Glassdoor is subject to a variety of privacy laws that confer a range of privacy rights upon our users. We are committed to working to support compliance with the requirements of these global privacy laws and ensuring the rights and protections they offer are available to all of our users regardless of their location. [...] We allow you to learn about, access, and control the personal data that Glassdoor holds about you. This includes data related to your use of Glassdoor.com, Fishbowlapp.com, and our associated apps. Using the form at the bottom of this page, you can request that Glassdoor allows you to: [...] Rectify your personal data. [...] Delete your personal data. There is also this: Right to withdraw consent for certain specific uses of your personal data on Glassdoor. [...] If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Note the loophole there -- "if we collected it with your consent". They haven't explicitly invoked that, but they could and it's slimy. (I never gave consent, therefore the dependent clause doesn't apply, they could argue.) -- Now, on to the email discussion I had with, through escalations, three people over the course of six days. First, they said that they are a "verified network" and "we require all users to verify their identity before giving them full access to our platform". Which parts constitute "full access" were not specified; they seem to mean FishBowl, a Blind-inspired social-media thing they're now doing. I don't care about that. This requirement wasn't in place when I created the account -- demonstrably, as I was never required to provide a name. Sometime since then they changed the rules and my profile was sitting there with a null required field, I guess, until some employee noticed and edited it. I didn't find a notice of this changed requirement in my saved email, though it's possible I missed it or it got caught in a spam trap or something whenever it happened. I have no idea how long they've required that. I replied to that message saying, in part, that I withdraw consent for them to store my name, in accordance with their data policy that they had helpfully provided me a link to. (Wasn't going to quibble over "withdraw" at that point. I thought this would be straightforward. How wrong I was.) I got a reply from "lead, content and community team" -- I'm eliding employee names in this public post because I have more scruples than they do -- who informed me that though they were "required" to add my name to my profile, this would not affect the anonymous reviews I had posted in the past. Well I would hope not! But still, I said, them storing my name along with that data puts me at risk. I pointed out that we've seen ample evidence that anybody with a juicy online database can be hacked, and the mere presence of that involuntary data was a problem. The next reply contained this plot twist: So all users will now receive a Fishbowl account once they login to Glassdoor. Yours has already been created. All you need to do is download the Fishbowl app and login with either a social connection, your work email, or phone number to gain access to your account. Say what now? You created and stored my personal information in a second account, and I can only get access to delete it by giving up even more information? Um, no. I guess that unsolicited account will just sit there. (I asked where this was disclosed and was told that would be forthcoming. !!!) This message went on to tell me that it was "not possible" to edit my name and if I want it gone, my only option is to delete my account. I responded that I planned to do that after I get my data dump, and in the meantime can they remove or anonymize my name -- reset to last week's level of privacy? It obviously is possible for them to edit that field because they did. Users, however, cannot edit it, so I can't fix it myself. The reply came from "manager, content and community team": I stand behind the decision that your name has to be placed on your profile and it cannot be reverted or nullified/anonymized from the platform. I am sorry that we disagree on this issue. We treat all users equally when it comes to what is eligible to be placed on the profile and what is not, but we know that there are times our users, such as yourself, may not always agree with us. If you are not willing to allow your name on your profile, you will again need to complete Data erasure once you are able to. However, we cannot remove this for you or make the changes you wish to see for your name. This is my final determination. I, as well as multiple members of my team, have reviewed your request several times, and I am considering this matter closed. You heard it from the manager of Glassdoor's community team: they treat all users equally badly. Soon my account will be gone. If you have one, you might consider doing the same. Tags: * internet, * tech, * work (general) * Previous * +Memory * Share * Next --------------------------------------------------------------------- * 18 comments * Reply --------------------------------------------------------------------- Flat | Top-Level Comments Only (no subject) Date: 2024-03-13 01:58 am (UTC) magid: (Default) From: [personal profile] magid Oh, wow! That's... I'm not even sure how they see that as reasonable, but then, I don't understand a lot of folks. I'm so sorry to hear this (if I had a Glassdoor account, I'd be deleting it now). * Link * Reply * Thread * Hide 1 comment * Show 1 comment (no subject) Date: 2024-03-13 02:11 am (UTC) cellio: (Default) From: [personal profile] cellio Yeah, it blew my mind when I realized that they considered this to be appropriate behavior and not an over-eager employee trying to "help". In what universe is it reasonable for service providers to dox their users like that? There are places online where I choose to use my name. (Most of them, actually.) When I choose not to, I do not expect to be overruled. The account lacked a name for years; they could have said "comply with our altered terms of service or delete your account", without making things worse in the meantime. For that matter, if they now require this, why wasn't I prompted to edit it upon login after the change? If they want to enforce it, enforce it -- by making users respond. Not by going behind their backs. * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-13 02:47 am (UTC) metahacker: A cartoonish walky-talkie is jabbering angrily (angry box) From: [personal profile] metahacker Blech. Not surprising, still disappointing.. * Link * Reply * Thread * Hide 1 comment * Show 1 comment (no subject) Date: 2024-03-13 03:03 am (UTC) cellio: (Default) From: [personal profile] cellio Yeah. It would have been so easy for them to do the right thing instead. Name is required? Check at login, prompt, block whatever "full access" means until the user handles it. Fixes all your missing names, not just the ones attached to people who came to your attention, and doesn't take control away from the user. Or to handle cases individually, notify when discovered and then block access until the user edits. Easy peasy. No consent violations required; the user can edit, delete the account, or walk away. * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-13 05:35 am (UTC) minoanmiss: A detail of the Ladies in Blue fresco (Default) From: [personal profile] minoanmiss To use technical language, what the deep fried fuck is this bullshit. * Link * Reply * Thread * Hide 2 comments * Show 2 comments (no subject) Date: 2024-03-13 12:53 pm (UTC) cellio: (Default) From: [personal profile] cellio Your technical language made me laugh. :-) * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-14 07:13 pm (UTC) greyduck: CCS - Serious Li (CCS - Serious Li) From: [personal profile] greyduck Am a technician. Can confirm this language is 100% canonical and accurate. * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-13 11:30 am (UTC) madfilkentist: Photo of Carl (Carl) From: [personal profile] madfilkentist That is unbelievably slimy of them. I'm surprised this hasn't exploded all over the Internet, given that they say it's their uniform practice. * Link * Reply * Thread * Hide 7 comments * Show 7 comments (no subject) Date: 2024-03-13 12:55 pm (UTC) cellio: (Default) From: [personal profile] cellio I guess it hasn't happened to anybody with reach. Sites requiring real names isn't new, and sites changing their terms of service isn't new. The slimy new thing here is non-consensual privacy violations. I don't know how much they've done that; I only know that they did it to me. * Link * Reply * Thread from start * Parent * Thread * Hide 6 comments * Show 6 comments (no subject) Date: 2024-03-13 01:24 pm (UTC) sine_nomine: (Default) From: [personal profile] sine_nomine So odd, given that the whole point of Glassdoor was anonymity. I didn't even twig to the name thing when it asked for it last time I logged in. As you might imagine, I just said no on providing my name, and my alter ego now has an account. * Link * Reply * Thread from start * Parent * Thread * Hide 1 comment * Show 1 comment (no subject) Date: 2024-03-13 09:25 pm (UTC) cellio: (Default) From: [personal profile] cellio You can, they say, still make public posts anonymously. You have to remember to set that. With them storing your name, there's no protection from future changes that either accidentally or intentionally reveal it on your past contributions. The whole point was to allow people to post reviews safely. Of course this allows fake reviews (I've seen some that are too good to have been written by anybody but HR or marketing), and I guess that's the problem they're trying to combat. If they wanted to change the rules from now on, that would be fine -- people could decide whether to continue, and contributions that earlier could even be marked "unverified" or something if they want. But that's not what they did. * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-13 08:53 pm (UTC) rhialto: Me under a waterfall (Default) From: [personal profile] rhialto This totally sounds to me like it is violating the GDPR, given that "they treat all users equally", so including the European ones. Would you like some advertising of this page via Mastodon (https:// mastodon.sdf.org/@rhialto) Not that I am such an influencer but it might help to make this issue a bit more widely known... Edited Date: 2024-03-13 09:03 pm (UTC) * Link * Reply * Thread from start * Parent * Thread * Hide 3 comments * Show 3 comments (no subject) Date: 2024-03-13 09:29 pm (UTC) cellio: (Default) From: [personal profile] cellio And their data policy seems to be claiming that, inteaad, the extend GDPR protections to everyone. But it sounds like a GDPR violation to this non-expert, too. Please feel free to link this page on Mastodon, and thanks. (I did post something that fit in 500 characters there yesterday before writing this longer account here. This is definitely the more informative version.) * Link * Reply * Thread from start * Parent * Thread * Hide 2 comments * Show 2 comments (no subject) Date: 2024-03-14 09:51 pm (UTC) rhialto: Me under a waterfall (Default) From: [personal profile] rhialto Wow, that went further than I expected.... 700 reposts as of this moment... * Link * Reply * Thread from start * Parent * Thread * Hide 1 comment * Show 1 comment (no subject) Date: 2024-03-14 10:11 pm (UTC) cellio: (Default) From: [personal profile] cellio You've got reach! I've had and responded to two press inquiries. * Link * Reply * Thread from start * Parent (no subject) Date: 2024-03-14 04:36 am (UTC) ellenmillion: facepalm (facepalm) From: [personal profile] ellenmillion I don't have an account, but if I did, I would ruuuuun. * Link * Reply (no subject) Date: 2024-03-14 03:15 pm (UTC) goljerp: Photo of the moon Callisto (Default) From: [personal profile] goljerp Hmm, i seem to have a Glassdoor account from the last time I was job searching. Or maybe the time before that? Anyhow, let's say more than 10 years old. I think I'm going to just let it sit there, unused, and if they want to track me down to find out my name... well, good luck. This certainly doesn't give me warm fuzzies, though! * Link * Reply (no subject) Date: 2024-03-14 06:57 pm (UTC) From: (Anonymous) IANAEUL (I Am Not An EU Lawyer), but if you're in Europe, that's definitely a GDPR violation. (If you aren't, then... you might not have any options, though some US states have relevant laws.) The "if you consented, you may withdraw consent" seems likely to be a GDPR-oriented thing--there are rules for what kind of data collection does and does not require consent. They're probably leaning on one of the legal bases other than consent. See https://gdpr.eu/ gdpr-consent-requirements/, subheader "The GDPR requires a legal basis for data processing". * Link * Reply * Previous * +Memory * Share * Next * 18 comments * Reply Flat | Top-Level Comments Only Expand Cut Tags No cut tags Top of page