[pessimizer]

That seems like a pretense.

The researcher was an actual human being, so all they would have to do to require a response is to register on the site before sending the email. If they had registered accounts, then requested their information be sent to them and required its deletion, it would have been an order of magnitude more work for the site owners than just sending answers about the process (which, if the site is subject to the law, should already be prepared.)

I think people are mad precisely because they were asked about compliance with a law. Largely because emails went out to sites that were not commercial or too small to be bound by the law, so they weren't aware of it and panicked.

[toast0]

If the researcher is at Princeton, which (last I checked) is neither in the EU nor in California, they may not have standing to compel a response under GDPR or CCPA, both of which apply to data about persons within their territories, as I understand it (although interpretations certainly vary).

According to the linked blog, the owner wasn't covered by CCPA anyway as I suspect is the case for a lot of the recipients, so there would still not be a response required. Some of the sites may have data exports and account deletion clearly available to users anyway, in which case no human interaction would be needed; but the research wasn't looking for that.