I just joined after reading the post. This wasn't the first time I've heard of Omg.lol but I wasn't entirely convinced earlier.
For a long while, I've felt kinda lonely online as all of the communities and little corners online I've been part of have slowly died. I guess I've sort of been digitally homeless.
I really enjoy the latest trends when it comes to indieweb and digital gardens, people creating their own space instead of living on closed platforms, so this definitely hit all the marks for me. I don't think I've bought anything online faster than just now haha.
Blake just cost me twenty quid, but I'm happy to vote with my feet instead of selling my data and attention to big corporations.
IANAL but that seems pretty cookie-cutter "Company is not ruling-out selling your data to others".
https://home.omg.lol/info/legal
Also not a lawyer, but that sounds more like "if another company acquires us, we will give your info to them" and then separately "Stripe might sell your data; we're not responsible for them".
Which is totally reasonable/expected imho.
I mean this seems pretty suspect for anyone privacy focused.
Also not legal in Europe where you absolutely are responsible for the actions of your processors
Oh dear. That is definitely not correct. The only way for omg.lol to not fall under the jurisdiction of the GDPR is to not offer their services to people living where it applies.
And how would the owner go about that? Implement expensive geo-fences and KYC processes for a market they are not interested in? If they (EU people) want to use it .. they should be able to without expecting the same protections as if the business operates in EEA.
How did we get here? To where if I spin up a webserver and charge for access now I'm suddenly forced to lick your middle finger because you have laws in your country saying so?
Hang on, if I go to another country I most certainly have to follow the laws that apply there.
If I surf over to another (Internet surfing) country because the server is physically located in that country, I again am forced to follow the laws that apply there.
It does seem illogical to have such a setup, especially since physically I haven't moved.
Now it seems that I can take my laws with me when I visit a server in another country. Making everything even more confusing.
Unfortunately that does not apply to physically traveling to another country: that country doesn't care two bobs for my country's laws.
Edit: IANAL.
On the other hand, if you go set up a business that sells to citizens of that other country, do you have to follow rules to be allowed to sell stuff there? You see how the analogy is a little closer aligned?
Not really. For example, I set up a business on the Oregon side of the Portland, Oregon / Vancouver, Washington border. Oregon doesn't have a sales tax, should I have to pay Washington sales tax because I had someone buy something from my shop in Oregon?
Same kind of deal, omg.lol have my servers located in the United States, payment processing happens in the United States, in United States Dollars. In no way is omg.lol making a special use case to handle European customers.
Now, Europe is free to attempt to exercise their laws against omg.lol, however they wouldn't get much further than "you're blocked in the EU" and having to get ISPs and transit networks to block their traffic, and payment networks to stop serving EU customers for that particular merchant ID.
If you run a site in the US targeting a primarily US user base, should you be forced to abide by the laws of Saudi Arabia?
I'll include the mandatory IANAL, but they could even ask people to indemnify them, or put up a banner saying: you must be in the US, blah-blah. But they're straight up saying: don't care about your laws. That seems untenable.
That's not really that interesting of a question, if the owner wants to give the finger to the laws of a region with 300+ million people in it then that's their right, how they go about doing that in a way that it doesn't translate into liability (rather than simply respecting the law with regards to EU subjects) is not something that we need to solve for them. The choice is theirs, so are the consequences.
Simple: explicitly state what regions you provide your service to, optionally use cheap/free IP geolocation to block users from regions you don't wish to provide your service in and wherever you have to record a user's region anyway limit the options to regions you support or display a warning about your terms of service prohibiting use from other regions.
There are plenty of sites that only cater to US users and have signup forms requiring data like postal addresses or payment methods that contain regional information. Heck, some US sites even exclude users from certain states for various reasons. This service costs money so they need the user's billing address anyway. Just restrict access there and then like the rest.
The guy who created omg.lol did not "spin up a webserver and charge for access", they run a company that collects, stores and processes their users' behavioral data and personally identifiable information. It's more like a hosting company except it's apparently cobbled together from various third parties without any due diligence about how they operate. And it even uses the phrase "privacy-focused" in various parts of its claims. Yeah, I'd say it's reasonable to expect a company like that to provide basic information like what data it collects, how it ensures that data is protected and how a data subject can get that data deleted or corrected.
We have laws preventing corporations from selling products that are unfit for purpose or food that is blatantly toxic and we have laws preventing corporations from offering you contracts that demand personal harm or indentured servitude. In places like the EU we also have laws that prevent companies from using your data without consent and making sure you follow the best current practices when handling that data. And yeah, if you want to make a service that collects all data and monetizes the ever living fuck out of it you can still do that, you just need to ask your users for consent and allow them to opt-out if it isn't essential to doing what the users would want to use the service for (i.e. no bait and switch).
I don't know why some people find it so hard to understand the idea of informed and non-coerced consent.
You do business somewhere, you have to abide by the laws of that somewhere.
As to how did we get here? I don't know. It probably happened sometime around year 500 BC?
The easiest and most reasonable option would be to honor GDPR and similar laws.
If you scam people in country A from country B, you're criminally liable to country A even if it's not a crime in country B. Same if it's espionage (cf. Assange), piracy (cf. TPB) and so on. Why should infringing on privacy rights be any different?
True, they are legally required by EU law to follow GDPR, but then it gets into enforcement, Facebook et al. might like to not follow GDPR but they are big enough then have holdings that the GDPR can take money from.
If omg.lol does not have any business in EU it is probably not going to actually be a problem for them because EU is unlikely to go to U.S. court to try to get money - also because I believe that probably wouldn't work.
However
1. if they are trying to get purchased by someone they probably should consider potential buyers probably don't want to buy a bunch of EU liability.
2. they should probably refrain from any sort of ambition that would give them such a business in the future because regulators can be really mean when someone does this kind of funny stuff.
3. if they don't pay if called on it maybe there would be a situation where they would get blocked - not sure about that but seems reasonable reaction.
That's a hard disclaimer if there's any.
I read that as: if you're a European user, we do not believe you can legally enforce us to honor your rights, even though we operate within the EEA.
This is very disappointing, and automatically dismisses omg.lol as an option for me as a researcher and educator.
And is illegal to boot. If that's their attitude they should not allow Europeans to register in the first place because all it will do is set them up for a confrontation with the various Data Privacy Offices. And such wilful language rules out any apologies.
More to the point, the GDPR is quite explicit on here as well:
https://gdpr.eu/companies-outside-of-europe/
Which is pretty much what happens given that they allow EU citizens to buy a 20 USD subscription.
That's also a sovereign citizen level of legalese. It doesn't matter what omg.lol states it believes. If anything, this demonstrates clear intent to violate users' privacy and be non-compliant with international data protection laws.
This is largely a moot point as long as omg.lol remains some guy's side project but given that the ToS explicitly mentions the possibility of a merger or buyout, this feels like it's poisoning the well a bit. If there's any upside to this, it's that this makes a buyout far less likely because he's essentially saying "yeah, we collect a ton of personal information but we don't have the legal consent for any of it and explicitly told users we're not complying with their regional data protection laws when it comes to gathering, processing or storing their personal information". Fair enough for the MySpace era of Web 2.0 privacy abuse but no longer workable in a world with the GDPR and its many regional equivalents.
Your comment is spot on. An acquisition is also the perfect time to have someone trigger an investigation by the local privacy authority for breach of GDPR and I can tell with reasonable certainty that the wording on that ToS is enough to get fined. Until they have a legal presence in the EU they might get away with it, though.
Worth a shot I suppose
Not a lawyer so I might be reading this wrong - but to me this says "We might sell the company to someone else, and they in turn might sell it to anyone", and that's a bit scarier.
You can't prevent that, not really. That "section 6.3" applies to every company, but these ToS are a bit more upfront about it.
Couldn't you simply codify in the ToS that PII or even most/all historical metadata would be scrubbed upon the sale of the company? IANAL, but I would assume that a company could commit themselves in the user agreement in such a way that it guarantees some protection against this kind of concern.
You can always change the terms of service; no one would really notice a detail like this.
And things like email addresses are "PII", and maybe some more things that are required to actually run this business. So "scrub all PII" isn't really a very feasible thing to do in the first place.
Is forced selling a thing for sole proprietorships? Is including data in a sale forced? You can prevent that if you want two ways:
1) Don't sell the company
2) Sell the company sans data (destroy it first)
So your "solution" is 1) never change interests, 2) never have health problems, 3) never retire, 4) well live forever basically?
And no one is going to buy a company stripped of all customer data.
This is just not realistic. Any company or website that lives long enough will change hands eventually, whether it's "selling" or handing it to your first-born son, or whatever, for any number of reasons, and when that happens you lose control. The best you can do is hand it over to someone you trust (if that's possible), but nothing is fool-proof.
You can't prevent it, but you can make it a breach of contract.
(Where the new buyer would breach the contract if passing data on.)
No, that's not totally reasonable and expected. Change of control can be a valid reason for breaking open a previous arrangement, especially when that change of control negates the exact reason why people would join this to begin with.
After all, if your data can be transferred at will to another entity due to a change of ownership and the agreement you made can then be annulled (because the new owners don't care about your privacy as much as the previous ones) then that's an end-run around the whole principle.
I love the idea of the service, but yes, those terms (and the commentary about the GDPR) are very strong showstoppers for me.
I really enjoy the latest trends when it comes to indieweb and digital gardens, people creating their own space instead of living on closed platforms
The way I see the current day situation, re: Elon Musk's freedom of speech contingency tree -- If X/Twitter and other social media prospers, it's good for him and he wins. If those die and people rediscover, "people creating their own space instead of living on closed platforms," he wins as well.