They shouldn’t be doing that they would be in breach of PECR the Privacy and Electronic Communications Regulations which sit alongside the Data Protection Act and from the 25 May the GDPR. If you have unsubscribed they will be in breach of GDPR after 25 May.
I manage my passwords with a web front end for online cloud access, browser plugins and cached Apps for Android and Apple devices. It means I can access my passwords anywhere in the world at any time. Other services mandate a clunky physical file that is shared between devices meaning you have multiple files to manage.
Maybe this will be a warning to people who post on social media in the public domain. You never know what may come back to haunt you in the future!
I’m quite savvy when it comes to this sort of thing, but this experience has left me more worried about how companies use and store your personal data. I think it’s time to question why hotels demand this data and more importantly, how they store and destroy it?