December always seems to be the season of increased and novel forms of email spam in my inbox. As if they’re hoping my spam filters will take time off, or something.

This year’s personal novelty in my inbox is what seems to be a trolling attempt w.r.t. the EU data protection regulation (GDPR) and the similar Californian consumer privacy act (CCPA).

Yesterday I received an email titled “Questions About GDPR Data Access Process for zylstra.org” sent from an address that has left no previous online search traces, and for which the domain name was first registered in March 2021. The sender’s domain envoiemail.fr looks set up specifically for this. The name used seems fake (no one in the world has that name if I’m to believe Google, LinkedIn et al).

The mail reads:

To Whom It May Concern:

My name is … , and I am a resident of Paris, France. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
What personal information do I have to submit for you to verify and process a GDPR data access request?
What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding zylstra.org, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

That last bit about Article 12 and having a month to reply seems ominous, but in my reading of the GDPR it only concerns actual data access requests.

When I received that mail it appeared fake to me, mostly because it’s boilerplate text without context about me as the receiver and using the domain name as some sort of organisation name. I replied nonetheless, which I probably shouldn’t have, with a single line message that my private website doesn’t fall within scope of the GDPR. I do have a GDPR policy page out of professional interest in the subject matter.

Then today I received another mail, this time concerning the Californian Consumer Privacy Act (CCPA), which is a data protection act modelled on the EU GDPR. The text was the same; the name used was different but also fake and trace-less online; the sender’s domain name (potomacmail.com) was registered in March 2020 and, like the previous one, pretends to be an e-mail service (but one whose online traces are all blog posts like mine, outing it as some sort of scam attempt). The mail reads the same as the first one:

To Whom It May Concern:

My name is …, and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

Would you process a CCPA data access request from me even though I am not a resident of California?
Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
What personal information do I have to submit for you to verify and process a CCPA data access request?
What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding zylstra.org, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

….

Needless to say, this blog is not within scope of the CCPA.

Both domain names used, envoiemail.fr and potomacmail.com, show the same message if you visit the domains. Judging by the mail headers, they use Amazon Simple Email Service (SES).

What would be the purpose of such spam messages? The blog post I linked to says there was a tracking pixel in the mail they received, but I don’t see that in my mail’s source. The hard thing is I now have to wait 30 and 45 days according to these mails to see if there’s a follow-up. 😉
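The two checks mentioned above, reading the Received headers to see which service relayed the mail and scanning the message source for a tracking pixel, can be scripted. The following is an added example using only the Python standard library; it is not code from this post. The sample message is constructed to have the shape of the mails described: the hostnames, IP address, addresses, message id and tracking URL are made up, and a pixel is included so that the detection has something to find. The `X-SES-Outgoing` header name and the `*.amazonses.com` relay hostnames are the markers Amazon SES really adds; everything else is an assumption for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample with the shape of the mails described in the post.
# Hostnames, IP, addresses, id and tracking URL are made up; the
# X-SES-Outgoing header and the *.amazonses.com relay hostname are the
# markers Amazon SES really adds to outgoing mail.
SAMPLE_EML = """\
Received: from a1-23.smtp-out.amazonses.com (a1-23.smtp-out.amazonses.com [198.51.100.23])
 by mx.example.net with ESMTPS id k7f2x for <webmaster@example.net>;
 Tue, 7 Dec 2021 09:00:00 +0000
X-SES-Outgoing: 2021.12.07-198.51.100.23
From: Someone <someone@mailer.example>
To: webmaster@example.net
Subject: Questions About GDPR Data Access Process for example.net
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To Whom It May Concern:</p>
<p>I have a few questions about your GDPR data access process.</p>
<img src="https://track.example.invalid/open?id=k7f2x" width="1" height="1" alt="">
</body></html>
"""

SES_HOST = re.compile(r"\.amazonses\.com$", re.IGNORECASE)


def sending_infrastructure(msg):
    """Collect the header evidence that points at the relay used to send the mail."""
    hints = []
    if msg.get("X-SES-Outgoing"):
        hints.append("X-SES-Outgoing header present (added by Amazon SES)")
    for received in msg.get_all("Received", []):
        # The token after "from" is the name the relay announced at HELO time.
        m = re.search(r"from\s+([\w.-]+)", str(received))
        if m and SES_HOST.search(m.group(1)):
            hints.append(f"Received from SES relay {m.group(1)}")
    return hints


class PixelFinder(HTMLParser):
    """Record <img> tags that are too small or hidden to be real content."""

    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.pixels.append(a.get("src") or "")


def find_tracking_pixels(msg):
    """Scan every text/html part of the message for tracking-pixel images."""
    finder = PixelFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.pixels


def triage(raw_message):
    """Parse a raw RFC 5322 message and return both findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "infrastructure": sending_infrastructure(msg),
        "tracking_pixels": find_tracking_pixels(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it on a saved `.eml` by passing the file contents to `triage()`. A message with no HTML part, like the plain-text one the post describes, yields an empty `tracking_pixels` list, which is the "I don’t see that in my mail’s source" case; a relay hint by itself only tells you which bulk service was used, not who is behind it.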

6 reactions on “What GDPR / CCPA Trolling Attempt Is This?
