We are a team of computer science researchers at Princeton University and Radboud University, conducting an academic study of how online services have implemented the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
As part of the study, we are asking public websites about their processes for responding to GDPR and CCPA data access requests. We attempt to identify a website's correct email address for data access requests through an automated system. While we have evaluated the system to confirm that it has high accuracy, some emails may be incorrectly directed to a website or email address.
We are sending emails related to this study from the following single-purpose domains:
Please contact the study team at email@example.com if you have any questions or concerns. The members of the study team are Ross Teixeira and Professor Jonathan Mayer (the Principal Investigator) at the Princeton University Center for Information Technology Policy, and Professor Gunes Acar at the Radboud University Digital Security Group.
Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study. I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.
The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard. I take your feedback to heart, and here is what I am doing about it.
First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.
Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.
Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.
Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.
If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received.
Thank you for reading, and again, my sincere apologies.
Thank you to the website operators, email system operators, privacy professionals, academic colleagues, and all others who have reached out about our privacy rights study. I am writing to provide an update about how we are acting on the feedback that we have received.
Our top priority has been issuing a one-time follow-up message that identifies our study and that recommends disregarding prior email. We are sending those messages.
We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.
Please do not hesitate to reach out with further questions or concerns, and I again offer my heartfelt apologies for the burdens caused by this study.
The study aims to advance understanding of how websites have implemented the data rights provisions of European Union and California privacy law, specifically the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Our goals are to accurately describe how websites have operationalized these new user rights, whether websites are extending these rights to non-EU citizens and non-California residents, and whether websites are effectively authenticating users when they exercise these rights.
Very few websites post details of their processes for handling GDPR and CCPA requests. Both the GDPR and the CCPA contemplate users and intermediaries reaching out with questions about data rights processes, and we are using that opportunity to understand current website policies and practices.
We sent emails to websites through December 15, 2021. We are not currently sending additional emails for this study, and we will not send further emails.
We will publish the results of this study as academic research, with the intent of highlighting best practices for implementing GDPR/CCPA data rights and informing future policymaking about data privacy. There is no commercial component to this study. We will not identify how particular websites responded or did not respond to the emails in this study. We will delete all response data and disable inbound email to the above domains on December 31, 2021. As of December 31, 2021, all response data has been deleted.
We are not aware of any adverse consequences for a website declining to respond to an email that is part of this study. We will not send a follow-up email about an email that a website has not responded to, and we will not name websites when describing email responses in our academic research.
The majority of websites which are covered by GDPR or CCPA provide a public email address, which users can contact to exercise their data rights (e.g., firstname.lastname@example.org, email@example.com, or firstname.lastname@example.org). We attempt to identify a website's appropriate email address through an automated system that exclusively uses publicly available information from websites, website rankings, and website categorizations. The system assigns a confidence value depending on the website, email address, webpage where the email address appeared, website ranking, and website categorization. While we have evaluated the system to confirm that it has high accuracy, some emails may be directed to an incorrect website or email address.
The set of websites for this study is sampled from the Tranco list of popular websites and publicly available datasets of third-party tracking websites.
The study aims to understand how websites would respond to real users, while accommodating websites that may have less capacity to respond. We strike this balance by considering a website’s ranking, its categorization, the email address, the URL and content of the page where the email address appeared, and (when available from directory services) information about the business associated with the website.
When our study system cannot confidently identify a website email address which appears appropriate for GDPR or CCPA requests, the system does not send an email.
When the system has higher confidence that it has identified an appropriate email address, it sends a request for information that describes the study.
When the system has even higher confidence, it sends up to several emails that simulate real user inquiries about GDPR or CCPA processes. This research method is analogous to the audit and “secret shopper” methods that are common in academic research, enabling realistic evaluation of business practices. Simulating user inquiries also enables the study to better understand how websites respond to users from different locations.
We submitted an application detailing our research methods to the Princeton University Institutional Review Board, which determined that our study does not constitute human subjects research. The focus of the study is understanding website policies and practices, and emails associated with the study do not solicit personally identifiable information.