Also, while not a legal threat, "My questions are about your process for when I do submit a request." strongly implies an intent to submit a legal CCPA request in the future. Using "if" instead of "when" would have somewhat mitigated this, although it still comes across as somebody trying to find a loophole.
Then they’re not very good cease and desist letters. A C&D should state exactly what you are asking them to stop doing and exactly what will happen if they don’t. That way the other party can’t claim they didn’t understand later.
Search C&D samples on google and see for yourself.
“Your failure to abide by your Agreements will result in [redacted] pursuing any and all available remedies, including but not limited to injunctive relief and monetary damages.”
So, I don’t consider this very specific (you may, and that’s fine but then our disagreement is about something different).
Yes, language like that. Put it this way, a cease and desist should contain an IF THEN. If you don’t stop copying my CD then I will sue you for injunctive relief and monetary damages.
Contrast that to the subject email. There’s no if you don’t respond then I will sue you. It’s not a threat, it’s a request and the requestor’s reference to a statute that they think might apply.
I’ve been on the internet since before Al Gore invented it. I’ve seen more crappy stuff from lawyers all the time. Remember, in the US, you do not need a reason to sue someone. A friend just got sued by a guy who tried to by his house for some BS reason. Trust me, stupid stuff happens.
EDIT: Some grammar, and minor clause clarification in second-to-last paragraph.
Yes, frequently. And throwaway.
About once a week, I pick an account in my LastPass collection, and initiate the following process:
1. Initiate a CCPA data request using a form or email, and I always include language about the timeline. I am not a lawyer, I'm just a person.
2. Then, once I have the data, I delete the account.
I'm trying to purge my web presence before I move out of California. I have about 200 accounts left, and have done this with 50.
Admittedly, these are all large businesses, so far. Think Google, where I've worked myself, so I know they are equipped to handle it. But, I will be working my way down to small businesses eventually, and I am surprised to find out that simply quoting the statute (which is what I do) is considered anything but vaguely legally threatening. If the website doesn't fall under CCPA, or hell, if it does, I just expect it to be ignored. I mean no ill will.
I'm personally pretty conflicted, since I actually fully agree with this [1] about the study being unethical, but if I send an email as an individual to a website with my data, quoting a California law, that doesn't seem wrong to me, even if it causes $10k in legal costs, since my request is truly genuine and not intended to cause harm.
I would agree that there is a distinction at the study level, but I'm not exactly sure why.
The distinction is super clear to me. You as an individual are exercising genuine data subject access rights granted to you by law. They are a researcher prentending to be a data subject exercising rights in order to gather data for their study.
Even if what you are doing is "legal" it seems abusive as hell to me, especially if it is ever targeted at a smaller company or person like in the OP's case. Why are being so difficult? Why don't you find something more useful to do with your time instead of making others jump through idiotic hoops out of some misplaced sense of justice?
I imagine that for some companies it is difficult, and to the extent that I feel a 'sense of justice' about it, I would hope that my efforts help the organization (or single person, acknowledging that) set up a process to handle this.
I'm *genuinely* not trying to be abusive though. It's *extremely important* that consumers have the ability to exercise their data and privacy rights.
I'm not that old (mid 30s), but genuinely much of the data I have on the internet was put there when I was an actual child. And it's still there. This is actually one of the first times I've posted in *years* online. I really want to delete *almost everything*. Note in my OP, I said I worked at Google. I quit, because although I actually think ad targeting and the surveillance network are actually okay-ish, I wanted to opt-out myself, on both ends. So far, this decision has cost me 250k USD personally (if I calculate out the opportunity cost since I quit, just so far). And for the websites/apps I do still use, I donate some amount of money per year. OK, maybe I'm a freak, I really do think this stuff is important.
What would you suggest I do? Leave all my data online? As I said, in my cases, I was an actual child (those COPPA things did nothing to stop me), and this is, so far, a really effective way at getting places to delete my data. Maybe it's because they're "scared" of the law, but you know, then the law is working. Before, nobody responded to my deletion requests, and many websites had no option to delete. As a libertarian-ish person, this is a clear win for the consumer in terms of "coercive power of the state being used to create a framework that increases net freedom".
I am open to being wrong though! Let me delete all of my data first though so I don't have to do this again.
Responding to throwaway, I think the critical difference here is that you're making the requests in good faith. The researcher was making these (could be interpreted as vague) requests deceptively.
Yeah, I think that's right. But it does raise an interesting point. The meta-point of the study was a good one, I think, which is to "study privacy on the internet".
I'm soooo behind that (one reason I am disappointed in the ethical lapses here)—I've often considered publishing the steps I take for each website on a substack or whatever, to help other people. Sometimes, it can be hard to figure out (1) if your data can be requested-to-be-deleted, and (2) how to even do it.
Clearly, the deception was bad; I guess, just thinking out loud, how could this study have been done ethically? Perhaps, sign up real people to request the data, and transparently include a notice that this was part of a study?
The last bit is the tricky one; including that might skew the results in favor of websites being compliant.
If I understand correctly the sentiment is that the study is not in “good faith” by virtue of being a study. That’s where I’m genuinely ethically confused. It’s not like the study is bad faith (like they’re trying to trick websites into something illegal then sue them). At worst it’s neutral faith. But why is that unethical?
