Princeton privacy study halts GDPR/CCPA research over ethics concerns and industry blowback

Computer science researchers at Princeton University and Radboud University conducted an academic study that sent automated email messages to websites with GDPR and CCPA privacy policy requests from fake personas. Email operators, web admins, and privacy professionals interpreted the messages as security risks and legal threats, prompting the researchers to suspend the study and delete all communication.

On December 11, 2021, Coywolf News received the following message from Kurt Mayfair with the subject line “Questions About CCPA Data Access Process for coywolf.news.”

To Whom It May Concern:

My name is Kurt Mayfair, and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

 1. Would you process a CCPA data access request from me even though I am not a resident of California?
 2. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
 3. What personal information do I have to submit for you to verify and process a CCPA data access request?
 4. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding coywolf.news, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

Kurt Mayfair
Email using fake persona for Princeton-Radboud research on privacy law implementation

The message looked suspicious. It came from a nondescript email address, stated they were from Virginia (not California), and didn’t provide any details about who they were associated with. Googling Kurt Mayfair also didn’t return any relevant results.

The most ominous part of the message was the last paragraph, which stated, “I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.” I concluded two things from the message: First, this was likely spam, so I blocked the domain and reported it; and second, I should probably review my Privacy Policy, which I did. Additionally, I don’t concern myself with CCPA and GDPR because Coywolf News doesn’t use cookies or collect data, and it uses privacy-first GDPR and CCPA compliant site analytics.

CCPA and GDPR request emails with fake personas were part of Princeton-Radboud privacy law study

On December 26, 2021, Coywolf News received an email message from the Princeton-Radboud Study on Privacy Law Implementation. The subject line stated, “Please disregard recent email about GDPR or CCPA processes.”

Hello,

You may have recently received an email from potomacmail.com regarding your process for responding to General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) data requests for the following domain(s): coywolf.news. Please disregard that email.

The email was sent as part of an academic research study on GDPR and CCPA, which we have concluded. We will delete all responses received on December 31, 2021. We sincerely apologize for any burdens caused by our study.

If you would like more information about the study or to contact our research team, please see: https://privacystudy.cs.princeton.edu.

Sincerely,

Princeton-Radboud Study on Privacy Law Implementation
Email from Princeton Privacy Study with details about the previous email sent from a fake persona

The email said the previous CCPA and GDPR inquiry email was sent as part of an academic study on privacy law implementation and that all replies would be discarded by December 31, 2021. It included a link with more details about the privacy law study, which revealed who was behind the study, what they were studying, what went wrong, and how they were attempting to rectify its botched execution.

The page is maintained by Professor Jonathan Mayer at the Princeton University Center for Information Technology Policy, the Principal Investigator of the study. In an update published on December 18, 2021, Professor Mayer said he was “dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.” In a later update on December 21, 2021, he announced that they would be discarding all results.

We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.

Professor Jonathan Mayer, Princeton-Radboud Study on Privacy Law Implementation

The page also included a Frequently Asked Questions (FAQ) section that addressed several concerns raised by the study’s subjects. The FAQs confirmed the use of automation and “simulated identities” (i.e., fake personas). Mayer stated that he will be writing an ethics case study from this experience to help other technology policy researchers avoid making similar mistakes in future studies.

Details about the Princeton-Radboud Study on Privacy Law Implementation are available at this Princeton University subdomain and this archive (saved on December 27, 2021).

Jon Henshaw

Jon is the founder of Coywolf and the EIC and the primary author reporting for Coywolf News. He is an industry veteran with over 25 years of digital marketing and internet technologies experience.