
> You cannot, as implied by the email, demand a response to an arbitrary query.

I wouldn't say that the questions were arbitrary; they were exactly the things you would need to know in order to submit a request for information, but without the actual request.

The only alternative that I can think of to get the same information is to register at all of these websites, use them for five minutes, then make an actual legal request, and if not provided with "information" and "purposes", to make an actual legal threat.

I don't get the impression that site owners would feel a lot happier about that approach. I can see how sending the email that was actually sent would be seen by a researcher as a better approach. And I can also see a self-serving aspect, in that it's a cheaper approach - saves the labor of registering a bunch of accounts.

But I'm getting the impression that site owners went to defcon 1 after getting a single request for information that should be easily available on the site if it were subject to the law (which the blog author has stated clearly that they were not.)

If anything was missing imo, it's that there should have been help in the email mentioning the for-profit/$25MM revenue/50K Californians requirement in the law - but that might make it sound more like a threat, not less. They could also have made better guesses about whether the sites they were emailing would be bound by the law, and targeted the emails better.

But if the site does fall under the law, and they felt threatened and hired a lawyer to answer those questions, I'm not sympathetic. They're supposed to be able to answer those questions if any of the >50K Californians they work with ask, at any time. If they were, replying would be a simple matter of sending a link or a form email that they already had ready.




> they were exactly the things you would need to know in order to submit a request for information, but without the actual request.

This doesn’t seem accurate to me. The first and fourth questions especially aren’t relevant to submitting a valid CCPA request.

But my point was that, more generally, if your goal is to use CCPA to compel a company to answer your questions, I think you’re going to be disappointed.

The law simply doesn’t compel companies to answer arbitrary questions. Heck, I don’t think CCPA even compels them to answer any of these questions.

Only questions 2 and 3 are relevant to submitting a request, and CCPA requires the company to publish that information, but I don’t think it compels them to answer emailed questions asking for that information. Open to being wrong on this point though.


"They could also have made better guesses about whether the sites they were emailing would be bound by the law, and targeted the emails better."

They made no guesses - they randomly selected sites from rankings of top websites (specifically, from a common academic time-smoothed aggregation of Alexa and some of its competitors).

From the study website (https://privacystudy.cs.princeton.edu/): "The set of websites for this study is sampled from the Tranco list of popular websites and publicly available datasets of third-party tracking websites."



