Wednesday, December 02, 2020

Is Privacy Bee a scam or legitimate?

 I run a small company and have in the last months, received a few very intimidating legal notices from a firm called Privacy Bee.  

They've caught my and my counsel's attention because while they claim to be protecting people's privacy, they cite individuals that my company has never done business with, has not emailed, and has no records of. 

We have spent considerable resources checking and double checking our lists so we are sure that we are not keeping records of them or direct marketing to them so we don't know what to make of it. As I look at them and see that they are charging a subscription to users, I wonder more and more about them.

Privacy Bee is one of these highly automated web companies which is incredibly buckled down and private.  .No individuals are listed.  For those of you not familiar with this, it's sometimes companies that are doing something controversial and nobody wants their name actually associated with it. Specifics.:

  1. The Privacy Bee website does not cite a single individual who invests in the company or works at the company. NO executives, no president, no individual to address legal concerns to. Nothing. Even the fine print, nothing.
  2. LinkedIn shows no individuals working there.
  3. Webhosting info is carefully managed so no individual can be found (I think btw, they are not in compliance with the need to make these records transparent). https://whois.domaintools.com/privacybee.com
I looked at their signup process and saw this:


The letters that I've received from them talk about protecting the rights of individuals. On each of the two sets of emails that I've received, an individual whose rights they claim they are protecting is cited. A good amount of information from the individual is provided including:
  • Name
  • Email
  • Date or birth
  • mobile cell phone
  • secondary phone number
  • home address
It's of course odd that a company, protecting privacy, will circulate such information about them.

I'm posting this in hopes of finding other companies that have dealt with Privacy Bee which can help me understand what they are looking for, what sort of company or business they have.  

I have contacted the individuals that they cite and the responses are along the lines of (this one is an exact quote from an email).

"you will have to ask privacy bee why their algorithm flagged you as being a potential source for my personal info"

This of course is the problem. Privacy Bee cannot be easily contacted. There is one email that I can find for them. support@privacybee.com and a contact-us page. I'm concerned that if I do that and show that they have my attention, it will trigger another set of intimidating initiatives and wild goose chases on our side.  

. I can click on a Privacy Bee link which gives me two choices: 
The problem is if the requested action is to delete records which do not exist in the first place, how should a company respond to a request to take action on the request to delete the existing records?

Does clicking that I agree somehow admit that I had such records? In this case, I do not want to agree.
Does clicking on I refuse somehow put me on record that my company refuses to support privacy?


It also shows a signed document which reads as follows

Limited Power of Attorney
 I, _______________, residing at ________________________________, appoint Privacy Bee, LLC, a Wyoming Limited Liability Company, as my authorized agent (attorney-in-fact) to act for me in any lawful way with respect to the matter described below. This Limited Power of Attorney is granted only to the extent necessary for my authorized agent to submit requests under the California Consumer Privacy Act, General Data Protection Regulation, Australian Privacy Act, or other relevant privacy legislation (the “Privacy Laws”), to any organization governed by the Privacy Laws, which grants consumers certain rights to request access to personal information (as defined in the Privacy Laws), to obtain copies of the personal information, to request the deletion of the personal information, and to opt-out of the sale of the personal information. By this power of attorney, I authorize my agent named above to submit a request on my behalf, under the Privacy Laws, for access, deletion, and opt-out from organizations that must comply with applicable Privacy Laws. I agree and acknowledge that my authorized agent may withdraw from this limited representation at its sole discretion. I further agree and acknowledge that this Limited Power of Attorney will terminate automatically, with respect to any particular organization to which my rights under the Privacy Laws are being exercised, once the authorized agent submits a request under the Privacy Law to the particular organization. I further agree and acknowledge that this Limited Power of Attorney will terminate automatically upon any legal actions taken by me, my authorized agent, or any third party (e.g., an organization to which a submission under the Privacy Laws is being made) associated with the purpose of this Limited Power of Attorney. 

 

-----Original Message-----

From: Privacy Bee <companies@mail.privacybee.com>

Sent:  date, 2020  

To: "MY COMPANY" <emails@ "MY COMPANY">

Subject: Urgent Followup: Legal Request for Data Deletion and Opt-Out of Resale [Request ID: xyz]

Concerns:  "MY COMPANY"

Request ID: xyz

Signed Power of Attorney: Yes

Request Date: November 2020

Respond At: https://app.privacybee.com/request/xyz

To Data Protection Officer or Legal Counsel:

I am hereby submitting a follow-up to a personal data request pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation. If you feel my data is exempt from privacy legislation for any reason, I'm still asking you to respect my wishes regardless, as I believe privacy is a universal human right and I'm hopeful the integrity of your organization will honor my request with or without legal requisite.

The initial request was sent <time and date> UTC and I still have not received a response that my request has been fulfilled.  This is a reminder that you only have 5 days left to respond!

Specifically for  "MY COMPANY":

- Data Deletion: I hereby request the immediate and complete purging of any and all information your company has on me including but not limited to: user accounts, marketing data, transaction data, behavioral data, social data, CRM records, or absolutely anything that that contains my personal information.

- No Dissemination: if any information is being or has been disclosed, resold, licensed, rented, or otherwise disseminated by your company to third parties, I hereby request to opt-out of that data sharing, and request you communicate this request for opt-out and deletion to those entities as well.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR, or other applicable legislation), I am hereby withdrawing said consent. In addition, I am objecting to the processing of personal data concerning me (which includes profiling).

As I’m legally permitted, please confirm your compliance of my request without undue delay and in any event within one month of receipt of this request.

I am including the following information necessary to identify me:

Name: 
Primary Email:
Primary Phone: xxx  (Mobile)
Secondary Phone: yyy (Home)
Primary Address: specific home address
Birthday: Detailed date of birth

If you require additional information to resolve my identity, to view my signed Power of Attorney authorizing this request, or to respond to this request, please visit: https://app.privacybee.com/request/xyz

If you do not answer my request within the stated period, I and my legal privacy advocate, Privacy Bee, are reserving the right to take legal action against "MY COMPANY" and to lodge a complaint with the responsible supervisory authority.

Thank you.

This request was submitted by and tracked by Privacy Bee (privacybee.com).

 Route::get('request_followup', [TestEmailController::class, 'request_followup']);

 

In reviewing Privacy Bee's Terms of Service, I note that they are NOT a law firm.
2.3 No Legal Representation. We do not offer legal representation, nor do we offer any legal advice, legal opinions, recommendations, referrals, or counseling. 

Their business model seems to be a subscription service of sorts:

4. Fees and Payment.

You agree to pay fees (the “Fees”) for the Services on a monthly basis (the “Subscription”), in advance, in the amounts set forth in our price list for the Services in effect at the time of payment. The Fees applicable to you are set forth when you sign up for your Account, and may be amended by us, from time to time, in our sole discretion and with advance notice to you. By signing up for the Services, you expressly authorize us to withdraw funds from your bank account and/or charge your payment card (as applicable) for the full amount of the Fees. Since the Services are on-going and are subject to recurring payments, you expressly authorize us to withdraw funds from your bank account and/or charge your payment card on a recurring basis until you affirmatively cancel, remove or stop your use of the Services. You may be provided with the option to prepay Fees in advance on a quarterly or annual basis, in which event we may offer a discount or other incentive to you. All Fees paid by you for, via, or in connection with the Services are final and are non-refundable. You understand that the fees you pay to the Company for the Services are associated with the attempt to exercise your rights under the CCPA, and not for the guarantee of results associated therewith.

They claim extensive rights to any info their subscribers provide them. 

7.3 User Content. You hereby grant to us a royalty-free, fully paid-up, sublicensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license to use, copy, modify, create derivative works of, display, perform, publish and distribute, in any form, medium or manner, any text, information, data, materials, images, or other content you provide to us using the Services or submit or post to the Site and that is not Feedback owned by us (the “User Content”). You represent and warrant that: (a) you own the User Content or have the right to grant the rights and licenses in these Terms, and (b) the User Content and use by us of the User Content as licensed herein does not and will not violate, misappropriate or infringe on the rights of any third party. We may remove any User Content from the Site for any reason at our discretion.

In the Privacy Bee privacy agreement they both say that they don't sell (unclear if they license) personal data and won't without some sort of opt out first.  And I quote:

  1. For more details about the personal information we have collected over the last 12 months, including the categories of sources, please see Section 3 “How We Use Your Information” above. We collect this information for the business and commercial purposes described in Section 4 “How We Share and Disclose Your Information” above. We share this information with the categories of third parties described in Section 4 “How We Share and Disclose Your Information” above. We do not sell (as such term is defined in the CCPA) the Personal Information we collect (and will not sell it without providing a right to opt out). Please note that we do use third-party cookies for our advertising purposes as further described in Section 4 “How We Share and Disclose Your Information” above.


No comments: