“Questions About GDPR Data Access Process” Spam from Virginia

  • NOTE: See recent updates below the original April 2021 post!

The other day, I received the following email:

Subject: Questions About GDPR Data Access Process for [DOMAINNAME]
To Whom It May Concern:

My name is [REDACTED], and I am a resident of Roanoke, Virginia. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

  1. Would you process a GDPR data access request from me even though I am not a resident of the European Union?
  2. Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
  3. What personal information do I have to submit for you to verify and process a GDPR data access request?
  4. What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding [DOMAINNAME], I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

[REDACTED]

It’s a confusing email, but as it turns out, one received by many other website owners. In fact, there’s a thread about it on Reddit.

GDPR deals with processing personally identifiable information. Non-compliance can lead to stiff fines. It even applies to companies outside the EU if they process personal data of EU residents.

If you get a request regarding personally identifiable information from an EU resident, you will need to answer promptly or you can face fines. However, no such requirement exists under GDPR regarding the data of individuals outside the EU.

I don’t know what the intention of the sender of this email is, but I have my suspicions.

The email was sent from an address at “potomacmail.com”, a recently registered domain (2020-03-02), via an Amazon EC2 host (52.23.113.96). The HTML part of the email references a single-pixel “web bug”: an image loaded from the potomacmail.com website that causes the IP address of the recipient’s browser or mail client to be logged on that server whenever the email is opened in a mail client that does not block images from untrusted senders by default:

https://potomacmail.com/p.png?req=GDPR&target=1234

The URI contains a unique value (it was something other than 1234 in my case) that presumably identifies the recipient of the email. In other words, the senders of this email themselves collect personally identifiable information which, if the recipient happens to be in the EU, is subject to GDPR and its potential fines.
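The tracking pixel described above is easy to spot mechanically. The following is an added example (not code from the original post) that scans a decoded HTML mail body for remote images carrying a query-string token, 1x1 dimensions or a hidden style, and reports the per-recipient identifier. The sample HTML is constructed to resemble the message; the image URL is the one quoted in the post with its 1234 placeholder.

```python
"""Find remote-image 'web bugs' in an HTML e-mail body.

Added example, not code from the original post. It assumes the mail body
has already been decoded to a string; SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a short HTML body carrying a 1x1 remote image whose
# query string holds a per-recipient token (1234 is the post's placeholder),
# plus an inline (cid:) logo that never touches the network.
SAMPLE_HTML = """
<html><body>
<p>To Whom It May Concern:</p>
<p>My name is [REDACTED], and I have a few questions about your process.</p>
<img src="https://potomacmail.com/p.png?req=GDPR&amp;target=1234"
     width="1" height="1" style="display:none" alt="">
<img src="cid:signature-logo" width="120" height="40">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes values (&amp; -> &)
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when the width/height attributes say the image is at most 1x1."""
    try:
        return int(attrs.get("width", "0")) <= 1 and int(attrs.get("height", "0")) <= 1
    except ValueError:
        return False


def find_web_bugs(html_body):
    """Return one finding per remote <img> that looks like a tracking pixel.

    A finding holds the image host and path, the query parameters (the
    likely recipient identifier lives there) and the heuristics that fired.
    cid:, data: and relative references are skipped because they do not
    phone home; a plain remote image with no token, visible size and no
    hiding style yields no finding.
    """
    parser = _ImgCollector()
    parser.feed(html_body)
    findings = []
    for attrs in parser.images:
        parts = urlsplit(attrs.get("src", ""))
        if parts.scheme not in ("http", "https"):
            continue
        reasons = []
        params = parse_qs(parts.query)
        if params:
            reasons.append("query-string token")
        if _is_tiny(attrs):
            reasons.append("1x1 dimensions")
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("hidden via style")
        if reasons:
            findings.append({
                "host": parts.hostname,
                "path": parts.path,
                "params": {k: v[0] for k, v in params.items()},
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML):
        print(f"{f['host']}{f['path']} params={f['params']} "
              f"because: {', '.join(f['reasons'])}")
```

The heuristics are deliberately independent: a 1x1 image without a token is still worth reporting, and a full-size image with a unique token is, too. A mail client that blocks remote images until the user opts in defeats all three variants, which is why that default matters more than any scanner.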

UPDATE (2021-12-11)
There is a similar spam e-mail going around recently, with almost identical wording but mentioning the California Consumer Privacy Act (CCPA) instead of the European GDPR:

Subject: Questions About CCPA Data Access Process for [DOMAINNAME]

To Whom It May Concern:

My name is [REDACTED], and I am a resident of San Francisco, California. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

1. Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
2. What personal information do I have to submit for you to verify and process a CCPA data access request?
3. What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.
(…)

This email was sent from an address at “yosemitemail.com”, a domain registered on 2020-03-02 with the same registrar at the exact same time as the “potomacmail.com” domain used in the GDPR variant of this spam:

Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-08T03:30:04Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-03T22:25:43Z
Creation Date: 2020-03-02T02:15:46Z
Registry Expiry Date: 2022-03-02T02:15:46Z
Registrar: NameCheap, Inc.

As you can see, the creation time is exactly the same, down to the second, and the Domain IDs of the two domains are consecutive. Both sender domains were obviously created by the same registrant, who uses them for the same purpose.

As far as I can tell, whether you are in California or outside, you are under no obligation to reply to this email. I would not advise replying to it.

UPDATE (2021-12-13)
The GDPR mails sent in the name of a person in Russia are sent from a domain registered via a different registrar about one month after the other two domains:

domain: NOVATORMAIL.RU
nserver: ns1crv.name.com.
nserver: ns2ckr.name.com.
nserver: ns3cjl.name.com.
nserver: ns4fpy.name.com.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: RU-CENTER-RU
admin-contact: https://www.nic.ru/whois
created: 2020-04-06T05:35:06Z
paid-till: 2022-04-06T05:35:06Z
free-date: 2022-05-07
source: TCI

Another domain used for sender addresses is “envoiemail.fr”, which was registered a day after “yosemitemail.com” and “potomacmail.com”:

domain: envoiemail.fr
status: ACTIVE
hold: NO
holder-c: ANO00-FRNIC
admin-c: ANO00-FRNIC
tech-c: RT12727-FRNIC
zone-c: NFC1-FRNIC
nsl-id: NSL82816-FRNIC
registrar: 1API GmbH
Expiry Date: 2022-03-03T20:45:06Z
created: 2021-03-03T20:45:06Z
last-update: 2021-03-03T20:45:07Z
source: FRNIC

All four domains have their email hosted at Google. That is not unusual; lots of domains use Gmail for mail hosting these days. It is still worth pointing out, though.

POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt3.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 10 alt4.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt2.aspmx.l.google.COM.

YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt3.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 10 alt4.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 5 alt2.aspmx.l.google.COM.

NOVATORMAIL.RU. 300 IN MX 5 alt1.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 5 alt2.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt3.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 10 alt4.aspmx.l.google.com.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.

envoiemail.fr. 1799 IN MX 10 alt3.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 10 alt4.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt1.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 5 alt2.aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.
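The two pivots used above, comparing WHOIS registration metadata (the consecutive Registry Domain IDs and identical creation timestamps of the two .com domains) and checking where the sender domains' mail is hosted (the MX records), can be automated. Below is an added example, not code from the original post, that parses key/value WHOIS output and zone-style MX lines and reports what the domains share. The record text is constructed from the records quoted in the post (trimmed to the relevant lines); the WHOIS parsing is plain key/value handling, not any registry's own parser, and the "provider" of an MX target is approximated by its last two DNS labels, which is an assumption that fails for registries such as co.uk.

```python
"""Pivot on registration and mail-hosting metadata of sender domains.

Added example, not from the original post. The WHOIS and MX text below
is constructed from the records quoted in the post.
"""
import re
from datetime import datetime

# Constructed from the post's WHOIS output, reduced to the fields used here.
WHOIS_RECORDS = {
    "potomacmail.com": """Domain Name: POTOMACMAIL.COM
Registry Domain ID: 2498859494_DOMAIN_COM-VRSN
Registrar: NameCheap, Inc.
Creation Date: 2020-03-02T02:15:46Z""",
    "yosemitemail.com": """Domain Name: YOSEMITEMAIL.COM
Registry Domain ID: 2498859495_DOMAIN_COM-VRSN
Registrar: NameCheap, Inc.
Creation Date: 2020-03-02T02:15:46Z""",
}

# Constructed from the post's MX listing (one or two records per domain).
MX_RECORDS = """POTOMACMAIL.COM. 3600 IN MX 1 aspmx.l.google.COM.
POTOMACMAIL.COM. 3600 IN MX 5 alt1.aspmx.l.google.COM.
YOSEMITEMAIL.COM. 1799 IN MX 1 aspmx.l.google.COM.
NOVATORMAIL.RU. 300 IN MX 1 aspmx.l.google.com.
envoiemail.fr. 1799 IN MX 1 aspmx.l.google.com.
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    return fields


def registry_id_number(fields):
    """Numeric part of a Verisign-style 'NNNN_DOMAIN_COM-VRSN' registry ID, or None."""
    m = re.match(r"(\d+)_", fields.get("Registry Domain ID", ""))
    return int(m.group(1)) if m else None


def compare_registrations(whois_a, whois_b):
    """Report which registration attributes two WHOIS records share."""
    fa, fb = parse_whois(whois_a), parse_whois(whois_b)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    created_a = datetime.strptime(fa["Creation Date"], fmt)
    created_b = datetime.strptime(fb["Creation Date"], fmt)
    id_a, id_b = registry_id_number(fa), registry_id_number(fb)
    return {
        "same_registrar": fa.get("Registrar") == fb.get("Registrar"),
        "creation_delta_seconds": abs((created_a - created_b).total_seconds()),
        "consecutive_registry_ids": id_a is not None and id_b is not None
        and abs(id_a - id_b) == 1,
    }


def mail_providers(zone_text):
    """Map each domain to the set of providers hosting its MX targets.

    Assumption: the provider is the last two labels of the MX target
    (aspmx.l.google.com -> google.com). Good enough for these records,
    wrong for multi-label public suffixes such as co.uk.
    """
    providers = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3].upper() != "MX":
            continue
        owner = parts[0].rstrip(".").lower()
        target = parts[5].rstrip(".").lower()
        providers.setdefault(owner, set()).add(".".join(target.split(".")[-2:]))
    return providers


def shared_provider(zone_text):
    """Return the one provider used by every domain in the zone text, else None."""
    providers = mail_providers(zone_text)
    union = set().union(*providers.values()) if providers else set()
    return next(iter(union)) if len(union) == 1 else None


if __name__ == "__main__":
    result = compare_registrations(WHOIS_RECORDS["potomacmail.com"],
                                   WHOIS_RECORDS["yosemitemail.com"])
    print("registration overlap:", result)
    print("mail providers:", mail_providers(MX_RECORDS))
    print("shared provider:", shared_provider(MX_RECORDS))
```

A zero-second creation delta together with adjacent registry IDs is strong evidence of a single registrant acting in one session; a shared mail provider on its own is weak evidence, as the post notes, and is only worth recording as one more attribute of the cluster.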

I am told that the one-month reply period under Article 12 of GDPR only applies to data access requests, and the email itself explicitly states that it is not one.

UPDATE (2021-12-15)

It turns out that these deceptive emails using fake identities were sent out by a researcher at Princeton University as part of a study into how website operators implement GDPR and CCPA. In the most recent mails to website operators, the senders are now disclosing their background instead of using fake identities.

These GDPR and CCPA emails created great anxiety amongst the recipients (nobody wants to pay huge fines) and that should have been clear to the senders from the very beginning, yet they went ahead and spammed us as if we were human guinea pigs.

Even if somehow it wasn’t clear to them in the beginning, public blog posts and forum discussions after the April spam run should soon have shown them that this wasn’t going to end well. Why did they continue with the same mode of operation more than half a year later? And why did their university let them do that?

Normally I would expect to be able to easily distinguish between online scams and academic research but I guess, not any more. We are living in strange times.

21 thoughts on ““Questions About GDPR Data Access Process” Spam from Virginia”

  1. I got this too, as apparently many people have…must be some sort of scam, but it’s unclear what they are trying to do

  2. Thank you, Joe. This was super helpful! Regards from Montreal.

  3. Hi Joe
    Thanks for this post. Last night I received two similar emails for GDPR and CCPA. The wording is exactly the same as the one you have listed. The GDPR email claimed to be from someone from France. I wonder if you have any further updates. Did you respond? Did you hear back from them? I’m at a loss what to do as I know you are supposed to comply with a request but I’m hesitant to do this if it is spam or any other form of coercion.
    Thanks

    Peter

  4. I got a near identical email, but they claimed to be in Virginia.

  5. @Peter,
    You don’t have to reply as it’s *not* a data access request (as they explicitly state in the mail), it’s basically a fishing expedition to see who would respond. If it isn’t a data access request you are under no obligation to reply and frankly, you gain nothing by replying.

    I think their purpose is to see who gets scared enough by this first mail into replying. Respondents will then receive the next email, which most likely leads to some scheme where whoever sends you these mails can make money. At least that’s my guess.

  6. yesterday I received two similar emails for GDPR and CCPA. Same wording, one from France and one from Virginia.
    This was very helpful! regards from Milan

  7. Hi,
    I received a similar email from a sender kurtmayfair@potomacmail.com .
    My website is intended mainly for Italian users (the content is in Italian).

    If it could be useful, the email received is the following (I replaced the URL of my website with the text MY_WEBSITE).

    “To Whom It May Concern:

    My name is Kurt Mayfair, and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

    Would you process a CCPA data access request from me even though I am not a resident of California?
    Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
    What personal information do I have to submit for you to verify and process a CCPA data access request?
    What information do you provide in response to a CCPA data access request?
    To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

    Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding MY_WEBSITE, I kindly ask that you forward my request to them.

    I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

    Sincerely,

    Kurt Mayfair”

  8. Would be an interesting opportunity for a scam buster to play along and see what crawls out from under the stone. Since the domains are registered through NameCheap, I wouldn’t have seen them as such domains require whitelisting at our system, for obvious reasons.

  9. I suspect what’s going on here is that some bottom-feeder is looking for companies to extort with the help of the law.

    In the US, some scummy law firms make their bread and butter issuing legal threats over compliance with the Americans with Disabilities Act. An ambulance chaser, who has recruited a disabled person to act as an ostensible potential plaintiff, will visit public businesses looking for legitimate but minor ADA violations. Then they run an extortion scheme on the business.

    For example, suppose a restaurant has a wheelchair ramp installed, but the grade of the ramp slightly exceeds the federally-mandated maximum 1:12 ratio for such a ramp. The lawyer will send the restaurant a letter threatening an expensive federal lawsuit over ADA violations on behalf of his disabled client. Of course, this matter can be quietly and discreetly settled for a small fee of $500, which is cheaper than replacing the ramp and much less costly than litigation…

    So, my guess here is that someone’s blasting this letter out and saving all of the responses that admit — in writing! — that the company isn’t in compliance / refuses to comply / doesn’t know how to comply with the relevant law. The extortionist will then begin threatening lawsuits, offering to go away for a fee.

  10. I got one of these about GDPR saying they’re from Moscow in Russia. It was in my spam, as others in that Reddit thread said too.

  11. Thanks for the helpful post!

    On Saturday 11 December I received two emails from different senders with exactly the same text except for names and places (Roanoke, Virginia sent from potomacmail.com and Sacramento, California sent from yosemitemail.com).

    Both emails referenced GDPR but not CCPA.

    Both emails were received during the night with the second one coming in 59 minutes after the first.

  12. We received the same email but with CCPA in place of GDPR. I hate scammers.

  13. Pingback: California Privacy Rights Act (CPRA) > Datenschutzrecht

  14. Thank you Joe, this is really useful as we’ve received a similar request (the CCPA one). Presumed it was dodgy but always nice to know!

    Out of interest the reason these might get a response from a lot of EU or UK based organisations is that it’s possible for non EU/UK citizens to be covered by the GDPR. An American citizen attending a UK university for example, would be able to exercise rights under GDPR with regard to the information processed by the university about them. Similarly if your data is processed by a company based in the EU you’d fall within the scope of GDPR, even if you’d never been to the UK or Europe.

  15. I received both the CCPA and GDPR variety of this mail message, and was surprised to learn it is part of a research project. My personal site is outside the scope of both acts, and it makes me wonder what type of filtering if any did they do on their list of recipients and how my e-mail address ended up on that list in the first place. I have reached out to the researchers and they write that “We currently held off sending any further emails” due to some of the feedback received. I have filed a complaint with the Radboud University (as I’m in the same country), and am approaching Princeton for information about any approval process w.r.t. ethical research design, that was applied to this research.

  16. Many thanks for digging into this. We also received these emails.
    I wonder if it would be helpful to report this to Princeton’s Internal Review Board. In light of the burden it sought to impose on non-consenting data subjects, it seems it should have been flagged as an unethical practice.

  17. Very helpful post. Thank you.

    Since these emails are causing many companies to spend a lot of time figuring out whether and how to respond, is there some professional organization that can tell Princeton to state in their emails that this is a legit study? Just goes to show that they may be brilliant in computer science, but not so much in awareness of how their actions affect others.

  18. If the sender is from the US, is it possible to sue the hell out of the sender? In my layman opinion this causes pain to the recipient, not to speak of expenses from an assumed legal position. A clever lawyer may be able to make them pay a painful amount of money in response.

  19. @Ned Land: I am no lawyer and the following is just my personal interpretation of the legal situation. The Federal CAN-SPAM act in the US is rather toothless and prosecutions under it are rare. The crucial detail here probably is the fact that it specifically only regulates commercial emails whereas these mails supposedly were sent for academic purposes. There is no business angle. Even if all the other provisions apply (e.g. the deceptive nature of the description of the originator), that would probably prevent a prosecution under the act.

    It’s the universities where this “research” was conducted that should have supervised the design and methodologies of the study. That they apparently didn’t do so hints at deeper problems. I think their ethics boards will take an interest in public submissions about it.

  20. Pingback: Vorsicht, gefälschte E-Mail-Anfragen zum Datenschutz! - Steiger Legal
