I just used a contact form of a local webshop. I couldnt enter my email address because it contains a +.

I contacted them to tell them about this issue and the response was it is because of security reasons. Since when is following specs a security breach? Unless their system is one leak I don't see how its possible.

Am I wrong or did they either lie or have a leak in their system?

Im surprised more sites don't strip out /\+[^@]+/ to help mask their sale of PII.

A second reply after I asked for some clarification:
"I have discussed this again with our ICT department and they will not add support for a plus sign in email addresses. I cannot go into details about this because of security reasons.
I hope Ive informed you enough about this.

Kind regards,
John Doe"

"Dear John,

Even though your products are great I have the feeling my personal details are not stored in a safe way. Hereby I would like to first receive all data you have collected about me and afterwards delete all information you have on me according to the right to be forgotten section of the GDPR.

Thanks Codex"

Im curious what their reaction to this will be. If their ICT department keeps saying it is a security risk and they cannot say why either they are lying or their system is, as we dutch say it, as leak as a basket.