- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Tue, 03 Aug 2021 14:01:45 +0000
- To: public-webauthn@w3.org

I am familiar with that statement in the spec, Anders (@cyberphone); but, in that transaction the Merchant is attempting to get an _assertion_ from the Consumer. What we're discussing here is the creation of a credential. Without GDPR/CCPA-like notices and consents at the time PII is created/collected, the transaction could be deemed in violation of the laws.

Additionally, the following sub-article of GDPR Article 7 indicates Merchants/PSPs cannot coerce Consumers into registering FIDO credentials - but Banks could if they changed their terms and required FIDO registration _before_ the payment instrument was used.

_4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract._

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-891872795 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 3 August 2021 14:01:46 UTC