Deeply-weird privacy people update


So folks finally figured out what was behind that weird series of privacy emails I got: it turns out it was a privacy study being run at Princeton. It is not being run very well.

Here’s a pretty good Twitter thread about it and with more links to read:

Also something to make clear:

  1. This is a research study being presented as a legal inquiry and not a research study
  2. The preamble of the email is an active lie
  3. There are many better ways that they could have run this study

I do not appreciate having my time wasted by this nonsense.

Deeply-weird privacy people


Every now and then I get what feels like a bad-faith form letter from someone who I’ve never heard of before, has probably never even come to this website, and is probably a privacy lawyer out to make a quick buck.

UPDATE: The mystery has been solved.

Here’s the most recent one:

To Whom It May Concern:

My name is [REDACTED], and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

Would you process a CCPA data access request from me even though I am not a resident of California? Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to? What personal information do I have to submit for you to verify and process a CCPA data access request? What information do you provide in response to a CCPA data access request? To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.



My response is to just direct them to the privacy policy for this website which is a weird thing for me to even need for, y'know, a personal blog.

Maybe I should just not respond and see if they try to sue me for data that I don’t have and have no reason to keep, though.

Incidentally the letter is always exactly the same except for the name and the cited law; they’re always from Roanoke, Virginia, and the wording is otherwise identical each time. They also always come from the same email domain.

So I mean it’s probably a bot, but… to what end? Other folks have been receiving these as well, and the prevailing theory is that it’s people trying to sell GDPR/CCPA compliance packages, but my responses have gone unanswered. So strange.