GDPR-compliance for Prebid Server cookiesyncs

[dbemiller]

Prebid.js cookie syncs with Prebid Server violate GDPR. See prebid/prebid-server#501 for more details.

If the GDPR module is included, please include the following properties in the POST /cookie_sync request body to Prebid Server:

{
  "gdpr": 1,
  "gdpr_consent": "vendor-consent-string"
}

If GDPR is in effect:

• gdpr should be 1
• gdpr_consent must be the Unpadded base64-URL
  encoded vendor consent string. This should be the same as you use in request.user.ext.consent for /openrtb2/auction payloads.

If GDPR is not in effect:

• gdpr should be 0
• gdpr_consent should be undefined

If the GDPR status is uncertain:

• gdpr should be undefined
• gdpr_consent is optional, but you should send it if you have it.

If the GDPR module is not included, then the status is uncertain. gdpr should be undefined, and gdpr_consent is optional.

Let me know if you have any questions or concerns.

Thanks!

[bretg]

While we're address this, can we cover #2242 ? I think this is the same piece of code. We haven't been able to get to it.

[jsnellbaker]

@dbemiller if the module is disabled, does that fall into the 'GDPR is not in effect' bucket or should we just not add the gdpr and gdpr_consent fields at all to the POST request?

[jsnellbaker]

@bretg I will aim to include that issue you noted as part of my changes here.

[dbemiller]

@jsnellbaker in that case, don't add the gdpr or gdpr_consent fields at all to the POST request.

I updated the top post to reflect this. Thanks for the catch!

[dbemiller]

@jsnellbaker safe to close this?

[jsnellbaker]

Yes - this change was merged in as part of the 1.11.0 release.