If you received an email message from one of the domains listed below, please disregard it.

As of December 31, 2021, all response data has been deleted.

Update 4 (Friday, December 31 @ 10:20pm): Updated FAQs to confirm deletion of study data.

Update 3 (Tuesday, December 21 @ 7:40pm): Added an update from the Principal Investigator. Updated FAQs about no additional emails and deletion of study data. Updated contact information for the research team.

Update 2 (Saturday, December 18 @ 11:30pm): Added a note from the Principal Investigator below. Added a note above to disregard emails from domains listed.

Update 1 (Friday, December 17 @ 7pm): Added an FAQ below.

We are a team of computer science researchers at Princeton University and Radboud University, conducting an academic study of how online services have implemented the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

As part of the study, we are asking public websites about their processes for responding to GDPR and CCPA data access requests. We attempt to identify a website's correct email address for data access requests through an automated system. While we have evaluated the system to confirm that it has high accuracy, some emails may be incorrectly directed to a website or email address.

We are sending emails related to this study from the following single-purpose domains:

Please contact the study team at privacystudy@lists.cs.princeton.edu if you have any questions or concerns. The members of the study team are Ross Teixeira and Professor Jonathan Mayer (the Principal Investigator) at the Princeton University Center for Information Technology Policy, and Professor Gunes Acar at the Radboud University Digital Security Group.

Note from Jonathan Mayer, the Principal Investigator (Saturday, December 18 @ 11:30pm)

Hi, my name is Jonathan Mayer. I’m the Principal Investigator for this academic research study. I have carefully read every single message sent to our research team, and I am dismayed that the emails in our study came across as security risks or legal threats. The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize. I am the senior researcher, and the responsibility is mine.

The touchstone of my academic and government career, for over a decade, has been respecting and empowering users. That’s why I study topics like web tracking, dark patterns, and broadband availability, and that’s why I launched this study on privacy rights. I aim to be beyond reproach in my research methods, both out of principle and because my work often involves critiquing powerful companies and government agencies. In this instance, I fell short of that standard. I take your feedback to heart, and here is what I am doing about it.

First, our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent.

Second, our team is prioritizing a possible one-time follow-up email to recipients, identifying the academic study and recommending that they disregard the prior email. If that is feasible, and if experts in the email operator community agree with the proposal, we will send the follow-up emails as expeditiously as possible.

Third, I will use the lessons learned from this experience to write and post a formal research ethics case study, explaining in detail what we did, why we did it, what we learned, and how researchers should approach similar studies in the future. I will teach that case study in coursework, and I will encourage academic colleagues to do the same. While I cannot turn back the clock on this study, I can help ensure that the next generation of technology policy researchers learns from it.

Fourth, I will engage with the communities that have contacted me about this study, which have already offered valuable suggestions for future directions to simplify, standardize, and enhance transparency for GDPR and CCPA data rights processes. I very much appreciate the earnest outreach so far, and I will be reciprocating.

If you have questions or concerns about the study, please do not hesitate to reach out. I gratefully acknowledge the feedback that we have received.

Thank you for reading, and again, my sincere apologies.

Update from Jonathan Mayer, the Principal Investigator (Tuesday, December 21 @ 7:40pm)

Thank you to the website operators, email system operators, privacy professionals, academic colleagues, and all others who have reached out about our privacy rights study. I am writing to provide an update about how we are acting on the feedback that we have received.

Our top priority has been issuing a one-time follow-up message that identifies our study and that recommends disregarding prior email. We are sending those messages.

We have also received consistent feedback encouraging us to promptly discard responses to study email. We agree, and we will delete all response data on December 31, 2021.

Please do not hesitate to reach out with further questions or concerns, and I again offer my heartfelt apologies for the burdens caused by this study.

Frequently Asked Questions