I refer to my previous articles related to an e-mail from a company with a domain name privacybee.com registered at Seattle P O Box address in the state of Washington.
The company is not a resident company in California nor in EU region. But it quotes privacy laws such as
“Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation.”
to state that if its request to “Delete” a certain personal information is not adhered to,
“Privacy Bee, are reserving the right to take legal action against ..and to lodge a complaint with the responsible supervisory authority.“
For people who know the privacy laws it is a threat that GDPR supervisory authority may fine upto 4% of your turnover or the AG of California may impose a fine of at least $7500/.
This is a harassment of the mail recipient.
We can also note that the company quotes a “Power of attorney” which has no recognition and uses e-mail address and a name without any verification such as a digital certificate etc,
There are hyperlinks to be clicked for further information which will install many cookies and there is no guarantee that they are not malware in themselves.
Even if you visit their web page several javascripts may become active and whether they have any malicious effect is to be checked.
The Privacy policy of privacybee.com itself may not be fully compliant with CCPA nor GDPR and certainly not the laws of India as applicable now for such websites.
This company is using the cover of Privacy laws to scare Indian companies and encouraging Indians to part with their e-mail address for a “Scan” which itself could be a way of collecting personal information without accountability.
There is a need for the Indian industry to study the business model of this company and prevent it from illegal collection of personal data of Indians.
We may re-iterate that PDPB 2019 expects such agencies to register themselves as “Consent Manager” with the DPA and subject itself to the discipline of a “Data Fiduciary” which includes submission of a “Privacy By Design” policy with more details of the processes used by the company to handle the PII of Indians.
Further there is a transfer of information out of India and even under the current ITA 2000/8 without considering the due diligence of PDPB 2019, there are “Reasonable Security Practices” which the company may not be following.
I wish CERT-In conducts an enquiry of such companies who are like “Ambulance chasers” and discredit the Privacy Regulations meant to protect the genuine victims of identity theft and privacy infringement.
I request every professional to think if they receive the kind of email referred to in my previous article how would they respond.
Since compliance to the request would mean providing an assurance that
“We donot have the personal details of the data subject and/or we have deleted all copies of information related to this data subject from all the resources of our company and our dub contractors”
each of the professionals may also consider what would be the cost of attempting to address this speculative query which is unverified and not backed by legal authority
Naavi
