patcg-individual-drafts / topics

The Topics API
https://patcg-individual-drafts.github.io/topics/

Default opt-in status for users #132

Open robinwhittleton opened 1 year ago

robinwhittleton commented 1 year ago

The EU already has legislation (and other markets are converging towards similar legal solutions) that require active consent for processing of user data where it’s non-obvious to them that the processing will take place.

Given that even the existence of Topics would be non-obvious to the vast majority of users, and the draft as stands talks primarily about the benefit of Topics to the users, should a section be added describing the requirement / suggestion that Topics will need opt-in consent? That would put the onus on implementers to properly describe the benefits to users of consenting to the processing, and would remove the threat of lawsuits from improper processing of personal information from the other participants in the ecosystem.

dmarti commented 1 year ago

Consent is not the only basis for processing under GDPR. Topics API is a general-purpose system for categorizing and rating users, and has many uses outside of personalized advertising, such as security screening, education, public health, tax enforcement, and personalized pricing. ( https://github.com/patcg-individual-drafts/topics/issues/96#issuecomment-1265678422). Although it appears that consent is the only valid basis for processing for personalized advertising, callers with other use cases may be able to rely on a basis for processing other than consent.

robinwhittleton commented 1 year ago

Those are potential alternative legal bases for the processing of the exposed data that Topics provides, but I was talking about the processing of the sites the user visits and the exposed resulting data by the user agent they’re engaging with. It’d be hard to argue that this processing is contractual, a legal requirement, in the vital interest of the subject, or under obligation from a public authority. Under GDPR this just leaves consent and legitimate interest.

If Google (and other potential user agent providers) want to argue that there’s legitimate interest in exposing non-selected opt-out user preference information to sites then that’s fine. But I’d expect to see that as part of the specification.

If not, then the only legal basis is consent, and I’d also expect to see that covered in the specification, as in my original post.

dmarti commented 1 year ago

Thank you, I guess I am having trouble figuring out who the controller, or controllers, would be for Topics API. This area may be out of scope for this repository (see #32) and require a separate source of compliance information.

robinwhittleton commented 1 year ago

Right, I’d missed that issue. I imagine that this will be closed as well then.

Having said that, if this issue is closed with “I’m not a lawyer” as well, that doesn’t prevent these questions from being valid and needing to be answered before Topics could become something that could be considered legally compliant in the EU. So I’d hope that this receives some more thought at some point in the near future.

dmarti commented 1 year ago

The place to look may be IAB Europe -- if Topics API offers a subset of the capabilities of third-party cookies, and IAB TCF is a compliant way to manage consent for third-party cookies, it could also be able to manage consent for Topics API.

eligrey commented 1 year ago

Implementors: Regardless of opt-in signals, you must also support existing opt-out signals (e.g. Do Not Track if offered by the browser).

dmarti commented 1 year ago

Related: Privacy Sandbox initiative and AdSense

The use of Privacy Sandbox APIs is subject to Google’s EU User Consent policy requirements (for example, obtaining users’ legally valid consent for the collection, sharing, and use of personal data for ads personalization).

robinwhittleton commented 4 months ago

Somewhat as predicted, Google’s implementation of this doesn’t have an opt-in mechanism that gives the user a full understanding of the system they can agree with. Consequently, it’s lawsuit time: https://noyb.eu/en/google-sandbox-online-tracking-instead-privacy

If other browser engines implement this (I guess unlikely at this point) hopefully they can do a better job with their legal obligations.

So, as originally asked, should the spec detail what the legal minimum requirements are in this area?