Closed nickvenezia closed 5 months ago
Interesting topic. GDPR does not forbid the targeted ads use case, as long as proper consent by the user is gathered. Indeed, many of the other use cases listed for location-retrieval, or other location-based APIs, will also need consent from the user, or at least some opt-out mechanism.
Consent gathering is a transversal topic to all CAMARA APIs, being discussed in the Identity and Consent Management subproject. The process for consent gathering happens during the auth phase, and applies to all CAMARA APIs, prior to API invocation. Clients have to declare the purpose for API usage in order to get the access token, and users have to consent to it, and have the right to remove it at any time.
We can discuss the convenience to remove or nuance sensitive examples for the API doc, in order to avoid susceptibility, but it is wrong to assume that targeted advertisement is against GDPR, or that Device Location APIs may be used without proper consent management. Any suggestion to make this clear is welcome.
"Location-based advertising, to trigger targeted advertising after verifying the user is in the area of interest"
Update to "Contextual-based advertising, to trigger advertising after verifying the device is in the area of interest."
Problem Description
Remove "Location-based advertising" from YAML.
The API’s reference to location-based advertising is problematic for GDPR. There’s uncertainty about whether users have agreed to let their location data be used for targeted advertising.
Expected Action
I strongly urge the group to remove that specific use case from the YAML, "Location-based advertising, to trigger targeted advertising after verifying the user is in the area of interest" from the API documentation.
Additional Context
For GDPR this API does not meet the standards of data ethics and legal compliance.
GDPR concerns
Consent for Data Processing: Section 4(1) stipulates that personal data can only be processed with the consent of the Data Principal for lawful purposes. The device location API, as described, seems to lack a clear mechanism for obtaining user consent, particularly for the purpose of location-based targeted advertising, especially since this is in essence granting consent through a back-door approach.
Potential for Unlawful Data Profiling and Automated Decision-Making: The use of data for automated decision-making or profiling without proper safeguards or consent contravenes Article 22 on automated individual decision-making, including profiling.
Non-Compliance with Children’s Data Protection: If the API processes children’s data for advertising without proper consent, it would violate Article 8 concerning conditions applicable to child’s consent in relation to information society services rights.