MetaFilter's new Privacy Policy document July 16, 2021 3:33 PM

We're rolling out a new formal Privacy Policy document for MetaFilter! You can read it here right now; in the next few days we'll get a link added in the site footer and update the FAQ, etc. If you want to discuss it or have questions, come on inside.

This is the end of what ended up being an unexpectedly protracted process of drafting and discussion exacerbated by some significant scheduling issues on both ends, but I'm glad we finally have it ready to go; this is one of those things MetaFilter had never explicitly gotten done in the past and it was overdue. While I think the spirit of how we deal with site data is better gotten at through conversation here, this documentation is an important resource to make available to users and to be able to rely on as a moderation team.

We worked with a legal firm to find the best compromise ground we could between what a boilerplate online corporation privacy policy tends to look like and the fairly unique nature of MetaFilter as an online business and as a community with strong and specific expectations. The resulting document still reads like, well, a legalistic privacy policy; there's only so much give on what lawyers will give a thumbs up to as legally sound and practical, even if it feels off the mark for a place like MeFi. But we were able to carve out a great deal of stuff that might otherwise have appeared, and to explicitly say "we don't do this" to a lot of not-great things that other places do, in fact, do as a matter of course.

Included in this is a link to a page that addresses the specifics of California's CCPA act in terms of what information we do and do not collect or disclose or sell, and gives a good summary of the level of detail emerging in US state-specific privacy laws. The answer to "sell" is no across the board; we don't, never have, and never will sell any user information or content from the site, period. "Disclosed for a Business Purpose" is, as the legal folks were very clear, basically collapsible to "exists on the internet at all"—that we back up data or use cloud hosting by itself qualifies as a disclosure in this context, so anything we do collect is by definition also disclosed. We do not, however, provide user information to third parties for any kind of commercial or analytical use etc.

As privacy laws grow and change, we may need to amend these documents or add more state-specific sub-documents. We'll announce major updates as they come. But based on the advice we've gotten, we don't expect much to change here in the foreseeable future.

I'll do my best to follow up on questions about the document and the process, etc, in this thread. Other mods may also pop in; Eyebrows McGee and loup in particular have been directly involved in this process throughout the document's development.
posted by cortex (staff) to Etiquette/Policy at 3:33 PM (16 comments total) 9 users marked this as a favorite

(A member noted that the zipcode line on the address has gotten mangled somehow; the zipcode there is 97283, the same P.O. Box as listed on the funding page. Will get that fixed, thank you!)
posted by cortex (staff) at 3:45 PM on July 16


Probably the most significant scheduling issue was that I had a leaky hole in my spinal column and had to go to the ER and have a lot of MRIs and it really cut into my, like, general life. :) (It's fine! I'm fine!) Literally right in the middle of drafting the policy! So we had to put some shit on hold until I could sit up and work at a computer.

The drafting process was fun and interesting, and while I am not a huge fan of the legalistic language (I spent months slugging it out on school board to create a non-legalistic bullying policy that 3rd graders could read and understand!), that is just where the law is right now. These laws aren't really intended for a low-info-gathering small site like MetaFilter, but for giant multinationals that are sucking your data dry. But we now have our compliance spelled out! And that's good stuff.
posted by Eyebrows McGee (staff) at 6:27 PM on July 16 [10 favorites]


One item I see missing is that of the payment method used (say Paypal) and therefore the ability for you to identify sockpuppet accounts. I get that this could be covered by something already written though.
posted by I shot a fox in Skyrim and it made me sad at 1:01 AM on July 17


Yay! I know this was a slog and boilerplate just wasn't going to work, and I'm really pleased to see what looks to me to be a reasonably readable and comprehensive document.

(Also, eep, Eyebrows, I'm glad you're ok!)
posted by restless_nomad (retired) at 8:38 AM on July 17 [1 favorite]


One item I see missing is that of the payment method used (say Paypal) and therefore the ability for you to identify sockpuppet accounts. I get that this could be covered by something already written though.

Yep, that's covered by the Order Placement item (and a bit as well by Account Registration); we collect (a subset of) the information laid out there during the PayPal transaction on signup, for those accounts that we don't process for free instead.
posted by cortex (staff) at 8:44 AM on July 17 [1 favorite]


"Where required by law, we base the use of third party cookies upon consent and limit use where possible. "


Y'all don't seem like the kind of folks who would be using squirrely language to obfuscate intent, so I'm maybe reading this in a weird way. I'm guessing there's some kind of third-party cookie legal thing I'm not aware of? To clarify:


- Are third party cookies required by law sometimes?

- Are you only using third-party cookies when they are required by law? When is that?

- Are you only basing use on consent in those cases where it's required by law, and not basing it on consent in other cases?

- Um, is it impossible to _limit_ use of _third party_ cookies sometimes?

Sorry, I'm waaay low on sleep. Would sincerely appreciate any clarification.
posted by amtho at 11:50 AM on July 17


Some combination of GDPR and CCPA is being read to interpret that sites have to obtain explicit consent for cookies that are not strictly necessary for the site to operate. (One example I can think of where you presumably need a third party cookie is if you're using Google as an OAuth provider.) This seems to be why a) we've gone from those "this site uses cookies - accept" banners on European sites to banners that actually have preferences to disable some cookies and b) the same thing has started popping up on some US sites.

See Cookies, GDPR and the ePrivacy Directive (official EU docs) and CCPA FAQ on Cookies from some random law firm (PDF).
posted by hoyland at 12:15 PM on July 17


That's definitely one of the cases of there not being any straightforward statement that the law and hence the lawyers would be happy with, and I am not a lawyer and not your lawyer, but: my understanding is that is saying that where the law requires consent to use third party cookies, we do so, and that in general we limit our use of third party cookies in any case.

In practice, we don't use any third party cookies if we can help it and we definitely don't choose to do so, but it's sufficiently difficult to be absolutely sure that we never do in the context of e.g. Adsense or Amazon stuff that it'd be legally irresponsible for us to flatly state we never do and never will. MetaFilter can as a site flatly decline to court any of the ad-economy, surveillance-economy horseshit that is so hugely prevalent in tech entities like Facebook et al but an aspiration toward rejecting all of that isn't the same as being able to be 100% sure we're severed from anything that falls under that description.
posted by cortex (staff) at 12:16 PM on July 17 [9 favorites]


Seems straightforward. I like that you’ve eschewed the cutesy summaries that some sites go with.
posted by michaelh at 3:58 PM on July 17 [2 favorites]


Congratulations on having a shiny new privacy policy!

For some reason I had imagined this would also magically come with a big red button on the settings page for deleting and/or anonymizing all our own comments and posts.
posted by aniola at 8:11 PM on July 17 [1 favorite]


OK, sorry to nit-pick. Thank you so much for doing this, and it looks really thorough and not out of character. Big thank you.


So, follow up to clarify my earlier question:


"Where required by law, we base the use of third party cookies upon consent and limit use where possible. "

I think it's maybe just a little hard to parse...


Is the following true?
We limit the use of third party cookies where possible. Where consent to use third party cookies is required by law, we base such use on consent.
Also, I'm wondering what about where consent to use third party cookies is _not_ required by law.
posted by amtho at 9:52 PM on July 18 [1 favorite]


Is the following true?

That restatement aligns with my understanding of it, yeah.

Also, I'm wondering what about where consent to use third party cookies is _not_ required by law.

This is a good question for a lawyer, ultimately; we talked over what we do and don't do and what we don't intend to do when finagling over that language with the legal folks, and the takeaway was MeFi as an organization doesn't do anything that falls into that kind of required-consent territory and doesn't intend to but that if we ever did we'd need to provide that consent, hence this vague CYA umbrella phrasing.

If MeFi ever changes its use of cookies in a significant way it's something we'd need to do our homework on about providing new cookie consent check-ins.
posted by cortex (staff) at 7:47 AM on July 19


Changes To Your Personal Information. We rely on you to update and correct your personal information. Our website allows you to modify or delete your account profile. If our website does not permit you to update or correct certain information, you can contact us at the address described below in order to request that your information be modified. Note that we may keep historical information in our backup files as permitted by law.

If I live in California and would like all my posts and comments removed with a bare minimum of fuss, what does that process currently look like? Are there any plans for that process to change in the future? What would you keep as a backup permitted by law? Would that differ if I move to Europe?
posted by aniola at 3:55 PM on July 20


Mod note: Right now, all deletions are still done manually by frimble; you contact us and we take care of it. The process is the same everywhere in the world.

In general, because we collect very little data, we don't sell or buy data, and we're very small, we're well below the threshold where most privacy laws start to apply. The CCPA, for example, only applies to businesses that: 1) Have a gross annual revenue of over $25 million; 2) Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or 3) Derive 50% or more of their annual revenue from selling California residents’ personal information. (here) -- which is not us.

BUT we've always been a site with an ethos of limiting data collection and using it only for clear and necessary purposes, so spelling out our privacy policy in the ways that are becoming legally-standard, and ensuring we were above and beyond on compliance was important to us. And good business practice, because several other states have just passed or are in the process of passing privacy laws largely modeled on the CCPA, and having already gone through a CCPA compliance process will make it much quicker and easier to ensure we're prepared for Colorado, and Illinois, and all the other states bringing out new privacy laws. (Ditto GDPR, for a US-based site with users in non-US jurisdictions.)

I will say the privacy lawyers kind-of could not believe how little data we collect, and we had to go over with them a few times how, no, we DON'T collect X, Y, or Z; we don't sell data; we don't do this that or the other. I got the impression that if they were our everything lawyers, they'd be like, "Uh, collect a lot more information, you should know more about your users," but they understood that that's not the kind of site we are or want to be. I think it was interesting for them to work with us as well, because we're so lightweight on data collection, and most of what they deal with is very big companies with very big data footprints! We are a very different model than most of their clients, and they seemed intrigued by the different privacy compliance challenges presented by our small, data-collection-light site.
posted by Eyebrows McGee (staff) at 7:47 PM on July 20 [7 favorites]


Thanks! That answers most of my questions and I learned some interesting things. It has always been nice knowing that Metafilter has an ethos of limiting data collection.

Are there any plans to install a figurative or literal big red button for anonymizing and/or deleting all posts/comments in the near or distant future? What backup information do you keep?

After having spent some time with the CCPA and GDPR, what are your thoughts and opinions on these privacy laws?
posted by aniola at 10:11 AM on July 21


Are there any plans to install a figurative or literal big red button for anonymizing and/or deleting all posts/comments in the near or distant future?

We don't currently have any plans to make it a DIY button press without mod intervention. As EM said, it's a use-the-contact-form thing.

What backup information do you keep?

We keep most of what little we collect in the first place after an account has been closed; we've had enough issues with account abuse by returning users, spammers, etc. that it's, in the legal parlance of the privacy policy, a legitimate business need to retain that stuff. But we also make a point of never selling it or (in the more familiar lay sense of the term) disclosing it to third parties.

After having spent some time with the CCPA and GDPR, what are your thoughts and opinions on these privacy laws?

My impression overall is that these are laws doing good things—a formal, legal reinforcement of people's privacy rights and a reduction of the ethical free-for-all that big internet tech has been for decades is a really good, necessary, and overdue idea—and also that they're doing them in ways that are a weird, poor fit for businesses that aren't the tech megacorporations that made them so obviously necessary in the first place.

So it's a frustrating position to be in, as a tiny company that was already on principle refusing to do all the gross horseshit that companies like Facebook have been aggressively pursuing, to have to try and navigate compliance on paper with these laws not written with us in mind in the first place. And they are written broadly to try and mitigate a great many avenues of abuse, but as a result they are also—between that breadth, and their newness—hard to interpret in practical terms a lot of the time. One of the main things we have heard from lawyers when discussing things like GDPR's scope and triggers and practical meaning is "well, nobody's really sure yet", which isn't a great place to be: sitting around waiting for some big lawsuits to happen so people better know what the law is actually going to do.

But, in the end, these laws should exist, and my hope is we'll proceed from this weird teething period to something more clear and well-established that better serves the intended purpose. Like, hopefully what we'll see in the not-too-long run is a US federal privacy law, as states continue to spin up their own individual versions which are likely to all differ somewhat in scope and requirements and create more and more of a nightmare of compliance. In the meantime, we'll just keep trying to do the right thing on principle regardless.
posted by cortex (staff) at 3:18 PM on July 21

