Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prebid.js sends wrong gdpr flags to prebid-server #6414

Closed
rsnigel opened this issue Mar 14, 2021 · 6 comments
Closed

Prebid.js sends wrong gdpr flags to prebid-server #6414

rsnigel opened this issue Mar 14, 2021 · 6 comments

Comments

@rsnigel
Copy link

rsnigel commented Mar 14, 2021

Prebid.js is interpreting __tcfapi incorrect and sending wrong flags to prebid-server when GDPR does not apply.

When GDPR applies, the handling is correct.
If GDPR does not apply, https://github.com/prebid/Prebid.js/blob/master/modules/prebidServerBidAdapter/index.js#L192 checks for if (typeof gdprConsent.consentString !== 'undefined') which is incorrect.

A certified IAB CMP does not need to return a valid tcString outside of GDPR. Typical CMP's only return gdprApplies = false.

Example of typical CMP response:

__tcfapi('getTCData', 2, (tcData, success) => { console.log(success); console.log(tcData); });

cmpId: 3
cmpVersion: 1
gdprApplies: false
tcfPolicyVersion: 2

If there is a __tcfapi available, the line payload.gdpr = (gdprConsent.gdprApplies) ? 1 : 0; is enough and the if should be removed.

What is the result of this bug. Prebid-server does not get a gdpr=0 flag and if usersync_if_ambiguous=false, prebid-server rejects all user syncs which breaks prebid-server completely outside of gdpr. The workaround is to set usersync_if_ambiguous=true which is questionable from a legal point of view.
@patmmccann
Copy link
Collaborator

As an example of a typical response one can see on wsj.com

__tcfapi('getTCData', 2, (tcData, success) => { console.log(success); console.log(tcData); }); VM238:1 true VM238:1 t {cmpId: 6, cmpVersion: 1, gdprApplies: false, tcfPolicyVersion: undefined, eventStatus: "tcloaded", …} addtlConsent: "1~" cmpId: 6 cmpStatus: "loaded" cmpVersion: 1 eventStatus: "tcloaded" gdprApplies: false listenerId: null tcfPolicyVersion: undefined __proto__: t.Response

@wqi1972 as potentially affected

@bretg
Copy link
Collaborator

bretg commented Mar 17, 2021

Nice analysis @rsnigel - care to open a PR to fix?

@patmmccann
Copy link
Collaborator

patmmccann commented Mar 17, 2021
edited
Loading

Linking the blame, @jaiminpanchal27 added this to avoid empty string errors #2766 #2530 introduced

@patmmccann patmmccann mentioned this issue Mar 17, 2021
Merged
@ChrisHuie
Copy link
Collaborator

closing with merge of #6429

@patmmccann
Copy link
Collaborator

patmmccann commented Apr 1, 2021
edited
Loading

Fyi @rsnigel usersync if ambiguous default is changing with prebid/prebid-server#1786 @SyntaxNode do you agree with OPs concern around legality?

@hhhjort
Copy link
Contributor

hhhjort commented Apr 6, 2021

prebid/prebid-server#1786 is now on hold as the legality is being called into question. One one hand, all publishers impacted by GDPR should be sending GDPR signals by now, and seems that small publishers with no EU presence should not be forced to send gdpr signals to confirm that the gdpr does not apply. On the other hand, not knowing if a user is in the EU does not absolve us from following the GDPR if the user actually is in the EU.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@patmmccann @ChrisHuie @bretg @hhhjort @rsnigel