Controlling GDPR behavior for AMP

[bretg]

We discussed in the Prebid Server committee that publishers sometimes implement GDPR differently for AMP and Web due to differences in the CMPs available. The request has come up to enable accounts to turn off GDPR enforcement at the integration type level: AMP/Web/App.

The TCF2 requirements at https://docs.google.com/document/d/1fBRaodKifv1pYsWY3ia-9K96VHUjd8kKvxZlOsozm8E/edit# have been updated with proposed config. See requirement 21 in the Prebid Server section.

The proposed account config is:

• account.A.gdpr.integration_enabled.amp: true/false // default to account.A.gdpr.enabled
• account.A.gdpr.integration_enabled.app: true/false // default to account.A.gdpr.enabled
• account.A.gdpr.integration_enabled.web: true/false // default to account.A.gdpr.enabled
• account.A.gdpr.integration_enabled.video: true/false // default to account.A.gdpr.enabled

We don't believe there's a need to control the integration behavior at the purpose level.

Notes:

• /cookie_sync and /setuid are not separately controllable -- they're used across all of the integration types, so depend only on the status of account.A.gdpr.enabled.
• there's no cross-account mechanism for turning off GDPR enforcement for one integration type. This is purely a per-account control.
• if account.A.gdpr.enabled is not defined, then the host-level gdpr.enabled is used as a default for integration_enabled

This is related to Issue #1312

[bretg]

This feature is in PBS-Java 1.41

[SyntaxNode]

This is implemented in PBS-Go 0.137.0.