> Section 6.3 We may share personal information in connection with a corporate transaction, like a merger or sale of our company, the sale of most of our assets, or a bankruptcy.
> Section 6.5 Except where explicitly stated to the contrary in this Policy, in some cases, particularly given the limited amount and type of information and data collected through omg.lol, we have not restricted contractors’ own use or disclosure of that information or data. We are not responsible for the conduct or policies of Stripe, or other contractors.
IANAL but that seems pretty cookie-cutter "Company is not ruling out selling your data to others".
Also not a lawyer, but that sounds more like "if another company acquires us, we will give your info to them" and then separately "Stripe might sell your data; we're not responsible for them".
No, that's not totally reasonable and expected. Change of control can be a valid reason for breaking open a previous arrangement, especially when that change of control negates the exact reason why people would join this to begin with.
After all, if your data can be transferred at will to another entity due to a change of ownership and the agreement you made can then be annulled (because the new owners don't care about your privacy as much as the previous ones) then that's an end-run around the whole principle.
Not a lawyer so I might be reading this wrong - but to me this says "We might sell the company to someone else, and they in turn might sell it to anyone", and that's a bit scarier.
Couldn't you simply codify in the ToS that PII or even most/all historical metadata would be scrubbed upon the sale of the company? IANAL, but I would assume that a company could commit themselves in the user agreement in such a way that it guarantees some protection against this kind of concern.
You can always change the terms of service; no one would really notice a detail like this.
And things like email addresses are "PII", and maybe some more things that are required to actually run this business. So "scrub all PII" isn't really a very feasible thing to do in the first place.
So your "solution" is 1) never change interests, 2) never have health problems, 3) never retire, 4) well live forever basically?
And no one is going to buy a company stripped of all customer data.
This is just not realistic. Any company or website that lives long enough will change hands eventually, whether it's "selling" or handing it to your first-born son, or whatever, for any number of reasons, and when that happens you lose control. The best you can do is hand it over to someone you trust (if that's possible), but nothing is fool-proof.
> ... we have not restricted contractors’ own use or disclosure of that information or data. We are not responsible for the conduct or policies of Stripe, or other contractors.
I mean this seems pretty suspect for anyone privacy focused.
> Part b. omg.lol does not believe its processing of limited personal data of those outside the United States (if any) brings it within the jurisdiction of these laws.
That's a hard disclaimer if there's any.
I read that as: if you're a European user, we do not believe you can legally enforce us to honor your rights, even though we operate within the EEA.
And is illegal to boot. If that's their attitude they should not allow Europeans to register in the first place because all it will do is set them up for a confrontation with the various Data Privacy Offices. And such wilful language rules out any apologies.
More to the point, the GDPR is quite explicit on this as well:
> Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior. (Article 3.3 refers to more unusual scenarios, such as in EU embassies.)
That's also a sovereign citizen level of legalese. It doesn't matter what omg.lol states it believes. If anything, this demonstrates clear intent to violate users' privacy and be non-compliant with international data protection laws.
This is largely a moot point as long as omg.lol remains some guy's side project but given that the ToS explicitly mentions the possibility of a merger or buyout, this feels like it's poisoning the well a bit. If there's any upside to this, it's that this makes a buyout far less likely because he's essentially saying "yeah, we collect a ton of personal information but we don't have the legal consent for any of it and explicitly told users we're not complying with their regional data protection laws when it comes to gathering, processing or storing their personal information". Fair enough for the MySpace era of Web 2.0 privacy abuse but no longer workable in a world with the GDPR and its many regional equivalents.
Your comment is spot on. An acquisition is also the perfect time to have someone trigger an investigation by the local privacy authority for breach of GDPR and I can tell with reasonable certainty that the wording on that ToS is enough to get fined. Until they have a legal presence in the EU they might get away with it, though.
> omg.lol does not believe its processing of limited personal data of those outside the United States (if any) brings it within the jurisdiction of these laws.
Oh dear. That is definitely not correct. The only way for omg.lol to not fall under the jurisdiction of the GDPR is to not offer their services to people living where it applies.
And how would the owner go about that? Implement expensive geo-fences and KYC processes for a market they are not interested in? If they (EU people) want to use it... they should be able to without expecting the same protections as if the business operates in EEA.
How did we get here? To where if I spin up a webserver and charge for access now I'm suddenly forced to lick your middle finger because you have laws in your country saying so?
Simple: explicitly state what regions you provide your service to, optionally use cheap/free IP geolocation to block users from regions you don't wish to provide your service in and wherever you have to record a user's region anyway limit the options to regions you support or display a warning about your terms of service prohibiting use from other regions.
There are plenty of sites that only cater to US users and have signup forms requiring data like postal addresses or payment methods that contain regional information. Heck, some US sites even exclude users from certain states for various reasons. This service costs money so they need the user's billing address anyway. Just restrict access there and then like the rest.
The guy who created omg.lol did not "spin up a webserver and charge for access", they run a company that collects, stores and processes their users' behavioral data and personally identifiable information. It's more like a hosting company except it's apparently cobbled together from various third parties without any due diligence about how they operate. And it even uses the phrase "privacy-focused" in various parts of its claims. Yeah, I'd say it's reasonable to expect a company like that to provide basic information like what data it collects, how it ensures that data is protected and how a data subject can get that data deleted or corrected.
We have laws preventing corporations from selling products that are unfit for purpose or food that is blatantly toxic and we have laws preventing corporations from offering you contracts that demand personal harm or indentured servitude. In places like the EU we also have laws that prevent companies from using your data without consent and making sure you follow the best current practices when handling that data. And yeah, if you want to make a service that collects all data and monetizes the ever living fuck out of it you can still do that, you just need to ask your users for consent and allow them to opt-out if it isn't essential to doing what the users would want to use the service for (i.e. no bait and switch).
I don't know why some people find it so hard to understand the idea of informed and non-coerced consent.
I'll include the mandatory IANAL, but they could even ask people to indemnify them, or put up a banner saying: you must be in the US, blah-blah. But they're straight up saying: don't care about your laws. That seems untenable.
Hang on, if I go to another country I most certainly have to follow the laws that apply there.
If I surf over to another (Internet surfing) country because the server is physically located in that country, I again am forced to follow the laws that apply there.
It does seem illogical to have such a setup, especially since physically I haven't moved.
Now it seems that I can take my laws with me when I visit a server in another country. Making everything even more confusing.
Unfortunately that does not apply to physically traveling to another country: that country doesn't care two bobs for my country's laws.
> If I surf over to another (Internet surfing) country because the server is physically located in that country, I again am forced to follow the laws that apply there.
On the other hand, if you go set up a business that sells to citizens of that other country, do you have to follow rules to be allowed to sell stuff there? You see how the analogy is a little closer aligned?
Not really.
For example, I set up a business on the Oregon side of the Portland, Oregon / Vancouver, Washington border. Oregon doesn't have a sales tax, should I have to pay Washington sales tax because I had someone buy something from my shop in Oregon?
Same kind of deal, omg.lol have my servers located in the United States, payment processing happens in the United States, in United States Dollars. In no way is omg.lol making a special use case to handle European customers.
Now, Europe is free to attempt to exercise their laws against omg.lol, however they wouldn't get much further than "you're blocked in the EU" and having to get ISPs and transit networks to block their traffic, and payment networks to stop serving EU customers for that particular merchant ID.
If you ever run an ecommerce business, the expectation is absolutely that you pay taxes to foreign governments in compliance with their rules for any customers in their jurisdiction.
Is this usually followed in small scale shops? Almost never in my experience, though if the shop gets big enough or if the business is sold those tax liabilities are still technically owed. Many countries do have a minimum revenue before you have to pay taxes, and some have a minimum before you're supposed to report sales via tax filings even if you don't owe, but you better keep the operation small if you never plan to pay foreign sales tax.
That's not really that interesting of a question, if the owner wants to give the finger to the laws of a region with 300+ million people in it then that's their right, how they go about doing that in a way that it doesn't translate into liability (rather than simply respecting the law with regards to EU subjects) is not something that we need to solve for them. The choice is theirs, so are the consequences.
> How did we get here? To where if I spin up a webserver and charge for access now I'm suddenly forced to lick your middle finger because you have laws in your country saying so?
You do business somewhere, you have to abide by the laws of that somewhere.
As to how did we get here? I don't know. It probably happened sometime around year 500 BC?
The easiest and most reasonable option would be to honor GDPR and similar laws.
If you scam people in country A from country B, you're criminally liable to country A even if it's not a crime in country B. Same if it's espionage (cf. Assange), piracy (cf. TPB) and so on. Why should infringing on privacy rights be any different?
True, they are legally required by EU law to follow GDPR, but then it gets into enforcement, Facebook et al. might like to not follow GDPR but they are big enough then have holdings that the GDPR can take money from.
If omg.lol does not have any business in EU it is probably not going to actually be a problem for them because EU is unlikely to go to U.S. court to try to get money - also because I believe that probably wouldn't work.
However
1. If they are trying to get purchased by someone they probably should consider potential buyers probably don't want to buy a bunch of EU liability.
2. They should probably refrain from any sort of ambition that would give them such a business in the future because regulators can be really mean when someone does this kind of funny stuff.
3. If they don't pay if called on it maybe there would be a situation where they would get blocked - not sure about that but seems reasonable reaction.
https://home.omg.lol/info/legal