USP module support for GPC

[patmmccann]

Type of issue

Feature request

Description

CA government officials have indicated GPC should be treated as peer with USP string https://twitter.com/AGBecerra/status/1354850321692934144 . We'd like to allow publishers to do a setConfig to read from the GPC api and change us privacy strings that consentmanagementusp.js passes to core from 1YYY (or 1---) to 1YNY when the GPC api is more conservative than the existing setting.

We imagine the workflow would be publishers would set this config everywhere, nowhere, or only when CCPA or similar legislation applies according to their own perogative and if the third option, they would remain responsible for detecting if it applies.

[bretg]

Spoke with a couple of different privacy lawyers on this. The advice we received is to just pass the GPC HTTP header through the system and let bidders deal with it for now. I've also reached out to the IAB to get their take.

When CA writes a law linking CCPA and GPC more formal than a tweet, hopefully the IAB will react quickly and we'll follow their lead.

So for now, nothing to do on Prebid.js. I've opened prebid/prebid-server#1712 to track the Prebid Server update. Once the issue of jurisdiction is more clear, we'll update this and PBS may tie the header to US Privacy or perhaps treat it like LMT.

[dmarti]

It seems like it makes the most sense to have the us-privacy string as the canonical value, and check GPC in one place only, then write us-privacy as appropriate given the GPC value. The publisher can do this, since they already have to set us-privacy when the "Do Not Sell" link on the page is clicked.

[gglas]

@dmarti closing, thanks so much