
Does Google's Topics API have a consent flag that we can use similar to the US Privacy String/USPAPI? #63

Closed
SebastianZimmeck opened this issue Aug 2, 2023 · 9 comments
Labels
core functionality New big feature exploration Explore adding a feature etc.

Comments

@SebastianZimmeck
Member

As Google has begun to roll out the Topics API as a replacement for third party cookie tracking, is there a flag in the Topics API similar to the US Privacy String/USPAPI?

Screenshot 2023-08-02 at 3 30 37 PM

For example, in the above picture there is an API call and it shows a GDPR consent flag (albeit, with the value encrypted or serialized). So, that begs the above question. If there is such a flag in the Topics API, could we leverage it in lieu of the US Privacy String/USPAPI?

Is Google possibly using the Restricted Data Processing (RDP) flag in the context of the Topics API?

@OliverWang13 will take the lead on this with @katehausladen helping.

@SebastianZimmeck SebastianZimmeck added core functionality New big feature exploration Explore adding a feature etc. labels Aug 2, 2023
@OliverWang13
Collaborator

OliverWang13 commented Aug 7, 2023

To clarify, is this reporting a call being made by Criteo to the user (possibly, on the site www.fernsehserien.de)?

That is to say, it is not what the Topics API returns when called. I ask because it is possible that the line content concerning the GDPR is coming from Criteo's end. Looking through the Topics documentation, I do not see any sign of including opt-out signals in the API. I also looked through the open issues on the Topics GitHub and this issue looks relevant. In it, eligrey (who we have interacted with in our optmeowt repo) says "Implementors: Regardless of opt-in signals, you must also support existing opt-out signals (e.g. Do Not Track if offered by the browser)." This, and the lack of any mention of opting out in the documentation, leads me to believe that the business of opting out will be handled on the browser end and not through the Topics API. For example, the browser checks the opt-out signal and if it does not have consent, it does not send any topics information to ad networks.

As a follow-up, would the presence of a GPC signal mean that the site itself could not take a look at the topics information?

@OliverWang13
Collaborator

dmarti, who I believe you are connected to as well, is quite active on the GitHub. In this issue, there is a reference to some opt-out language in the readme. It says:

"If the user opts out of the Topics API, or is in incognito mode, or the user has cleared all of their history, the list of topics returned will be empty"

"The Topics API will have a user opt-out mechanism"

However, I believe these indicate that the user can opt out of the Topics API, but they will likely not have a tool for opting out of all sales in general.

@Jocelyn0830
Collaborator

I agree with @OliverWang13 that they will likely not have a tool for opting out of all sales. And I didn't find anything related to a consent flag in their GitHub/documents. In their GitHub there are a couple of issues talking about whether the Topics API should be considered a "sale" of personal information, but the developer refused to directly answer the question.

This issue here points out that it is possible to develop an extension that removes a topic from the local topic information store. It seems to me that we can have an extension that checks if the website obeys the law and removes/blacklists those topics. But this should be something we thought of a while ago.

Something I plan to do next: I will see if I can try using the Topics API myself. It may be useful to look at what it returns and check the network tab of the browser inspection tool.

@SebastianZimmeck
Member Author

> Something I plan to do next: I will see if I can try using topics api myself.

Sounds good! It seems that there is nothing concrete for us to do here. But before we move on, it would be good, indeed, if you can get a basic understanding of the Topics API, @Jocelyn0830. Especially, how does a website request the topics? And are there any settings a website can make, e.g., more privacy-preserving topic serving or something similar? Maybe, spend a week or so on this, @Jocelyn0830.

@SebastianZimmeck
Member Author

> Does Google's Topics API have a consent flag that we can use similar to the US Privacy String/USPAPI?

The answer is "No."

@SebastianZimmeck
Member Author

One side point:

Is Google Topics API selling, sharing, targeting per state privacy laws? So, if people enable GPC, would that require turning off the Topics API? It is not an immediately relevant question for us, but would need to be answered eventually. I do not think anybody looked into that.

@Jocelyn0830
Collaborator

With the Topics API, the browser observes and records topics that appear to be of interest to the user, based on their browsing activity. This information is recorded on the user's device. The Topics API can then give API callers (such as ad tech platforms) access to a user's topics of interest, but without revealing additional information about the user's browsing activity.

It seems that after calling the Topics API, a website can get the topics directly. (Personally, I think that is what the Topics API is for.)

In more detail,

An API caller is said to have observed a topic for a user if it has called the document.browsingTopics() method in code included on a site that the Topics API has mapped to that topic.
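
Added example, not part of the thread and not code from the Topics API project: since the thread finds no consent flag in the API, a calling site that wants to honor an opt-out has to gate `document.browsingTopics()` itself. The sketch assumes Global Privacy Control is exposed as `navigator.globalPrivacyControl`; `topicsGate` and `getTopicsIfPermitted` are hypothetical helper names, and treating GPC as a reason to skip the call is a policy assumption that the thread leaves open.

```javascript
// Added example: caller-side gate around document.browsingTopics().
// Assumption: GPC is read from navigator.globalPrivacyControl (a boolean
// in browsers that implement it). Treating GPC as "do not call Topics" is
// a policy choice of this sketch, not a behaviour of the Topics API.

// Decide whether to call the API. `nav` and `doc` are passed in so the
// logic can be exercised outside a browser with constructed objects.
function topicsGate(nav, doc) {
  if (!doc || typeof doc.browsingTopics !== 'function') {
    return { call: false, reason: 'unsupported' };
  }
  if (nav && nav.globalPrivacyControl === true) {
    return { call: false, reason: 'gpc-opt-out' };
  }
  return { call: true, reason: 'no-opt-out-signal' };
}

// Resolves to { topics, reason }. An empty topics array is also what the
// browser returns when the user opted out of Topics, is in incognito mode,
// or cleared history (per the README text quoted in this thread), so the
// caller cannot tell those cases apart from "no topics yet".
async function getTopicsIfPermitted(nav, doc) {
  const gate = topicsGate(nav, doc);
  if (!gate.call) {
    return { topics: [], reason: gate.reason };
  }
  try {
    const topics = await doc.browsingTopics();
    return { topics, reason: gate.reason };
  } catch (err) {
    // Treat a rejected call the same as "no topics available".
    return { topics: [], reason: 'call-rejected' };
  }
}

// In a page: getTopicsIfPermitted(navigator, document).then(console.log);
```

Because the gate runs in the caller's own script, it only constrains that caller; third-party scripts on the same page make their own calls.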

@Jocelyn0830
Collaborator

Also, I didn't find any explicitly more privacy-preserving settings that websites can make. Based on my understanding, the websites can only get zero to three random topics. As I read in the Topics API's document, they claim that their mechanism has reduced fingerprinting, which helps ensure that it is difficult to re-identify significant numbers of users across sites using the Topics API alone.

@SebastianZimmeck
Member Author

Thanks, @Jocelyn0830!

> Based on my understanding, the websites can only get zero to three random topics.

How is it determined how many random topics a caller receives?

Also, in general, what you are saying then is that there is no "privacy-preserving" Topics API call. The Topics API as a whole is sufficiently privacy-preserving, per Google, that no special GDPR, CCPA, etc. mode needs to exist. Is that so?

4 participants