Researchers sent requests under privacy laws to website owners. It is canceling the study after complaints.
Researchers at Princeton University and Radboud University have apologized for a research study gone awry.
The researchers wanted to determine how companies responded to requests about the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). They sent emails pretending to be people who might make requests under these regulations in the future and asked the website owners to respond with information about how to make such a request and how it would be handled.
Many site owners read these emails as a veiled threat. Not only did the emails ask for information related to how they handle privacy laws, but they concluded with a timeline such as,
I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.
I received two emails from the researchers. Both landed in my spam folder. But after stumbling upon one of the messages, I dug in a bit deeper. I researched the sending email and didn’t come up with much, which led me to believe it was a scam or someone on a legal fishing expedition.
It was a waste of my time leading into the holidays. Weeks later, the researchers followed up apologizing.
While the researchers appear to have gone to some lengths to only email sites they thought were relevant, they certainly missed the mark. CCPA only applies to fairly large companies; sending a legal request to a couple of small blogs is baffling.
If you received a message from any of these domains, you can safely delete them: