Termageddon customers,
Update on December 23, 2021: The email noted above seems to have come from the Princeton-Radbound Study on Privacy Law Implementation. The Principal Investigator of the study admitted to sending these emails as part of a study and has specifically stated that they are not legitimate requests and that you do not need to respond to these emails if you have received them. The full statement of the researcher on this matter can be found below:
If you would like to learn more about this study, you can do so here. You can also contact the study team regarding questions or concerns here: privacystudy@lists.cs.princeton.edu.
————————————————————————————————————————————————
Over the last few days, multiple businesses have received emails from individuals asking the business about their privacy rights and how those rights can be exercised. In fact, these emails are even being talked about in the discussion boards of the International Association of Privacy Professionals (IAPP.org). These inquiries have used very similar or the same language and go something like this:
To Whom It May Concern:
My name is (REDACTED), and I am a resident of (REDACTED), California. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:
- Would you process a GDPR data access request from me even though I am not a resident of the European Union?
- Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
- What personal information do I have to submit for you to verify and process a GDPR data access request?
- What information do you provide in response to a GDPR data access request?
- To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding (REDACTED WEBSITE), I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.
Sincerely,
(REDACTED)
If you have received one of these emails recently, you may be wondering what to do.
While this email seems to be suspicious (due to the fact that it has been bulk emailed to many unrelated companies and does not seem to be requesting to actually exercise privacy rights), we cannot confirm whether or not it is legitimate. Thus, we encourage you to take every request for privacy rights and questions, including this one, seriously.
Failing to respond to consumer requests can lead to complaints to data protection authorities, fines, and even lawsuits so it is important that you handle this matter expeditiously and accurately. Please note that Termageddon is not a legal services provider and the following information is not legal advice.
We encourage you to consider taking the following steps when evaluating and responding to these types of emails:
Step 1: Don’t panic!
Receiving an inquiry from a consumer regarding their privacy rights is not uncommon. As more privacy laws are passed, you should expect to see more of these types of requests from both legitimate consumers and others. If you have Termageddon, you can always rest easy knowing we monitor all current and new privacy laws and automatically update our customers’ policies accordingly.
Step 2: Review your Privacy Policy
If you have generated your Privacy Policy with Termageddon and it is up to date (meaning that you have answered all questions within the Privacy Policy generator and your dashboard does not say “update required” nor “update recommended” by your license), your Privacy Policy will state what privacy rights you provide to whom (under the “Your Rights” section) and how individuals can exercise their privacy rights (under the “Exercising Your Rights” section).
Please note that if your Privacy Policy does not have these sections but is otherwise up to date, that means that you may not be required to provide any privacy rights to any individuals. If this is the case and you have confirmed that the privacy law that the individual is referring to does not apply to you (you can see what privacy laws apply to whom here: https://termageddon.com/laws-require-privacy-policy/), you can respond to the individual stating that you cannot process their request as the privacy law does not apply to you.
If, however, your Privacy Policy does have the “Your Rights” and “Exercising Your Rights” sections, those sections will help you answer the following questions from the email:
- Who you provide privacy rights to, including whether you would process a request from a consumer not located in the state or country in which the privacy law was passed;
- How consumers can exercise their privacy rights, whether through email, a website, or telephone; and
- What information a consumer will need to submit to verify their identity to exercise their privacy rights.
Step 3: Respond to the request and reference your Privacy Policy
If you choose to respond to this request, you will need to do so within the time period specified in your Privacy Policy and in the privacy laws that apply to you. Please note that most privacy laws require you to respond within 30 to 45 days of receipt of the request.
We recommend that you link to your Privacy Policy in your response so that the individual making the request can view your privacy practices in full. In your response, you can either refer to the “Your Rights” section within your Privacy Policy or enter in the information from that section to answer the questions in the email.
One question that is not answered within your Privacy Policy is “what information do you provide in response to a data access request?” The answer to this question is not provided within the Privacy Policy as it depends on what information the individual provided to you in the first place. Thus, to answer this question, it is important to tell the individual that they will receive the information that you hold about them in the format required by the law that the request was made under if they do choose to make an official request.
What if you do not have a Privacy Policy?
To respond to this request, you will need to determine what privacy laws apply to you, what privacy rights you will need to provide to whom, and how individuals can exercise their rights. Contact your attorney and consider using an auto-updating Privacy Policy generator such as Termageddon!
Best,
Donata