I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...
To your question about what the data actually includes and what the retention policies are -- we'll put together a summary of this on the page I mentioned in GP.
If you get clarity on liquidation, please consider open sourcing it à la YC's startup documents. It's something I've long wanted to include in my projects.
I hope the result has some teeth to it, and I'd like to see follow up once this item is complete.
If I were negotiating for a vendor to collect such an invasive level of personal data about me or my customers, I would insist on accordingly strong protections.
At a minimum there should be clause in your ToS making our consent expressly contingent on you upholding your protection commitments, particularly around what data is collected, who it's shared with, and when it is destroyed or 100% anonymized. It should insist you have contracts containing terms of equal strength in place with any of your vendors, subcontractors, partners, etc. who might conceivably gain access to the sensitive data.
The clause should be written such that the liability follows along to any assigns, heirs, successors, etc, and it should be excluded from any loopholes in other portions of the contract (particularly any blanket ones which allow you to change the ToS without gaining fresh, explicit consent) and preferably free from any limitations of liability.
I'm glad Stripe is taking a responsive approach to the matter and I hope you'll consider this feedback when you revisit your legal agreements.
Thanks for answering questions about this and being so open! In your top-voted comment, you claimed that this data will never be sold to advertisers. Are you now saying that you're unsure? If so, it would be helpful to update the comment, since it seems it's not accurate.
> This data has never been, would never be, and will never be sold/rented/etc. to advertisers
> I'll ask our legal team if we can somehow contractually preclude ourselves from sharing this data in the case of liquidation or otherwise bind ourselves in a useful fashion...
Attack real problems on all flanks, but I don't think you can get an affirmative from Legal.
Do you have cryptographers on staff? The "technology as a contract" approach is to implement a homomorphic encryption technique to do your cross-site correlation without being able to unmask the individual who is using multiple sites.
That way you don't have to trust your users, customers, sysadmins, big-data people, LEO, OR creditors. Keep it as secret sauce, or even better, drop an open-source library on github to advance the state of privacy. I would like to be able to ask vendors, "why AREN'T you protecting users' privacy this way?".
Yep. Also: sale, acquisition, merger, as well as government requests for data, and third party access. Speaking from experience selling a company, it’s difficult to plan for unknown eventualities, and even more difficult to keep any promises about what happens to data you have. The only effective way I know of to guarantee data you have doesn’t get shared is to delete it.
IANAL and I don't claim to understand any of this well, but I would naively assume that if Company A collected data under a binding legal agreement that they can only use it for X, then they go bankrupt, that shouldn't give Company B the ability to buy the data as a "liquidation asset" then do anything they feel like with it. Shouldn't the binding restrictions "move" with the data?
This depends on how the company is liquidated/sold. In the cases I mentioned of sale or acquisition, often the corporate entity remains in existence through the transition, so the effect is that nothing changes wrt the binding legal agreement, but a large group of new people gain access to the data. Also while legal agreements are binding, they can usually be changed, it takes some careful planning to prevent a contract from being changeable by the new owner of the contract. Think about the question of who owns the collected data in the first place. If the company owns it, and the investors own the company, the company might have a tough time getting investors to agree to waive their right to sell what they consider to be a valuable asset in the case of bankruptcy. If the company doesn't ask the investors, or can't get them to agree, then whatever they do has grounds for future legal challenge. It's all around better to delete any such data before anything changes hands.
I honestly don't think it's that simple, and in fact I suspect it gets harder the bigger the company. They could have every intention, even a plan and an working implementation today to keep any data they collect out of the hands of a buyer or the government, and still have a very hard time ensuring it when the time comes. It does sound like @pc is actively committed to it though.
I don't think anyone's playing dumb. I am completely speculating, yet absolutely certain, that they have actually considered future scenarios for collected data, and I believe that there are legitimate reasons to still need to discuss this and other scenarios that come up with a legal team every time. If it's not clear why this can happen, it will become clear if/when you run a company.
It's true that not collecting any data is a foolproof way to guarantee it doesn't get into the wrong hands, but that's tying both arms behind your back in the online world, and it would mean in this case choosing to not train any fraud detecting neural networks. There could be an even bigger mob if Stripe knew how to prevent certain kinds of fraud and chose not to for ambiguous privacy reasons.
> This data has never been, would never be, and will never be sold/rented/etc. to advertisers.
Unless Stripe goes bankrupt, in which case it'll be liquidated along with all the other assets.