As more and more states create their own legislation in this space, I've got a great startup pitch: Taxjar, but for each municipality's data laws - caters your Privacy Policy based on visitor IP (with requisite geolocation disclaimer before one is allowed to view the Privacy Policy, of course).
There's no innovation quite like compliance-driven innovation! C'mon gang, let's get coding.
I remember talking to a couple of tiny house builders a few years ago. Rules for tiny houses vary wildly depending on the state and the county. There is no central place where the builders can look up the rules (at least that was the case a few years ago). In many cases they have to call the county office or go in person to get the latest rules; it is a hassle.
They were willing to pay a few hundred dollars every month just to be able to access up-to-date rules in one place.
I wonder how many of these compliance driven innovation opportunities (great term, btw) there are, thanks to bureaucracy.
>I wonder how many of these compliance driven innovation opportunities (great term, btw) there are, thanks to bureaucracy.
Tons. I'd venture to say that the majority of B2B companies out there exist because they offer some form of assistance in dealing with compliance across the country/world. Even though we probably don't think of that as their primary service. Example: payroll services - the money transfers are the easy part, a company is really paying these services to do tax compliance.
One of the problems with starting a company like this is finding all of the niches that exist. You kind of have to have worked in a sector to learn what some of the pain points are that can be alleviated.
This is why I believe Bill Gates' statement that "90% of software hasn't been written yet" is (perpetually) true.
Alas, the Venn diagram of domain knowledge (for any given niche) and any measure of competence developing products is tiny.
And the work just isn't interesting. A friend made good money writing property tax administration software for municipalities. Tried to recruit me for years. I helped on some stuff, enough to verify I wasn't well suited to that type of work. Older me could probably do it happily.
One word, Sarbanes-Oxley. That's how you create parasitic jobs.
It's not all bad; manufacturing compliance for drugs, for example, makes sense.
Nevertheless, whether necessary (as in health) or primarily burdensome like SOX, they create tons and tons of high paying jobs. Small companies can't afford full timers so they make do with consultants who charge an arm and a leg.
SOX means well, but it's not going to stop the hanky-panky except for the inept. Is the cost of compliance worth the return on having less of incompetent fiscal malfeasance?
And this is why it's important for such legislation to apply to all citizens and permanent residents of the legislating jurisdiction, regardless of where they're physically or network-topologically located.
> And this is why it's important for such legislation to apply to all citizens and permanent residents of the legislating jurisdiction, regardless of where they're physically or network-topologically located.
With Westphalian sovereigns (or gangs of such working together, like the EU), that’s possible in principle, because such entities can claim jurisdiction over anything anywhere; their sovereignty is unlimited, though their practical ability to enforce their laws may be more circumscribed.
For US states, however – “sovereign” though they may be – they cannot assert jurisdiction over commerce just because one of their citizens is involved, regardless of where they are physically located and where the other party is.
The EU has the protection of personal data as article 8 of the Charter of Fundamental Rights of the European Union. It starts with the wonderful words "Everyone has the right ..."
That's already a feature of enterprise-level consent management platforms like OneTrust and TrustArc.
Well, a milder version anyways. Look-up is only country level, not state, and what changes is generally the pop-up rather than the privacy policy. But the tools are already in the marketplace.
Great, that means there is a potential market for it.
When Ford motors started cars already existed, when Facebook started social networks already existed, when Google started search engines already existed, etc.
In my opinion, getting demotivated for not being the first or being “the one” that came up with the idea prevents way too many people from starting their own thing.
In the end, execution and adoption are what really matter. In general it is better to copy something and improve on it than to try to invent something completely new.
I know y'all are taking the piss. But real talk though: The consent-management space could do with some disruption. Like, for example, just a thought here, I know this sounds crazy, but hear me out: actually complying with GDPR. You'd think a tool whose entire job is to ensure compliance when gathering consent would actually gather consent in a compliant manner, but that's not the default behavior.
I’ve been working on compliance software for 2 years now and this problem is hard. A large part of it is in “ensuring compliance”. You have to sort of straddle the line otherwise you end up a data controller instead of a data processor. You also can’t really give legal advice. You can build as many tools as you want but it’s really hard to give a good toolset and also not become liable.
This is a hard problem still. AFAIK, it's still not really well understood what constitutes lack of compliance. I've worked at a few companies where we just work with a legal team to get an okay.
I take it to mean that this person is complaining (a point I often agree with) that these consent management platforms often resort to dark patterns to drive users' consent rather than attempting to truly inform a user before they consent.
To elaborate: While most of these tools can be configured to comply with GDPR, it is not their default configuration. The tools and products predate GDPR, and being enterprise software they value backwards-compatibility over other aspects of functionality. So out of the box, they engage in practices which are non-compliant.
But of course, most companies assume that the default configuration is compliant, since that's the entire point of the product, right? Companies think the product is a compliance solution itself and therefore compliance is purely an IT problem of deploying the software and legal doesn't need to be involved. But in fact the software is actually a platform for scaling and automating enforcement, and legal actually needs to be involved to figure out what compliance looks like.
There are several studies showing that a huge fraction of GDPR/ePD violations are actually a result of using consent-management software but leaving it in the default configuration.
I feel silly asking, but you're joking, right? On its face it's nonsensical, but then "serverless" is kind of nonsense, too, given that it still runs on servers, so IDK.
You did remind me of Tim Berners-Lee's SOLID project, not that it's "storageless" really.
So are you proposing each person's data is not stored anywhere and must be manually typed? Or something where each person controls where their data is stored and has to explicitly give access to sites in order to read the data?
I feel like the second option would be feasible if you could somehow get the major sites to agree they would pull the data each request rather than storing it in their databases.
"By storing our blockchain on /dev/null, we have limitless scalability to handle your customer's data, without the need to worry about it being stolen by hackers"
Privacy regulations that can be satisfied by merely changing the text on a privacy policy that nobody is actually expected to read are not useful privacy regulations. Useful privacy regulations must be sufficient to force changes in how a business is run. If a company is stalking me across every major webpage, then adding implied consent to a privacy policy on that company's webpage does nothing to restore my privacy.
I think the GDPR comes closest to what I would want, with the requirement for explicit, informed, and freely given consent prior to any data collection that isn't strictly necessary for the site to function, and that access to the site can't be conditional on giving consent. What I'd want in addition is far stricter enforcement of it, such as heavy fines on every site that thinks a banner saying "Continued use of this site constitutes consent." satisfies any of the conditions required.
I think that is one of the value propositions of fly.io -- by bringing compute to the edge, you can comply with local data privacy policies, along with some interesting ways of building web apps, and get great data locality and low latency.
Interesting. It would appear maybe I was wrong about general sentiment towards privacy in the US. The CA law did not surprise that much and most dismissed it as 'what will they do next', but Ohio is not exactly blue, which would suggest some people are finally getting a little fed up with the status quo.
All this against the backdrop of nationwide corps having tried to stop this exact scenario (a patchwork of state privacy laws).
Ohio isn't exactly pro-consumer at all. The Affirmative Defense section of the bill kind of highlights that, IMHO.
> Businesses that satisfy requirements for the affirmative defense are afforded protection from any cause of action brought under Ohio laws, or in Ohio courts, alleging a violation of the OPPA or similar claims based on alleged violations of the Ohio Consumer Sales Practices Act’s privacy-related provisions.
It also prohibits citizens from suing violators of the law.
Sounds to me like this is more about protecting businesses from litigation than it is about protecting consumers. I'm curious if the CCPA or Colorado's law have similar language; my suspicion is that they don't.
Though, I'd love it if my beliefs were proven wrong here.
I agree. The law authorizes only the attorney general to crack the whip, and limits that prosecutorial discretion with a blanket affirmative defense. Who wins here?
The state government gains the ability to selectively harass west coast tech companies. Since west coast tech companies are perceived as left-wing institutions, state legislators probably anticipate that media coverage of the attorney general harassing them in court will poll well with voters in Ohio.
In my heart of hearts, I agree with you. My cynical surface would just want to take this moment to kinda spread my hands as if to show that our current existence has been ridiculously politicized. You may not think it is a blue issue, but -- and I am not trying to derail this thread -- I just want to make an argument, isn't abortion a human issue?
Yeah, bringing up abortion here? Original conservatives were actually in favor of abortion because the government did not have the right to tell you what you could do with your body.
It wasn't until the early '70s when the G.O.P. figured out they could win the ultra religious voters by catering to this specific issue. Noam Chomsky has an excellent dialogue about this.
It doesn't hit the governor's desk for a signature until December 2022. That's plenty of time for the Ohio legislature to do as the Ohio legislature does and make this bill much less exciting.
I guess Koreans in the US are going to laugh hard when they read this in the newspaper. For those who are not into K-Pop culture,
>The Korean word Oppa (오빠) is used when you are a woman and talking with an older male (related to you or not). For example, Oppa (오빠) is used to address an older male friend, even if he is not your older brother by blood.
Doubt that anyone will laugh hard over that. Also it's a surprisingly common acronym in Ohio[0], so I would guess that Ohio based Koreans have gotten over it by now.
[0] Ohio Public Policy Archives, Ohio Psychiatric Physicians Association, etc.
>Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year.
This seems really arbitrary and pointless. Especially since it's gross revenue and not profit. Sounds like a perfect excuse for some creative accounting.
This looks like a modification of the California version, and I like the original more than the remix.
The California version (CCPA) imposes restrictions on large businesses, and on data brokers. "Large business" is defined by revenue and number of data subjects. "Data brokers" are defined purely by deriving majority of revenue from sale of personal data.
Notably, CCPA does not have a lower bound on the size of data brokers. If your business is to sell personal data, then you are a data broker and CCPA applies, even if you're just one guy hawking a spreadsheet of a dozen data subjects.
The Ohio version seems to have modified this so that data brokers have a lower size bound. I.e. it applies to any Business over X size, and data brokers over X/4. That's... I don't see the point. If you're gonna protect personal data, then the long tail of small-size data brokers is something that I would consider kind of a big concern. Like, datasets about medical conditions could conceivably be very small and I want that shit regulated into the ground.
You omitted the other criteria. Only one of the following needs to be satisfied for the law to apply:
* Annual gross revenue generated in Ohio above $25 million.
* Controls or processes the personal data of 100,000 or more consumers during the calendar year.
* Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year.
If you control or process the personal data of more than 100K consumers, or have more than $25M in Ohio revenue, then it doesn't matter where your revenue comes from.
Also, gross revenue from sale of personal data is straightforward to measure and verify: How much did you get paid for the data? Profit is not since this depends on how you allocate expenses to various parts of the business.
> Also, gross revenue from sale of personal data is straightforward to measure and verify: How much did you get paid for the data?
I really wouldn't say that it's straightforward at all. How much money would you guess Google (or any AdTech firm) "makes" under that definition in Ohio? I would bet you the farm that it's actually $0, because they're not selling data, they're selling ad space ("retargeting").
This is toothless. Without a private cause of action available to the consumer, prosecutorial discretion means offenses will go unpunished based on political winds.
giant hole number one: stupid definition of personal data as an effect of consumer rights instead of human right means no protection for employees. This is big because of cloud native back office or collaboration services. Microsoft Teams is not a consumer app.
>> Sec. 1355.01.(J) "Personal data" means any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose. "Personal data" does not include [...]
>> (G) "Consumer" means a natural person who is a resident of this state acting only in an individual or household context. "Consumer" does not include a natural person acting in a business capacity or employment context, including contractors, job applicants, officers, directors, or owners.
obviously the difference between human right and consumer right makes this unnecessary, but just to be sure:
>> 1355.02.(B) This chapter does not apply to any of the following: (1) Any body, authority, board, bureau, commission, district, or agency of this state or of any political subdivision of this state;
This one is interesting because many applications argue they have user behavior tracking (by a third party as a service) for this purpose.
>> 1355.02.(F) The obligations imposed on businesses or processors under this chapter shall not be construed as restricting a business's or processor's ability to collect, use, or retain data as necessary to do any of the following: (1) Conduct internal research solely to improve or repair products, services, or technology; [...]
>> Sec. 1355.07.(B) A business may charge different prices or rates for goods or services for individuals who exercise their rights under this chapter for legitimate business reasons or as otherwise permitted or required by applicable law.
>> Sec. 1355.01.(J) [...] "Personal data" does not include [...]
(2) Pseudonymized, deidentified, or aggregate data. [...]
Because ad-tech at large doesn't care about actually identifying an individual as long as they can engage with it. Example: Facebook provides access to large amounts of "pseudonymized" data to the SCL group, who runs their own analysis resulting in a map of pseudonym->propaganda. They then pay FB to engage the users based on that.
I am not a lawyer, but this case seems to not fall under OPPA, because everyone can argue that they did not share personal data. So the user has no right to be informed about their "pseudonymized data" being processed by the SCL group for the purpose of feeding them propaganda.
A similar case is Google Analytics. A webapp sets 'anonymize_ip: true' and avoids pushing the consumer's name and postal address in the data layer, and can then argue the collection of tracking data by the third party affiliate Google is pseudonymized. Never mind that Google doesn't actually care about the consumer's address as long as it can create a profile for the pseudonym.
The European Union's GDPR has a chapter on profiling, which OPPA has not.
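The pseudonymization point in the comment above can be made concrete with a small added example (written for this thread, not code from any commenter, Google, or the OPPA text). It takes constructed analytics hits, masks the IP the way Google documents its analytics IP anonymization (last octet of IPv4, last 80 bits of IPv6 zeroed), and then shows that the persistent client identifier the tracking cookie carries is enough to stitch visits from different days and networks into one profile. The session-scoped key at the end is an assumed defender-side alternative, not a real analytics feature, included to show which identifier actually drives the profiling risk.

```python
from collections import defaultdict
import hashlib
import ipaddress

# Constructed sample hits, modelled on what a page sends to a third-party
# analytics endpoint. IPs are documentation-range addresses; `cid` stands in
# for the persistent first-party cookie value the analytics script assigns.
HITS = [
    {"cid": "cid-1234567890", "ip": "203.0.113.45", "day": "2021-07-01", "page": "/clinic/diabetes-care"},
    {"cid": "cid-1234567890", "ip": "203.0.113.45", "day": "2021-07-01", "page": "/clinic/insulin-pricing"},
    {"cid": "cid-1234567890", "ip": "198.51.100.7", "day": "2021-07-03", "page": "/pharmacy/checkout"},
    {"cid": "cid-9876543210", "ip": "203.0.113.45", "day": "2021-07-01", "page": "/about"},
]


def anonymize_ip(ip: str) -> str:
    """Mask an address the way Google documents for analytics IP anonymization:
    the last octet of IPv4 and the last 80 bits of IPv6 are set to zero."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize(hits):
    """What the site operator believes it is handing over: no name, no postal
    address, and a truncated IP. Every other field is passed through untouched."""
    return [{**h, "ip": anonymize_ip(h["ip"])} for h in hits]


def build_profiles(hits, key):
    """What the recipient can do: group hits by whatever identifier survives
    pseudonymization. Returns {identifier: [pages visited, in order]}."""
    profiles = defaultdict(list)
    for h in hits:
        profiles[key(h)].append(h["page"])
    return dict(profiles)


def persistent_key(h):
    """The real-world case: the cookie id is stable across days and networks."""
    return h["cid"]


def session_key(h):
    """Assumed alternative (not an analytics product feature): an identifier that
    is rotated per day cannot link one day's visits to the next."""
    return hashlib.sha256(f"{h['cid']}|{h['day']}".encode()).hexdigest()[:16]


def profile_sizes(hits, key):
    """Sorted number of pages per reconstructed profile; a quick measure of how
    much browsing history a single identifier ties together."""
    return sorted(len(pages) for pages in build_profiles(hits, key).values())


if __name__ == "__main__":
    masked = pseudonymize(HITS)
    # IP truncation held, yet the persistent cookie still yields a 3-page
    # medical browsing profile spanning two days and two networks.
    print(build_profiles(masked, persistent_key))
    # Rotating the identifier per day fragments the same hits into small pieces.
    print(profile_sizes(masked, session_key))
```

Run as a script it prints the reconstructed profiles; the point to take from it is that whether the data is "pseudonymized" in the statutory sense says nothing about whether a recipient can build a per-pseudonym profile, which depends entirely on the stability of the identifier that survives masking.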