I was part of a human subject research study without my consent

434 points by snowytrees over 3 years ago

46 comments

lpage over 3 years ago
Another subject, posted yesterday: https://news.ycombinator.com/item?id=29599553
quadrifoliate over 3 years ago
A lot of people mocking the author or others for being scared and worried are basically blaming the victim here, and I would like them to stop.

The nature of legal practices in the USA is such that the answers to "Are you totally in the clear legally?" and "Will you lose significant amounts of money proving in random courts that you are in the clear legally?" are often *both* yes.

As a result, any researchers who send out thinly veiled legal threats as a "research experiment" are firmly in the wrong *ethically*, and should be called out by *all* the people to whom they have issued these veiled threats. Review boards that approved this experiment should be themselves subjected to an audit and potentially dissolved.
dcow over 3 years ago
Can someone help me understand the *ethical* problem here? If I as an ordinary citizen contacted the webmaster with a similarly worded email, the result would have been the same. The fact is that this “experiment” did not create any more or additional stress than is created for normal citizens/businesses simply engaging in normal legal activities. If submitting such a request has the potential to cause such *undue* stress, shouldn't society create protections or disallow such requests?

Edit: It's not that hard to see that there are potentially some *social* problems here e.g. "the message is easily construed as a legal threat" or "the message was mass mailed in a spam-like nature". However, my comment is in response to the title of the blog post which implies that the webmaster believes there's an ethical problem that this "experiment" was even run in the first place. For the purpose of this thread, assume the email was worded perfectly and the university was very thoughtful and deliberate in who they contacted. I'm interested in discussing the ethics behind how a perfectly legal and reasonable thing can in one case be ethical and another case be unethical simply by virtue of the context in which the action was carried out.
JamesCoyne over 3 years ago
Going back to study homepage here https://privacystudy.cs.princeton.edu/ there is another update, now from the lead investigator, that includes the following paragraph:

"Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible."

Did this study send automated emails in such volume that they can't work out how to send an apology without triggering spam protections? Or did they send email and not record it? What is he saying here?
TedDoesntTalk over 3 years ago
> My name is Maya Mishina, and I am a resident of Novosibirsk, Russia.

If I received such an email, I would mark it as spam and move on with my life. Why did this blogger take it seriously? Does she take other forms of spam so seriously?

I do feel for her stress and anxiety, but I also have to question her mental ability to filter noise. Life must be quite stressful for her overall.
darkwizard42 over 3 years ago
The Institutional Review Board doesn't seem to be much of an "ethical board" given they don't consider the stress this causes the human side of the website operators. How did they conclude this doesn't count as "human subjects research" given the expectation is to measure a human response to an email (framed as from a person)?
omgitsabird over 3 years ago
"In order to be considered a covered business, the organization needs to have annual gross revenues in excess of twenty-five million, possess the personal information of 50,000 consumers, or derive 50 percent or more of its annual revenue from selling consumers' personal information."
walrus01 over 3 years ago
How did anybody think it was appropriate to distress random human subjects by sending what appears at first glance to be a thinly veiled legal threat?
MattGaiser over 3 years ago
I have a not at all popular and rarely used blog. I still get dozens of stupid spam emails and comments a day and often some phone calls too. This would not have caught my attention for more than 10 seconds, if I even read it at all and it did not get filtered out by various spam tools.

I am quite perplexed at the people who panicked over this. It would probably rank 4th in the scariest things I have received today and seems on par with a call from the tax man claiming you owe them money and need to send them iTunes gift cards.
skrebbel over 3 years ago
We got this email at my startup. We freaked out too, we're not from California (or even the US), we're not end-user facing so usually privacy stuff goes to our customers. We'd never received a mail like that. We responded with a kind reply, but had a lot of internal discussion. Our nice response included questions which never got answers. Because screw real people, right?

Experiments like these are training well-meaning people to ignore real privacy requests.
idiocrat over 3 years ago
If there were a contractual agreement before the start of the study, the participants could have negotiated the monetary reimbursement for the work done (including data processing fees and the legal consultation).

By coercing the participants into the study, the university has in fact waived its own negotiation rights. The university should compensate the participants for the actual work done, at a fair market rate, and reimburse the legal fees.

(I am not a lawyer).
jcrawfordor over 3 years ago
I have pretty mixed feelings on this. On the one hand, I agree that the researcher's actions (particularly the use of a false identity) were inappropriate. I am hesitant to engage in "victim blaming" by calling the targets of the email naive. But I hope this has been a learning experience for everyone, as it seems to have revealed a lot of knowledge gaps that were surprising to me.

I am not at all surprised that it was not subject to IRB review, but only because I've had a bit of involvement in the IRB process before and know that the specific legal mandates that drive IRBs (45 CFR 46) have a surprisingly narrow definition of human subject research that is driven primarily towards medical interventions, so generally speaking any research that consists of just asking questions and then anonymizing the results for reporting gets waved past IRBs (45 CFR 46.104). You might disagree with the situation (there's plenty of reasons to) but it's the law of the land. IRBs were developed pretty specifically in response to a spate of incidents in the mid-century, but especially the Tuskegee trials, involving non-consensual drug and toxin trials. The IRB process is directly designed to address these kinds of medical research, and so IRBs I've dealt with are not even very interested in looking at proposals coming from departments other than life sciences. The idea that IRBs are a general-purpose ethics review seems to be a pretty recent idea and it's not something the IRBs themselves are that into, at least from my experience hearing professors gripe about having to go through a stack of pre-reviews for information assurance studies on the off chance they qualify as human subject research.

On the other hand, though, I operate several websites for small organizations, admittedly in a politics and public policy-adjacent space, and receive emails of this type as a matter of course. I'd be surprised if there are many people operating websites that get a meaningful amount of traffic that don't get an email of this type from time to time. It's sort of background noise if you're doing anything that's of much public interest. In some of these situations I benefit from having retained legal counsel that probably wouldn't even bother to bill for this kind of thing, but it would still be a rare situation that I referred such an email to counsel unless it was something about a more obscure corner of city political financing regulations, which I have gotten once before.

The "legal threat" here honestly doesn't read to me as much of a threat. Part of this is because in my hobby work I write emails very much like this one on a weekly basis... mostly citing FOIA or similar state sunshine/open records/open meetings laws. Many guides on transparency laws coming from this same community clearly advocate a similar sentence citing the response deadline, and I wouldn't be surprised if this researcher copied and pasted that from such a "consumer rights" guide. It's considered a best practice to state the deadline and citation with this kind of request. There are basically two reasons for this: first, some people, especially smaller organizations, may be totally unaware of the deadline and you will be telling them about it for the first time. They may not believe you on it if you don't provide some sort of backing. The second is that there's a perception (from my experience I'm skeptical this is frequently true but I'm sure it is occasionally) that especially federal offices may be aware of the deadline but feel comfortable ignoring it if they don't think the requester knows. So providing the deadline and citation is sort of a "savvy customer" indication that encourages them to at least issue an extension letter on time (even then it's very common, even before COVID but especially now, for federal agencies to run past the deadline without any response. Oddly, state and local agencies are usually much better about this).

Another part of why I have a hard time taking it as a threat is because it is the first in a rather long chain of actions that would lead to legal action. It does indicate that the requester is aware of the law but it's quite a few steps from the requester's intent to file a lawsuit. Most people that include a line like that never even bother to follow up with a nag when the deadline passes. What was in the email is basically a "I copied and pasted this from an online howto" level of effort, and there's a pretty big ramp from there to filing a lawsuit (especially from a far away place). Really, in my experience, people who are a serious legal risk (i.e. lawyers and people who use them) cite statute *less often* than slightly crazy internet randoms do.

So I suppose what I mean to say, is that I feel bad for the people who were alarmed by this, but I hope it has been a learning experience: when you operate a website, you are putting yourself out in public and exposing yourself to both legal obligations and dealing with random people that have weird ideas about your legal obligations (there tend to be more of the latter than the former). There are a lot of risks and responsibilities entailed in running a website, most of them fairly minor, and this kind of thing is one of them... just something you have to deal with when you make the decision to be a public entity.

Or maybe a better takeaway is this: if you get at all involved in politics, government, civil rights, or the public sector in general you will get a lot of stuff like this (and some of it will actually require action, but usually not especially difficult action). One result of increasing online privacy concerns is that just operating a website is starting to enter the civil rights realm, so I suppose over time every website will get more of this.
silisili over 3 years ago
I'm so confused by the comments here. Californian consumers regularly, and rightly IMO, laud the CCPA.

Then when on the receiving side, view it as a threat and freak out.

Note: I'm ignoring the whole lying aspect for now, because it isn't pertinent to my argument.

So it sounds like it's good for consumers, and a nightmare for producers. Seems the crux of the problem is the law itself.
COGlory over 3 years ago
Yeah this is pretty bad. Not really sure what to say beyond that. I'm extremely confused how anyone thought this was OK.
varelaz over 3 years ago
There is a logic error in this email. If this is not a request they cannot claim 45 days to respond. So reference to CCPA 1798.130 was clearly just to scare.
noduerme over 3 years ago
The study was disgusting; I've commented about it in another thread. But I think there's something else here that explains the strong reactions people are having to this.

We as software engineers are not used to being told by a government how to build our code. If China passes some law saying that you can't directly search a database without routing the call through a government server, I don't care. I'm not going to research their laws and make sure my code conforms to that. It's not my problem. It's the people of China's problem. If a company I'm working for has a legal team that says they need to accommodate that, they'll tell me they need to write some code to do it. I'm free to write it for the money, or tell them to fuck the CCP and themselves.

But if I happen to know that a client is using my code in China without meeting some regulation there, it's not my obligation to inform them. Best of luck. *I'm* not personally liable for that.

And so what happened here is, they went after developers and small self-coded sites. They intentionally went after the people writing the code, not the companies that have legal compliance departments.

So the big question it presents, that I think has some people hopping mad and other people too sanguine, is: Does this herald a wave of assault and blackmail against developers, where bad actors (or dumb actors, like Princeton undergrads) will use supposed infractions of local laws to try to extort settlements from makers of software? I mean, show me a piece of software, and I'm sure it would be illegal *somewhere*. But the question of threatening small developers this way is new - it's a new form of trolling, like patent trolling but potentially even worse. The novelty of it and the potential for abuse is why I think a lot of people have been outraged by it, more than the question of whether someone should have just ignored this particular email. It presents an entirely new chilling effect that changes the bar for anyone looking to start a website, among other things. If any newbie coder had to make sure their code conformed to every legal requirement around the planet before putting it online, their chances of being successful with new code would be nil, and our livelihoods and creative capacities would be severely diminished. Our entire culture of making things would be crushed. An entire category of artistic creativity and originality that most of our lives are based upon could be shut down completely by a blizzard of emails like this one. I don't think it's overreacting to be alarmed by it, nor to be furious at this approach being pioneered by a supposedly liberal institution.
perihelions over 3 years ago
It looks like multiple people consulted lawyers because of the implied legal threat. OP isn't the only one who took this somewhat seriously.

Attorney: *"is this Princeton privacy study email that one of my clients received legitimate?"*

https://twitter.com/jdigiacomo/status/1470756584435249152

*"Wow. I actually contacted my attorney over this email inquiry to see if I actually needed to respond and if so, how."*

https://twitter.com/NerdPress/status/1472340768933113859

*"our clients have spent around $10k aggregate trying to understand what these requests related to, and whether this was a coordinated mass phishing attempt"*

https://twitter.com/FDTaisce/status/1471970527132618757

An attorney in Switzerland: *"Wir wurden von Mandantinnen und Mandanten gefragt, wie sie auf diese E-Mails mit Fragen nach ihrem Umgang mit datenschutzrechtlichen Anfragen reagieren sollen."* ("We have been asked by clients how they should respond to these emails with questions about how they handle privacy-related inquiries." (DeepL))

https://steigerlegal.ch/2021/12/16/datenschutz-gefaelschte-anfragen-dsgvo/

Three *different* attorneys in this thread report having clients reach out to them:

(1) *"As outside privacy counsel, these are so frustrating. First one I saw cited being a CA resident so more alarming. Now for those interested\able to learn it's more time and education as they think any request must be scams now. Plus how many clients won't reach out next time?"*

(2) *"As in-house counsel, my initial gut instinct was that it was someone who was trying to entrap us - hoping we would make a mistake so they could sue. (I don't have much faith in human nature, I suppose.) So I sent it to outside counsel to be safe. Waste of time and resources."*

(3) *"Same here. We deal with a lot of professional litigants and I was looking for the angle (it was GDPR not CCPA, so was worried about a private right of action being brought)"*

https://twitter.com/JFuchsKC/status/1471921893758443526

https://twitter.com/DanielleVEsq/status/1472105731474137094

https://twitter.com/SOliverLaw/status/1472288392889073665

(Sorry for the spaghetti comment: I got a bit carried away).
Zababa over 3 years ago
> Wanna know why there's no comments on this blog? I don't want to have to deal with storing user data and doing moderation!

I've thought about starting a blog a few times, and I had the exact same thought. While it's very easy to make a static website and store it on a CDN to make it scale to billions of requests, it's very hard to create a moderation system that scales.
pkrotich over 3 years ago
Interesting - we received the same email but requester was a resident of Roanoke, Virginia. And the request was in regard to GDPR.

It smelled like SPAM enough for me to check the email headers - SPF and DMARC passed and was sent from potomacmail.com servers.

Another odd thing was - the request was for a customer using our SAAS application - so their targeting is not exactly accurate. I wanted to ignore it but we get emails all the time meant for our clients - so we simply replied that they should direct the request to the party in question.
5tefan over 3 years ago
I think you need some basic legal understanding to sort that kind of stuff into valid, unsure and invalid. It then depends on your confidence level if you require legal advice. Easier said than done.

From my point of view 45 days is plenty of time to read into the topic. On the other hand: Referring to 45 days was shooting way beyond the target here and unnecessary.

Scaring the author was wrong and by definition always happens without consent. That's what the author can blame the researchers for. This was turned into a 'without consent' situation and I find this too strong. The email is rather clear but is also weird enough to feel like scam.
johnchristopher over 3 years ago
This really feels like the long consequences for "it's just a prank bro" and "it's a social experiment (to totally misguide you into a behavior and claim it's a prank")".

Anyway,

    127.0.0.1 - - [18/Dec/2021:04:04:57 +0000] "GET /security.txt HTTP/1.1" 404 2110 "-" "Go-http-client/2.0"

I suppose there are no IP anyway and the reverse proxy doesn't forward them.
muraiki over 3 years ago
Apology from the PI, permanent suspension of sending emails, possible follow up emails telling people to disregard the original emails, and commitment to a formal research ethics study: https://twitter.com/jonathanmayer/status/1472427321047101442
throwaway600090 over 3 years ago
Would it make sense to pursue a class-action claim against Princeton and the researchers to recover everyone’s legal costs and business disruption costs? Probably wouldn’t be that difficult to get the contact information of every business that was contacted during discovery, right?
mission_failed over 3 years ago
At this point all outgoing email from Princeton should be flagged as potentially malicious. Their ethics committees seem to have no problems with using deception against non consenting test subjects, or actively trying to sabotage software projects, because 'using a computer' seems to be their catch-all for 'approved'.

Maybe then their executives will seriously review what their researchers are doing.
a-dub over 3 years ago
am i missing something? i don't see anything about research or studies in the original email.

maybe it's a legitimate inquiry?

maybe it's performance art? (does the blog post have to be taken down if a right to be forgotten request is filed?)

does the ccpa even apply to hobby or non-revenue generating endeavors?
pueblito over 3 years ago
> I go out of my way to ensure that this website handles as little user data as possible. I have gone so far to do this that the only unique identifiers I deal with are IP addresses…

This page uses Cloudflare so they’re offloading data collection but it’s still being done, right?
Tomte over 3 years ago
We've had a wave of almost exactly the same mails (GDPR instead of California law) some time ago: https://news.ycombinator.com/item?id=26845102
dqpb over 3 years ago
So, I think the question is: Can recipients bring a class action lawsuit against Princeton?
jeroenhd over 3 years ago
On the one hand, I think this research is done with bad ethics. Proper science requires consent of the people involved in experiments. An organisation like this should know better. I think that's the reason this research needs to stop and go back to the drawing board.

On the other hand, anyone in California could send such an email legitimately. If you're offended by the contents of the email rather than by the research itself, I have bad news for you: the text itself is perfectly fine. Someone can, and should be able to, exercise their rights regarding data collection. That goes for Big Tech which these laws are aimed at, but also for any other party out there collecting data. If you're afraid of someone exercising their digital rights, you should probably not host anything public.

The real problem here is not the research itself and not even the laws the research is about, but about the litigious nature of some countries. Bad research happens, turning this research attempt into a spam campaign. Everyone gets spam, it's not a reason for panic. It's only a problem when you think any email you receive can actually be the basis of a life-altering lawsuit.

If you are someone who got spooked by such an email, I can't help but think you might not want to publicly host anything. Attaching any kind of data collection to the web has come with legal implications for years now, even before the GDPR was a thing. This time it was a malevolent researcher; next time it might be someone who demands that their IP be purged from your logs. Look at this shoddy research as a training exercise, and consider if you're prepared when a real version of this email comes in, before it's too late to do anything about it!
xena over 3 years ago
I am the author of this article if anyone has any questions.
hermitcrab over 3 years ago
I got 2 of these emails. One CCPA and one GDPR, but the exact same boilerplate. So I knew it was sketchy. But I still wasted an hour of my time deciding whether to reply. Several of my colleagues in other small companies also received these emails. Multiply that by the thousands of emails they must have sent and that is a *lot* of time wasted. I believe some people even paid lawyers to respond. So potentially a lot of money wasted as well.

The senders either didn't realize the sort of time and waste of money this would cause, in which case they are idiots, or they did, in which case they are arseholes.

How did this get past the Princeton ethics board?

What if every researcher started spamming thousands of businesses without their consent?
omgitsabird over 3 years ago
Does anyone know an actual case of an individual blogger getting fined under the CCPA?
irthomasthomas over 3 years ago
Said everyone with a facebook account.
stavros over 3 years ago
I got an email from them too, asking about GDPR compliance. Isn't unsolicited mass email illegal under the GDPR? Maybe I should threaten to sue *them*.
shadowgovt over 3 years ago
What are the legal requirements for a blog run out of American servers by an American to be GDPR compliant these days?

I'm sort of wondering whether you can get away with responding to such a request these days with "I am not in a jurisdiction that is obligated to comply with that law, and if you choose to charge me with violating it I am not under obligation to defend myself in court nor render myself for judgment?"
Abimelex over 3 years ago
I don't know about the US, but a GDPR request in the EU is something totally common and nothing to worry about as long as your local data protection officer doesn't get involved ;) I do detailed GDPR requests from time to time, especially to companies that annoy me with personalized marketing, just to mock them.
EGreg over 3 years ago
I went to their website, and it says:

*Note from Jonathan Mayer, the Principal Investigator*

*Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study. I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.*

*The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard. I take your feedback to heart, and here is what I am doing about it.*

*First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.*

*Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.*

*Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.*

*Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.*

*If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received.*

*Thank you for reading, and again, my sincere apologies.*
ericabiz over 3 years ago
I received one of these as well, but the wording was different. From reading this, it sounds like the one I received was the one they send when they aren’t confident they have the correct email address. I didn’t respond. Here’s the email (I redacted my domain name and replaced it with [mydomain].)

To Whom It May Concern,

We are researchers at Princeton University conducting a study of how websites are implementing the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We are reaching out to you because this email address is provided as a contact on the website [mydomain].

Your website may be required to implement one or both of GDPR and CCPA, and we would appreciate if you would answer a few brief questions about your privacy practices.

1) Does [mydomain] implement GDPR or CCPA? If not, could you please explain why? If you are uncertain about whether [mydomain] is required to implement these laws or answer questions like ours, we have included informative resources at the end of this email.

2) If you implement GDPR or CCPA, do you process data access requests from individuals who are not residents of the EU or UK (for GDPR) or who are not residents of California (for CCPA)?

3) If you implement GDPR or CCPA, do you process data access requests via email, a website, or telephone? If via a website, what is the URL?

4) If you implement GDPR or CCPA, what personal information must a user submit for you to verify and process a data access request?

5) If you implement GDPR or CCPA, what personal information do you provide in response to a data access request?

Thank you in advance for your answers to these questions. If there is a better contact for questions about privacy practices on [mydomain], I kindly ask that you forward my request to them.

Sincerely, Ross Teixeira

----------

We offer these resources about GDPR and CCPA for your convenience. Please note that we cannot provide legal advice about whether [mydomain] is required to implement these laws or respond to our questions like ours about GDPR and CCPA practices.

* Article 3 of the GDPR, which specifies coverage: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e1455-1-1

* European Data Protection Board guidance on GDPR coverage: https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

* California Attorney General guidance on CCPA coverage: https://oag.ca.gov/privacy/ccpa#sectiona

* Section 1798.140 of the California Civil Code, which specifies the businesses that CCPA covers: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.140.&nodeTreePath=8.4.45&lawCode=CIV
beervirus over 3 years ago
A human research study? Give me a fucking break.

> someone asked me a question and it scared me
avalys over 3 years ago
I don't see anything unethical about sending an email asking website operators how they comply with their obligations under various privacy laws. If you are not subject to those laws, you can reply as such. And if you are subject to those laws - it is a valid question!

If you find the prospect of receiving this email so horrifying, perhaps your real problem is with the laws themselves?
renewiltord over 3 years ago
Lmao I periodically troll my friends by sending them GDPR and CCPA notices.

If you did this to my blog, I’d let you take me to small claims or whatever. The probability of you making it all the way to prosecution and the total harm is so low that I’m not going to CCPA or GDPR enforce on my blog.

Bite me.
Godel_unicode over 3 years ago
> This scared the shit out of me

This is satire, yes? Come on.
jollybean over 3 years ago
Put a PO Box mailing address on your website and mark any email that you don't want to read as spam.

If someone is serious about getting a hold of you, they can buy a stamp.
Ekaros over 3 years ago
I don't really see any issues with this. If you are subject to any of these rules you and your business should be ready. If not they shouldn't be a concern. Absolutely nothing unethical going on here. Apart from crap business not wanting to follow the legislation.
lisper over 3 years ago
My take: yes, a researcher misrepresented who they were. But that misrepresentation had nothing to do with the alleged harm. I see no reason to believe that the writer's reaction would have been any different if the request had been a completely legitimate one, which it very well could have been. The actual substance of the request was polite, non-threatening, and potentially legitimate. If the writer had bothered to do even a few minutes of research, she would have realized that the cited law did not apply to her and the requester was simply wrong when they said that it was. A panic attack was IMHO an extreme overreaction. Solicitations are sent out under false pretenses all the time by people with far more sinister motives. I think it's reasonable to expect adults in today's world to be able to take such things in stride and not freak out about them (or at least do a little bit of homework before freaking out).
mjfl over 3 years ago
This is going to be disagreeable, but as someone who was blocked from starting a COVID surveillance program at my uni due to the IRB constraints on "human subjects" - would need to buy special, expensive software in order to prevent test results from being 'deanonymized' - I think this space is too regulated already. In some cases, people with apparently legitimate ethical issues should have been told to shove it, in my opinion. Innovation is being destroyed to protect people's feelings.