
Princeton University has apologized for a "secret shopper" study in which researchers posed as consumers and demanded information about how website operators -- including nonprofits and bloggers -- complied with privacy laws.
For the study, which was cut short last week, researchers emailed website operators questions about their compliance with either the California Consumer Privacy Act or Europe's General Data Protection Regulation.
The emails didn't identify the sender as affiliated with Princeton, or specify that the information was being sought as part of a research project.
The messages were also worded in a way that left some recipients concerned about the possibility of regulatory scrutiny or litigation.
Princeton associate professor Jonathan Mayer said in a blog post that the study drew on "secret shopper" techniques, which involve researchers posing as consumers.
Mayer said the emails were sent to companies that appeared on a list of popular websites, as well as to some "publicly available datasets" of third-party trackers.
"The intent of our study was to understand privacy practices, not to create a burden on website operators, email system operators, or privacy professionals. I sincerely apologize," he wrote.
He added: "Our team will not send any new automated inquiries for this study. We suspended sending on December 15, and that is permanent."
It's not yet clear how many website operators received the messages.
One publicly available message, which was posted by the operator of the Free Radical blog, purportedly came from a resident of Nice, France.
That email posed a series of questions relating to the website's response to consumers' requests for access to their personal data.
The author asked whether the site would process a data access request from a non-California resident, and what type of information would be provided in response to a data access request, among other questions.
The message concluded: "I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code."
The requests -- particularly the demand for answers within 45 days -- could have led recipients to believe they were under scrutiny by the California Attorney General, according to Jeff Kosseff, an associate professor of cybersecurity law at the U.S. Naval Academy.
"It did not seem like they considered the real world aspects of the burdens this would place on the recipients," Kosseff tells MediaPost.
Kosseff says he learned of the emails after a friend of his who runs a nonprofit received one.
"She was terrified," Kosseff says.
He adds that even though nonprofits aren't subject to the California Consumer Privacy Act, the email sparked concern by making it appear as if her organization was under regulatory scrutiny.
"Nobody wants the California Attorney General contacting them and demanding information," he says.
The California Consumer Privacy Act allows state residents to learn what personal information has been collected about them by for-profit businesses covered by the law, have that information deleted, and prevent the sale of that data to third parties.
Kosseff called attention to the study on Friday, in a series of tweets.
"I've practiced privacy law for more than a decade, and the responses would require me to do some research and put some time into it," he tweeted. "I understand the value in 'secret shopper' type research, but this is different because many businesses will need to turn to outside counsel and their costly billable hours to come up with a response. They have no idea they're taking part in a study."
On Friday, after the operator of the Free Radical blog learned the email was sent as part of a research project, he posted: "I verged on a panic attack for nothing. People who wasted money asking lawyers for their advice on this did it for nothing. How dare you, Princeton? I didn't give you permission to experiment on me!"
For his part, Mayer wrote that he is "dismayed that the emails in our study came across as security risks or legal threats."
Kosseff says he would like to see Princeton do more than apologize. He says the school should also reimburse some website operators -- particularly nonprofits and individuals -- for expenditures on outside counsel.