[HN Gopher] OPPA: Ohio could become the third US state to enact ...
___________________________________________________________________
OPPA: Ohio could become the third US state to enact a new consumer
privacy law
Author : feross
Score : 112 points
Date : 2021-10-06 17:16 UTC (5 hours ago)
(HTM) web link (portswigger.net)
(TXT) w3m dump (portswigger.net)
| asdff wrote:
| It doesn't hit the governor's desk for a signature until December
| 2022. That's plenty of time for the Ohio legislature to do as the
| Ohio legislature does and make this bill much less exciting.
| akersten wrote:
| As more and more states create their own legislation in this
| space, I've got a great startup pitch: Taxjar, but for each
| municipality's data laws - caters your Privacy Policy based on
| visitor IP (with requisite geolocation disclaimer before one is
| allowed to view the Privacy Policy, of course).
|
| There's no innovation quite like compliance-driven innovation!
| C'mon gang, let's get coding.
| a1369209993 wrote:
| > caters your Privacy Policy based on visitor IP
|
| And this is why it's important for such legislation to apply to
| all citizens and permanent residents of the legislating
| jurisdiction, regardless of where they're physically or network-
| topologically located.
| dragonwriter wrote:
| > And this is why it's important for such legislation to
| apply to all citizens and permanent residents of the
| legislating jurisdiction, regardless of where they're
| physically or network-topologically located.
|
| With Westphalian sovereigns (or gangs of such working
| together, like the EU), that's possible in principle, because
| such entities can claim jurisdiction over anything anywhere;
| their sovereignty is unlimited, though their practical
| ability to enforce their laws may be more circumscribed.
|
| For US states, however - "sovereign" though they may be -
| they cannot assert jurisdiction over commerce just because
| one of their citizens is involved, regardless of where they
| are physically located and where the other party is.
| [deleted]
| oh_sigh wrote:
| Are you ready to accept liability for faulty/non-lawful
| compliance?
| lmkg wrote:
| That's already a feature of enterprise-level consent management
| platforms like OneTrust and TrustArc.
|
| Well, a milder version anyways. Look-up is only country level,
| not state, and what changes is generally the pop-up rather than
| the privacy policy. But the tools are already in the
| marketplace.
| ta1234567890 wrote:
| Great, that means there is a potential market for it.
|
| When Ford motors started cars already existed, when Facebook
| started social networks already existed, when Google started
| search engines already existed, etc.
|
| In my opinion, getting demotivated for not being the first or
| being "the one" that came up with the idea prevents way too
| many people from starting their own thing.
|
| In the end, execution and adoption are what really matter.
| In general it is better to copy something and improve on it than
| to try to invent something completely new.
| lmkg wrote:
| I know y'all are taking the piss. But real talk though: The
| consent-management space could do with some disruption.
| Like, for example, just a thought here, I know this sounds
| crazy, but hear me out: actually complying with GDPR. You'd
| think a tool whose entire job is to ensure compliance when
| gathering consent would actually gather consent in a
| compliant manner, but that's not the default behavior.
| l33t2328 wrote:
| Can you elaborate on the GDPR tool?
| rrix2 wrote:
| I take it to mean that this person is complaining (a
| point I often agree with) that these consent management
| platforms often resort to dark patterns to drive users'
| consent rather than attempting to truly inform a user
| before they consent.
| mywittyname wrote:
| This is a hard problem still. AFAIK, it's still not
| really well understood what constitutes lack of
| compliance. I've worked at a few companies where we just
| work with a legal team to get an okay.
| Macha wrote:
| There's the risk of getting small details incorrect while
| making a good faith effort of complying.
|
| And then there's what those platforms do, use every dark
| pattern possible to get the user to perform an action
| that they can interpret as consent.
| cde-v wrote:
| We used OneTrust to comply with CCPA last year, so it is
| already being done on a state by state basis.
| 908B64B197 wrote:
| Country level IP mapping was already a mistake. Let's not make
| it even more granular.
| shadilay wrote:
| It's time for a social media special district.
| https://en.wikipedia.org/wiki/Special_district_(United_State...
| akudha wrote:
| I remember talking to a couple of tiny house builders a few years
| ago. Rules for tiny houses vary wildly depending on the state
| and the county. There is no central place where the builders
| can look up the rules (at least that was the case a few years ago).
| In many cases they have to call the county office or go in
| person to get the latest rules; it is a hassle.
|
| They were willing to pay a few hundred dollars every month just
| to be able to access up-to-date rules in one place.
|
| I wonder how many of these _compliance driven innovation_
| opportunities (great term, btw) there are, thanks to
| bureaucracy.
| mywittyname wrote:
| >I wonder how many of these compliance driven innovation
| opportunities (great term, btw) there are, thanks to
| bureaucracy.
|
| Tons. I'd venture to say that the majority of B2B companies
| out there exist because they offer some form of assistance in
| dealing with compliance across the country/world. Even though
| we probably don't think of that as their primary service.
| Example: payroll services - the money transfers are the easy
| part, a company is really paying these services to do tax
| compliance.
|
| One of the problems with starting a company like this is
| finding all of the niches that exist. You kind of have to
| have worked in a sector to learn what some of the pain points
| are that can be alleviated.
| toomuchtodo wrote:
| https://up.codes/
|
| Carl Malamud, an open access advocate (among other roles),
| has been championing the cause of open building codes for
| almost a decade.
|
| https://www.google.com/search?q=Carl+Malamud+open+access
|
| https://www.eff.org/cases/publicresource-freeingthelaw
| theandrewbailey wrote:
| Instead, let's disrupt the industry with storageless personal
| data. It's like serverless, but for PII.
| keneda7 wrote:
| So are you proposing that each person's data is not stored
| anywhere and must be manually typed? Or something where each
| person controls where their data is stored and has to
| explicitly give access to sites in order to read the data?
|
| I feel like the second option would be feasible if you could
| somehow get the major sites to agree they would pull the data
| each request rather than storing it in their databases.
| teeray wrote:
| "User data is stored securely using our innovative write-only
| memory"
| tomschlick wrote:
| "By storing our blockchain on /dev/null, we have limitless
| scalability to handle your customer's data, without the
| need to worry about it being stolen by hackers"
| smolder wrote:
| I feel silly asking, but you're joking, right? On its face
| it's nonsensical, but then "serverless" is kind of nonsense,
| too, given that it still runs on servers, so IDK.
|
| You did remind me of Tim Berners-Lee's SOLID project, not
| that it's "storageless" really.
| ramesh31 wrote:
| >Derives more than 50% of its gross revenue from the sale of
| personal data and processes/controls the personal data of 25,000
| or more consumers during a calendar year.
|
| This seems really arbitrary and pointless. Especially since it's
| gross revenue and not profit. Sounds like a perfect excuse for
| some creative accounting.
| jonas21 wrote:
| You omitted the other criteria. Only one of the following needs
| to be satisfied for the law to apply:
|
| * _Annual gross revenue generated in Ohio above $25 million._
|
| * _Controls or processes the personal data of 100,000 or more
| consumers during the calendar year._
|
| * _Derives more than 50% of its gross revenue from the sale of
| personal data and processes /controls the personal data of
| 25,000 or more consumers during a calendar year._
|
| If you control or process the personal data of more than 100K
| consumers, or have more than $25M in Ohio revenue, then it
| doesn't matter where your revenue comes from.
|
| Also, gross revenue from sale of personal data is
| straightforward to measure and verify: How much did you get
| paid for the data? Profit is not since this depends on how you
| allocate expenses to various parts of the business.
| akersten wrote:
| > Also, gross revenue from sale of personal data is
| straightforward to measure and verify: How much did you get
| paid for the data?
|
| I really wouldn't say that it's straightforward at all. How
| much money would you guess Google (or any AdTech firm)
| "makes" under that definition in Ohio? I would bet you the
| farm that it's actually $0, because they're not selling data,
| they're selling ad space ("retargeting").
| jonas21 wrote:
| Exactly. Google does not sell personal data, so its revenue
| from selling personal data is $0.
|
| Of course Google is still subject to the law because it
| qualifies on the other two criteria.
| maxerickson wrote:
| But it's 'or', so who cares.
|
| Is there some clever argument they can use to avoid
| admitting that they process data that they process?
| [deleted]
| lmkg wrote:
| This looks like a modification of the California version, and I
| like the original more than the remix.
|
| The California version (CCPA) imposes restrictions on large
| businesses, and on data brokers. "Large business" is defined by
| revenue and number of data subjects. "Data brokers" are defined
| _purely_ by deriving majority of revenue from sale of personal
| data.
|
| Notably, CCPA does not have a lower bound on the size of data
| brokers. If your business is to sell personal data, then you
| are a data broker and CCPA applies, even if you're just one guy
| hawking a spreadsheet of a dozen data subjects.
|
| The Ohio version seems to have modified this so that data
| brokers have a lower size bound. I.e. it applies to any
| Business over X size, and data brokers over X/4. That's... I
| don't see the point. If you're gonna protect personal data,
| then the long tail of small-size data brokers is something that
| I would consider kind of a big concern. Like, datasets about
| medical conditions could conceivably be very small and I want
| that shit regulated into the ground.
| fmajid wrote:
| No, because California, Colorado and Virginia already have
| privacy laws, so at best it will be fourth.
| rrix2 wrote:
| California did not enact their privacy law in 2021, but in
| 2020...
| fmajid wrote:
| The Hacker News headline omitted the "in 2021" bit.
| A4ET8a8uTh0 wrote:
| Interesting. It would appear maybe I was wrong about general
| sentiment towards privacy in US. CA law did not surprise that
| much and most dismissed it as 'what will they do next', but Ohio
| is not exactly blue, which would suggest some people are finally
| getting a little fed up with status quo.
|
| All this against the backdrop of nationwide corps having tried to
| stop this exact scenario (a patchwork of state privacy laws).
| TrispusAttucks wrote:
| Privacy ain't a red or blue issue. It's a human issue.
| A4ET8a8uTh0 wrote:
| In my heart of hearts, I agree with you. My cynical surface
| would just want to take this moment to kinda spread my hands
| as if to show that our current existence has been
| ridiculously politicized. You may not think it is a blue
| issue, but -- and I am not trying to derail this thread -- I
| just want to make an argument, isn't abortion a human issue?
| rndmind wrote:
| Yeah, bringing up abortion here? Original conservatives
| were actually in favor of abortion because the
| government did not have the right to tell you what you
| could do with your body.
|
| It wasn't until the early '70s that the G.O.P. figured out they
| could win the ultra religious voters by catering to this
| specific issue. Noam Chomsky has an excellent dialogue
| about this.
| mywittyname wrote:
| Ohio isn't exactly pro-consumer at all. The Affirmative
| Defense section of the bill kind of highlights that, IMHO.
|
| > Businesses that satisfy requirements for the affirmative
| defense are afforded protection from any cause of action
| brought under Ohio laws, or in Ohio courts, alleging a
| violation of the OPPA or similar claims based on alleged
| violations of the Ohio Consumer Sales Practices Act's
| privacy-related provisions.
|
| It also prohibits citizens from suing violators of the law.
|
| Sounds to me like this is more about protecting businesses
| from litigation than it is about protecting consumers. I'm
| curious if the CCPA or Colorado's law have similar language;
| my suspicion is that they don't.
|
| Though, I'd love it if my beliefs were proven wrong here.
| finiteseries wrote:
| I don't know, that might be optimistic. There is infinitely
| more talk about how big tech is bad than how privacy is good in
| "red" areas.
|
| A cudgel's a cudgel though, and this one came with blueprints.
| priansh wrote:
| I'd like to speak to whoever came up with this acronym, for
| obvious reasons.
| triceratops wrote:
| Sorry, what are these reasons? It was not obvious to me.
| Jon_Lowtek wrote:
| Full text: https://legiscan.com/OH/text/HB376/2021
| Jon_Lowtek wrote:
| This one is interesting because many applications argue they
| have user behavior tracking (by a third party as a service) for
| this purpose.
|
| _> > 1355.02.(F) The obligations imposed on businesses or
| processors under this chapter shall not be construed as
| restricting a business's or processor's ability to collect,
| use, or retain data as necessary to do any of the following:
| (1) Conduct internal research solely to improve or repair
| products, services, or technology; [...]_
| Jon_Lowtek wrote:
| giant hole number one: stupid definition of personal data as an
| effect of consumer rights instead of human right means no
| protection for employees. This is big because of cloud native
| back office or collaboration services. Microsoft Teams is not a
| consumer app.
|
| _> > Sec. 1355.01.(J) "Personal data" means any information
| that relates to an identified or identifiable consumer
| processed by a business for a commercial purpose. "Personal
| data" does not include [...]
|
| >> (G) "Consumer" means a natural person who is a resident of
| this state acting only in an individual or household context.
| "Consumer" does not include a natural person acting in a
| business capacity or employment context, including contractors,
| job applicants, officers, directors, or owners._
| Jon_Lowtek wrote:
| obviously the difference between human right and consumer
| right makes this unnecessary, but just to be sure:
|
| _> > 1355.02.(B) This chapter does not apply to any of the
| following: (1) Any body, authority, board, bureau,
| commission, district, or agency of this state or of any
| political subdivision of this state;_
___________________________________________________________________
(page generated 2021-10-06 23:00 UTC)