Please consider opt in instead of opt out #31

Closed
fungiboletus opened this issue Jan 29, 2022 · 4 comments
Comments

@fungiboletus

fungiboletus commented Jan 29, 2022

Hi,

I can read "The Topics API will have a user opt-out mechanism". I would strongly advise going with opt-in instead of opt-out, in line with the stated privacy goals.

Just a note that opt-out is very much not compatible with the GDPR:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
https://eur-lex.europa.eu/eli/reg/2016/679/oj

FLoC was opt-out (and used the ad-blocking EasyList to track people for ads...), so it couldn't be enabled in Europe.

@dmarti
Contributor

dmarti commented Jan 29, 2022

Consent is one basis for processing under GDPR and similar laws in other jurisdictions. According to the GDPR,

For consent to be informed, the data subject should be aware at least of the identity of the controller

I added a related issue that covers making it clear who the controller is, and whether consent is the basis for processing: #32

@jdelhommeau

Since Topics will require read (write?) access to the user's terminal, you will need consent under ePrivacy in EMEA. I think both aspects need to be considered before moving forward with tests in EMEA: who is the controller? Consent modality? Who is responsible for collecting the consent, and for which part of the API?

@dmarti
Contributor

dmarti commented Dec 2, 2022

There are also specific regulatory issues in the USA for health-related sites covered by HIPAA. See Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Under HIPAA, sites must "Protect against reasonably anticipated, impermissible uses or disclosures." Because an unpermitted Topics API call by a third-party script on a page could happen as the result of a "reasonably anticipated" software defect or misconfiguration, sites regulated by HIPAA would end up having to do the work of either setting the opt-out header or removing third-party scripts. It would be more reasonable for sites expecting to benefit from Topics API to have to do the work.
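The "opt-out header" referred to above is, in Chrome, the Permissions-Policy feature browsing-topics: a response carrying browsing-topics=() denies the API to every origin on the page, while a missing declaration leaves the browser default in place. The following is an added example written for this edit, not code from the thread or from the Topics API project. It parses the Permissions-Policy header value and classifies a site's Topics exposure so an operator of a regulated site can verify the header is actually present and actually closed; the site names and header sets are constructed samples.

```python
"""Classify a site's Topics API exposure from its response headers.

Added example (not from the issue thread or the Topics API project).
Assumption: the opt-out mechanism is the Permissions-Policy feature
``browsing-topics``; ``browsing-topics=()`` denies it to every origin.
"""
from typing import Dict, List, Tuple

FEATURE = "browsing-topics"


def _split_top_level(value: str) -> List[str]:
    """Split a header value on commas that are not inside parentheses."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy value into {feature: allowlist tokens}.

    Handles ``feature=(token token ...)`` as well as the bare forms
    ``feature=*`` and ``feature=self``. Tokens are kept verbatim, so a
    quoted origin comes back as ``'"https://ads.example"'``.
    """
    policy: Dict[str, List[str]] = {}
    for member in _split_top_level(value):
        member = member.strip()
        if not member:
            continue
        if "=" not in member:
            policy[member.lower()] = []  # bare feature name: empty allowlist
            continue
        feature, raw = member.split("=", 1)
        raw = raw.strip()
        tokens = raw[1:-1].split() if raw.startswith("(") and raw.endswith(")") else [raw]
        policy[feature.strip().lower()] = tokens
    return policy


def topics_status(headers: List[Tuple[str, str]]) -> str:
    """Return 'missing', 'denied', 'allowed-all' or 'allowed-list'.

    Header names are matched case-insensitively. If the feature appears in
    more than one Permissions-Policy header, the later declaration wins
    here (a simplification of how browsers merge repeated headers).
    """
    tokens = None
    for name, value in headers:
        if name.lower() != "permissions-policy":
            continue
        policy = parse_permissions_policy(value)
        if FEATURE in policy:
            tokens = policy[FEATURE]
    if tokens is None:
        return "missing"       # no declaration: browser default applies
    if not tokens:
        return "denied"        # browsing-topics=()
    if "*" in tokens:
        return "allowed-all"   # browsing-topics=*
    return "allowed-list"      # browsing-topics=(self "https://...")


# Constructed sample responses (site names and headers are made up).
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    "health-portal.example (hardened)": [
        ("Content-Type", "text/html"),
        ("Permissions-Policy", "browsing-topics=(), geolocation=()"),
    ],
    "health-portal.example (misconfigured)": [
        ("permissions-policy", 'geolocation=(), browsing-topics=(self "https://ads.example")'),
    ],
    "news.example": [("Permissions-Policy", "browsing-topics=*")],
    "blog.example": [("Content-Type", "text/html")],
}


def audit(samples: Dict[str, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Run topics_status over every sampled site; flag anything not 'denied'."""
    return {site: topics_status(headers) for site, headers in samples.items()}


if __name__ == "__main__":
    for site, status in audit(SAMPLES).items():
        flag = "" if status == "denied" else "  <-- review"
        print(f"{site}: {status}{flag}")
```

A result of "missing" is the case the comment above is about: the site has done nothing, so the browser default governs whether Topics is available to every script on the page. Only "denied" shows the header both present and closed; an "allowed-list" entry is worth checking against the list of third-party scripts the site actually intends to run.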

@jkarlin
Collaborator

jkarlin commented Jun 22, 2023

IANAL so can't comment on any legality issues directly, but I do believe that Chrome does have different opt-in vs opt-out behavior for Topics in different regions of the world.
