[HN Gopher] OPPA: Ohio could become the third US state to enact ...
___________________________________________________________________
OPPA: Ohio could become the third US state to enact a new consumer privacy law
Author : feross
Score  : 112 points
Date   : 2021-10-06 17:16 UTC (5 hours ago)
Link   : portswigger.net

| asdff wrote:
| It doesn't hit the governor's desk for a signature until December 2022. That's plenty of time for the Ohio legislature to do as the Ohio legislature does and make this bill much less exciting.
| akersten wrote:
| As more and more states create their own legislation in this space, I've got a great startup pitch: Taxjar, but for each municipality's data laws - caters your Privacy Policy based on visitor IP (with requisite geolocation disclaimer before one is allowed to view the Privacy Policy, of course).
|
| There's no innovation quite like compliance-driven innovation! C'mon gang, let's get coding.
| a1369209993 wrote:
| > caters your Privacy Policy based on visitor IP
|
| And this is why it's important for such legislation to apply to all citizens and permanent residents of the legislating jurisdiction, regardless of where they're physically or network-topologically located.
| dragonwriter wrote:
| > And this is why it's important for such legislation to apply to all citizens and permanent residents of the legislating jurisdiction, regardless of where they're physically or network-topologically located.
|
| With Westphalian sovereigns (or gangs of such working together, like the EU), that's possible in principle, because such entities can claim jurisdiction over anything anywhere; their sovereignty is unlimited, though their practical ability to enforce their laws may be more circumscribed.
|
| For US states, however - "sovereign" though they may be - they cannot assert jurisdiction over commerce just because one of their citizens is involved, regardless of where they are physically located and where the other party is.
| [deleted]
| oh_sigh wrote:
| Are you ready to accept liability for faulty/non-lawful compliance?
| lmkg wrote:
| That's already a feature of enterprise-level consent management platforms like OneTrust and TrustArc.
|
| Well, a milder version anyways. Look-up is only country level, not state, and what changes is generally the pop-up rather than the privacy policy. But the tools are already in the marketplace.
| ta1234567890 wrote:
| Great, that means there is a potential market for it.
|
| When Ford Motors started cars already existed, when Facebook started social networks already existed, when Google started search engines already existed, etc.
|
| In my opinion, getting demotivated for not being the first or being "the one" that came up with the idea prevents way too many people from starting their own thing.
|
| In the end, execution and adoption are what really matter. In general it is better to copy something and improve on it than trying to invent something completely new.
| lmkg wrote:
| I know y'all are taking the piss. But real talk though: the consent-management space could do with some disruption. Like, for example, just a thought here, I know this sounds crazy, but hear me out: actually complying with GDPR. You'd think a tool whose entire job is to ensure compliance when gathering consent would actually gather consent in a compliant manner, but that's not the default behavior.
| l33t2328 wrote:
| Can you elaborate on the GDPR tool?
| rrix2 wrote:
| I take it to mean that this person is complaining (a point I often agree with) that these consent management platforms often resort to dark patterns to drive users' consent rather than attempting to truly inform a user before they consent.
| mywittyname wrote:
| This is a hard problem still. AFAIK, it's still not really well understood what constitutes lack of compliance. I've worked at a few companies where we just work with a legal team to get an okay.
| Macha wrote:
| There's the risk of getting small details incorrect while making a good faith effort of complying.
|
| And then there's what those platforms do: use every dark pattern possible to get the user to perform an action that they can interpret as consent.
| cde-v wrote:
| We used OneTrust to comply with CCPA last year, so it is already being done on a state by state basis.
| 908B64B197 wrote:
| Country level IP mapping was already a mistake. Let's not make it even more granular.
| shadilay wrote:
| It's time for a social media special district. https://en.wikipedia.org/wiki/Special_district_(United_State...
| akudha wrote:
| I remember talking to a couple of tiny house builders a few years ago. Rules for tiny houses vary wildly depending on the state and the county. There is no central place where the builders can look up the rules (at least that was the case a few years ago). In many cases they have to call the county office or go in person to get the latest rules; it is a hassle.
|
| They were willing to pay a few hundred dollars every month just to be able to access up-to-date rules in one place.
|
| I wonder how many of these _compliance driven innovation_ opportunities (great term, btw) there are, thanks to bureaucracy.
| mywittyname wrote:
| > I wonder how many of these compliance driven innovation opportunities (great term, btw) there are, thanks to bureaucracy.
|
| Tons.
| I'd venture to say that the majority of B2B companies out there exist because they offer some form of assistance in dealing with compliance across the country/world, even though we probably don't think of that as their primary service. Example: payroll services - the money transfers are the easy part; a company is really paying these services to do tax compliance.
|
| One of the problems with starting a company like this is finding all of the niches that exist. You kind of have to have worked in a sector to learn what some of the pain points are that can be alleviated.
| toomuchtodo wrote:
| https://up.codes/
|
| Carl Malamud, an open access advocate (among other roles), has been championing the cause of open building codes for almost a decade.
|
| https://www.google.com/search?q=Carl+Malamud+open+access
|
| https://www.eff.org/cases/publicresource-freeingthelaw
| theandrewbailey wrote:
| Instead, let's disrupt the industry with storageless personal data. It's like serverless, but for PII.
| keneda7 wrote:
| So are you proposing each person's data is not stored anywhere and must be manually typed? Or something where each person controls where their data is stored and has to explicitly give access to sites in order to read the data?
|
| I feel like the second option would be feasible if you could somehow get the major sites to agree they would pull the data each request rather than storing it in their databases.
| teeray wrote:
| "User data is stored securely using our innovative write-only memory"
| tomschlick wrote:
| "By storing our blockchain on /dev/null, we have limitless scalability to handle your customers' data, without the need to worry about it being stolen by hackers"
| smolder wrote:
| I feel silly asking, but you're joking, right? On its face it's nonsensical, but then "serverless" is kind of nonsense, too, given that it still runs on servers, so IDK.
|
| You did remind me of Tim Berners-Lee's SOLID project, not that it's "storageless" really.
| ramesh31 wrote:
| > Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year.
|
| This seems really arbitrary and pointless. Especially since it's gross revenue and not profit. Sounds like a perfect excuse for some creative accounting.
| jonas21 wrote:
| You omitted the other criteria. Only one of the following needs to be satisfied for the law to apply:
|
| * _Annual gross revenue generated in Ohio above $25 million._
|
| * _Controls or processes the personal data of 100,000 or more consumers during the calendar year._
|
| * _Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year._
|
| If you control or process the personal data of more than 100K consumers, or have more than $25M in Ohio revenue, then it doesn't matter where your revenue comes from.
|
| Also, gross revenue from sale of personal data is straightforward to measure and verify: How much did you get paid for the data? Profit is not, since this depends on how you allocate expenses to various parts of the business.
| akersten wrote:
| > Also, gross revenue from sale of personal data is straightforward to measure and verify: How much did you get paid for the data?
|
| I really wouldn't say that it's straightforward at all. How much money would you guess Google (or any AdTech firm) "makes" under that definition in Ohio? I would bet you the farm that it's actually $0, because they're not selling data, they're selling ad space ("retargeting").
| jonas21 wrote:
| Exactly. Google does not sell personal data, so its revenue from selling personal data is $0.
|
| Of course Google is still subject to the law because it qualifies on the other two criteria.
| maxerickson wrote:
| But it's 'or', so who cares.
|
| Is there some clever argument they can use to avoid admitting that they process data that they process?
| [deleted]
| lmkg wrote:
| This looks like a modification of the California version, and I like the original more than the remix.
|
| The California version (CCPA) imposes restrictions on large businesses, and on data brokers. "Large business" is defined by revenue and number of data subjects. "Data brokers" are defined _purely_ by deriving a majority of revenue from sale of personal data.
|
| Notably, CCPA does not have a lower bound on the size of data brokers. If your business is to sell personal data, then you are a data broker and CCPA applies, even if you're just one guy hawking a spreadsheet of a dozen data subjects.
|
| The Ohio version seems to have modified this so that data brokers have a lower size bound. I.e. it applies to any business over X size, and data brokers over X/4. That's... I don't see the point. If you're gonna protect personal data, then the long tail of small-size data brokers is something that I would consider kind of a big concern. Like, datasets about medical conditions could conceivably be very small and I want that shit regulated into the ground.
| fmajid wrote:
| No, because California, Colorado and Virginia already have privacy laws, so at best it will be fourth.
| rrix2 wrote:
| California did not enact their privacy law in 2021, but in 2020...
| fmajid wrote:
| The Hacker News headline omitted the "in 2021" bit.
| A4ET8a8uTh0 wrote:
| Interesting. It would appear maybe I was wrong about general sentiment towards privacy in the US. The CA law did not surprise that much and most dismissed it as 'what will they do next', but Ohio is not exactly blue, which would suggest some people are finally getting a little fed up with the status quo.
|
| All this against the backdrop of nationwide corps having tried to stop this exact scenario (a patchwork of state privacy laws).
| TrispusAttucks wrote:
| Privacy ain't a red or blue issue. It's a human issue.
| A4ET8a8uTh0 wrote:
| In my heart of hearts, I agree with you. My cynical surface would just want to take this moment to kinda spread my hands as if to show that our current existence has been ridiculously politicized. You may not think it is a blue issue, but -- and I am not trying to derail this thread -- I just want to make an argument: isn't abortion a human issue?
| rndmind wrote:
| Yeah, bringing up abortion here? Original conservatives were actually in favor of abortion because the government did not have the right to tell you what you could do with your body.
|
| It wasn't until the early '70s when the G.O.P. figured out they could win the ultra religious voters by catering to this specific issue. Noam Chomsky has an excellent dialogue about this.
| mywittyname wrote:
| Ohio isn't exactly pro-consumer at all. The Affirmative Defense section of the bill kind of highlights that, IMHO.
|
| > Businesses that satisfy requirements for the affirmative defense are afforded protection from any cause of action brought under Ohio laws, or in Ohio courts, alleging a violation of the OPPA or similar claims based on alleged violations of the Ohio Consumer Sales Practices Act's privacy-related provisions.
|
| It also prohibits citizens from suing violators of the law.
|
| Sounds to me like this is more about protecting businesses from litigation than it is about protecting consumers. I'm curious if the CCPA or Colorado's law have similar language; my suspicion is that they don't.
|
| Though, I'd love it if my beliefs were proven wrong here.
| finiteseries wrote:
| I don't know, that might be optimistic. There is infinitely more talk about how big tech is bad than how privacy is good in "red" areas.
|
| A cudgel's a cudgel though, and this one came with blueprints.
| priansh wrote:
| I'd like to speak to whoever came up with this acronym, for obvious reasons.
| triceratops wrote:
| Sorry, what are these reasons? It was not obvious to me.
| Jon_Lowtek wrote:
| Full text: https://legiscan.com/OH/text/HB376/2021
| Jon_Lowtek wrote:
| This one is interesting because many applications argue they have user behavior tracking (by a third party as a service) for this purpose:
|
| _>> 1355.02.(F) The obligations imposed on businesses or processors under this chapter shall not be construed as restricting a business's or processor's ability to collect, use, or retain data as necessary to do any of the following: (1) Conduct internal research solely to improve or repair products, services, or technology; [...]_
| Jon_Lowtek wrote:
| Giant hole number one: the stupid definition of personal data as an effect of consumer rights instead of human rights means no protection for employees. This is big because of cloud native back office or collaboration services. Microsoft Teams is not a consumer app.
|
| _>> Sec. 1355.01.(J) "Personal data" means any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose. "Personal data" does not include [...]
|
| >> (G) "Consumer" means a natural person who is a resident of this state acting only in an individual or household context.
| "Consumer" does not include a natural person acting in a business capacity or employment context, including contractors, job applicants, officers, directors, or owners._
| Jon_Lowtek wrote:
| Obviously the difference between human rights and consumer rights makes this unnecessary, but just to be sure:
|
| _>> 1355.02.(B) This chapter does not apply to any of the following: (1) Any body, authority, board, bureau, commission, district, or agency of this state or of any political subdivision of this state;_
___________________________________________________________________
(page generated 2021-10-06 23:00 UTC)