I should have been more clear, so let me correct that. I am convinced. I agree that harm was done, and suffer from generalized anxiety disorder myself, so I empathize with the panic attacks that people received.
It is because I believe that harm was done, but also because I am a privacy nut myself, that I am trying to, for my own sake, characterize how I should approach sending emails like this in the future. The study may not go on, but individuals still will send these emails as long as CCPA/GDPR exist. (Just to add some color: It's my anxiety which is causing me to want to delete everything from the internet. If there's minimal info about me online, I can rest easy. It's why this is a throwaway that I will abandon shortly.)
Reading everyone's thoughts is what changed my mind. I now understand that I underestimated the emotional and legal effects CCPA/GDPR requests could have on small website operators, and will be more judicious in the future (like this study should have been) in pre-filtering and my wording. Reactions like kstrauser's (elsewhere in thread) were initially surprising to me (perhaps because of the faceless nature of the internet), so I hope you take my about-face as genuine.
Where do you think this balance lies? I still believe consumers, in general, should have the right to ask those with their data about their processes; to give it to them; and, upon request, to delete it. And further, in general, I think these interactions are the kinds of things that researchers might legitimately want to study. I found your other comments to be thoughtful, so I am curious what you think explicitly.
Based on reading https://news.ycombinator.com/item?id=29611139 the other day, my impression is for a small website operator the email template used some potentially threatening language in the line "I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code."
There is some discussion that for large websites or gov entities this kind of language may be necessary to communicate your sincerity with the request, but lone operators doing their best probably don't have any sort of legal to ensure they follow the letter of the law. From my perspective maybe it's best to approach a small website with a more casual tone that you just want your data gone and "make it serious" if the request is ignored or the response is noncompliant.
What I hope to see is a popularization of business models where no personal data is kept, because that is less expensive in terms of compliance costs, more beneficial to the consumer, and hopefully more attractive to the consumer as well. We can see the dawn of a new age in other comments in this thread where people talk about not collecting any data on their blog visitors!
Right now it is difficult to build businesses under such models because most institutions, frameworks, and tools shunt you towards hoarding all data. Over time, I hope that better tools will emerge so that building better businesses becomes easier.
There are people elsethread bemoaning not only the unfortunate artificial costs created by this email experiment, but the compliance costs of privacy-protecting legislation in general. But businesses should be paying those compliance costs, because it's an iron law at this point that business-collected personal data will leak yet individuals bear the costs when the data leaks.
To my mind, this experiment went awry in the same way that privacy-abusing businesses go awry: the organization reaped a benefit while the externalized costs were borne by outside individuals.
However, I'm inclined to forgive the researchers, as I think they will learn from this and find ways to collect data which cause less alarm and imposition. Similarly, I would hope that individuals pursuing their rights under privacy legislation would start off gently but firmly, giving small entities time to adapt. But simultaneously, I have an appreciation for those with bulldog tenacity who go after recalcitrant businesses (e.g. the heroes who have gone after Equifax in small claims court).
> how I should approach sending emails like this in the future
Don't.
It's that simple.
I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.