Update on December 23, 2021: The email noted above seems to have come from the Princeton-Radboud Study on Privacy Law Implementation. The Principal Investigator of the study admitted to sending these emails as part of a study and has specifically stated that they are not legitimate requests and that you do not need to respond to these emails if you have received them. The full statement of the researcher on this matter can be found below:
If you would like to learn more about this study, you can do so here. You can also contact the study team regarding questions or concerns here: email@example.com.
Over the last few days, multiple businesses have received emails from individuals asking the business about their privacy rights and how those rights can be exercised. In fact, these emails are even being talked about in the discussion boards of the International Association of Privacy Professionals (IAPP.org). These inquiries have used very similar or the same language and go something like this:
To Whom It May Concern:
My name is (REDACTED), and I am a resident of (REDACTED), California. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:
- Would you process a GDPR data access request from me even though I am not a resident of the European Union?
- Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
- What personal information do I have to submit for you to verify and process a GDPR data access request?
- What information do you provide in response to a GDPR data access request?
- To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding (REDACTED WEBSITE), I kindly ask that you forward my request to them.
I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.
If you have received one of these emails recently, you may be wondering what to do.
While this email seems suspicious (it has been bulk emailed to many unrelated companies and does not appear to be an actual attempt to exercise privacy rights), we cannot confirm whether or not it is legitimate. Thus, we encourage you to take every privacy rights request and question, including this one, seriously.
Failing to respond to consumer requests can lead to complaints to data protection authorities, fines, and even lawsuits, so it is important that you handle this matter expeditiously and accurately. Please note that Termageddon is not a legal services provider and the following information is not legal advice.
We encourage you to consider taking the following steps when evaluating and responding to these types of emails:
Step 1: Don’t panic!
- Who you provide privacy rights to, including whether you would process a request from a consumer not located in the state or country in which the privacy law was passed;
- How consumers can exercise their privacy rights, whether through email, a website, or telephone; and
- What information a consumer will need to submit to verify their identity to exercise their privacy rights.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.