Drupal CMS-compatible consent management

Created on 11 December 2024, about 2 months ago

Problem/Motivation

When using non-self-hosted providers (and that means all providers that will be shipped in the CMS 1.0 recipe), user interaction with AI bots, automatic generation of alt text, and other tasks performed by AI modules result in data being sent to third-party servers.

This data may contain sensitive information, but even if it doesn't, users initiating an AI transaction need to consent to data processing by a third party.

Remaining tasks

Discuss possible UX and DX of consent management. Should it be global? Per AI task type (bots/translation/image manipulation), or per task? How will it work with different providers?

User interface changes

TBD

API changes

TBD

📌 Task
Status

Active

Version

1.0

Component

Miscellaneous

Created by

🇧🇬Bulgaria valthebald Sofia


Comments & Activities

  • Issue created by @valthebald
  • 🇬🇧United Kingdom MrDaleSmith

    I don't believe this is an issue for the AI module to resolve: consent management is an issue that affects a website globally, and all organisations are required to come up with a solution for it. It is a complex area legally and needs to take into account the specific data and staff requirements of the organisation processing the data (i.e. the website owner). Any solution we put in place just for the AI module could conflict with the policy elsewhere, would be onerous to maintain and would give the impression we give legal indemnity for data-related issues, which we don't.

    Drupal has some modules designed to assist with GDPR management: we would be better letting them handle this issue.

  • 🇧🇬Bulgaria valthebald Sofia

    @mrdalesmith: this issue is not about consent management in general (this should be handled elsewhere, and Drupal CMS is going to use Klaro manager for that), but about getting user consent when data is sent for external data processing by the provider.

    For locally hosted providers like llama, this is not an issue, but when a user communicates with (as an example) a chatbot, they need to be aware their input may be sent outside of the website.

  • 🇬🇧United Kingdom MrDaleSmith

    I'd still say that is something for the site's GDPR and consent management to worry about, not this specific module, but if you want to do it have at it.

  • 🇩🇪Germany joachim namyslo Kulmbach 🇩🇪 🇪🇺

    It's not that simple.

    There has to be a hint for data transfer as soon as an administrator wants to store a key to activate an AI. This is indeed an issue for all modules that access external data sources. That's why the issue is in good hands here. At the latest before activating the connection between Drupal and the AI service, the site operator should have a corresponding passage in his privacy policy. To do this, however, they must know that we transfer data to third parties as soon as the key has been saved.

    I'm just saying this to make it easier to understand. This will certainly require corresponding interfaces from the AI module to Klaro and possibly even to the GDPR module. That's why the issue fits here. A note that you should check your privacy policy before activating an AI provider is the minimum.

  • 🇦🇺Australia pameeela

    Is this issue up to date with the Drupal CMS recipe? The recipe integrates with Klaro and configures consent management as part of the recipe. So I think this can be closed?
