• by Wendy Davis  @wendyndavis, December 22, 2021

Princeton University will delete all data that was collected as part of a “secret shopper” study in which researchers posed as consumers, and emailed website operators questions about their privacy practices.

The research team will also notify the recipients that the emails were sent as part of a study, and recommend that they disregard them, Princeton associate professor Jonathan Mayer said Tuesday.

For the study, which was cut short last week, researchers questioned website operators questions about their compliance with either the California Consumer Privacy Act or Europe's General Data Protection Regulation.

The emails didn't identify the sender as affiliated with Princeton, or specify that the information was being sought as part of a research project.

The messages, which asked for a response within 45 days, were worded in a way that left some recipients concerned they could face regulatory scrutiny or litigation.

Jeff Kosseff, an associate professor of cybersecurity law at the U.S. Naval Academy, called attention to the study last Friday, in a series of tweets.

“I've practiced privacy law for more than a decade, and the responses would require me to do some research and put some time into it,” he posted on Twitter. “I understand the value in 'secret shopper' type research, but this is different because many businesses will need to turn to outside counsel and their costly billable hours to come up with a response. They have no idea they're taking part in a study.”

On Saturday, Mayer apologized for the study and said researchers had permanently stopped sending out new messages. At the time, he said the research team planned to publish the results of the study as “academic research, with the intent of highlighting best practices for implementing GDPR/CCPA data rights and informing future policymaking about data privacy.”

But by Tuesday evening, Mayer reversed course. He said the research team would instead “delete all response data” and disable inbound mail to the domains from which the initial emails originated.