zlacker

[parent] [thread] 5 comments
1. stanfo+(OP)[view] [source] 2020-04-21 23:32:58
From a legal perspective, isn't the burden of communicating privacy to the customer on the website/content provider, not Stripe?

Stripe.js is an API -- developers use this API to build something used by their customers. The customer is the one who's data is being collected, and the developers are the one's facilitating that collection via their service. The fact that it got sent to Stripe is not really relevant to who bears responsibility on clarifying data rights to the customer.

replies(3): >>abioge+V2 >>threep+O3 >>riquit+X7
2. abioge+V2[view] [source] 2020-04-22 00:00:56
>>stanfo+(OP)
The data is collected by Stripe, though. The content provider doesn't have access to the mouse movement data, and might not be even aware of that the data is collected.
replies(1): >>stanle+k5
3. threep+O3[view] [source] 2020-04-22 00:10:45
>>stanfo+(OP)
It’s specifically different in this case: a big part of Stripe's value to a web vendor is that Stripe can collect credit-card info directly from the buyer (thereby exempting the vendor from PCI compliance and other issues related to storing and processing CCs).

"The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. Stripe makes this easy for you as we can do the heavy lifting to protect your customers’ card information." [1]

Interesting question whether Stripe incurs statutory privacy duties to the web vendor and the buyer separately. I would imagine so, because given the "triangular" nature of this kind of Stripe transaction, Stripe ends up collecting data from two parties.

[This is not legal advice]

[1] https://stripe.com/docs/security

◧◩
4. stanle+k5[view] [source] [discussion] 2020-04-22 00:25:29
>>abioge+V2
That doesn't necessarily mean the content provider isn't responsible though. I can break a law even if I don't know that the law exists.
replies(1): >>abioge+hc
5. riquit+X7[view] [source] 2020-04-22 00:52:07
>>stanfo+(OP)
> From a legal perspective, isn't the burden of communicating privacy to the customer on the website/content provider, not Stripe?

They get the burden, but they wouldn't be able to know about evil activities from the third party provider.

In the unlikely case where Stripe was a bad player, the customer would sue the website, the website would countersue Stripe

◧◩◪
6. abioge+hc[view] [source] [discussion] 2020-04-22 01:44:53
>>stanle+k5
Fair enough, but this specific collection of data has not been clearly disclosed by Stripe (until now?).
[go to top]