patcg-individual-drafts / topics

The Topics API
https://patcg-individual-drafts.github.io/topics/

Please consider opt in instead of opt out #31

Closed fungiboletus closed 1 year ago

fungiboletus commented 2 years ago

Hi,

I can read "The Topics API will have a user opt-out mechanism". I would strongly advise going with opt in instead of opt out, to go together with the stated privacy goals.

Just a note that opt out is very much not compatible with the GDPR:

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

https://eur-lex.europa.eu/eli/reg/2016/679/oj

FLoC was opt out (and using the ad-blocking EasyList to track people for ads...), so it couldn't be enabled in Europe.

dmarti commented 2 years ago

Consent is one basis for processing under GDPR and similar laws in other jurisdictions. According to the GDPR,

> For consent to be informed, the data subject should be aware at least of the identity of the controller

I added a related issue that covers making it clear who the controller is, and whether consent is the basis for processing: #32

jdelhommeau commented 2 years ago

Since Topics will require read (write?) access to the user's terminal, you will need consent under ePrivacy in EMEA. I think both aspects need to be considered before moving forward with testing in EMEA: Who is the controller? Consent modality? Who is responsible for collecting the consent, and for which part of the API?

dmarti commented 1 year ago

There are also specific regulatory issues in the USA for health-related sites covered by HIPAA. See "Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates".

Under HIPAA, sites must "Protect against reasonably anticipated, impermissible uses or disclosures." Because an unpermitted Topics API call by a third-party script on a page could happen as the result of a "reasonably anticipated" software defect or misconfiguration, sites regulated by HIPAA would end up having to do the work of either setting the opt-out header or removing third-party scripts. It would be more reasonable for sites expecting to benefit from Topics API to have to do the work.

jkarlin commented 1 year ago

IANAL so can't comment on any legality issues directly, but I do believe that Chrome does have different opt-in vs opt-out behavior for Topics in different regions of the world.