Add conditional GDPR Vendor override for publishers.

[hhhjort]

Publishers may have out of band reasons to allow certain user's requests to bypass the vendor checks. They or their affiliates may have special contracts with technology providers (bidders) that keeps all user data siloed as the property of the publisher, rather than the bidder. Or they may have other signals and conditions in place to believe consent for a vendor is in place that is not properly reflected in the consent string. This issue proposes a signal in the request to bypass the consent checking on the GVL side of the equation in the request.

The signal in the request would look something like this:

{ "ext":{ "prebid": {"skip_gvl_bidders": [ "bidder1", "bidder2" ] }}}
In the GDPR processing, checks for that bidder would essentially drop to basic enforcement, and skip the check for the user consenting to the bidder, disabling that bidder from GDPR enforcement just for the context of this one request.

[bretg]

Vendor exceptions are already supported at the account, but in config.

account.A.gdpr.purpose.P.vendorExceptions

Why is this useful (and safe) as a request-level config?

If there is a compelling reason, I'd suggest that we utilize the same naming pattern as the config:

{ "ext":{ "prebid": {"gdpr": {"purpose1": "vendorexceptions": [ "bidder1", "bidder2" ] }}}}

[bretg]

Discussed in committee and clarified that the request here is more nuanced than the original requirements. The goal is to enforce the purpose overall, but not the per-vendor checks. In otherwords, drop back to "basic" enforcement for particular account/bidder combinations. Also, request-level config isn't the important part here and can be deferred. Here's a proposed configuration:

account.A.gdpr.basicEnforcementVendors: ["bidderA", "bidderB"]

The behavior is that when a request for this account comes in, consent for the named bidders follows the "basic" route, which means that GVL checks are not done. Bidders not on the list are still checked for full vendor consent.

[bretg]

I've updated the Prebid TCF doc -- https://docs.google.com/document/d/1fBRaodKifv1pYsWY3ia-9K96VHUjd8kKvxZlOsozm8E/edit#

Proposed generalizing this feature:

• added a new feature called "weakVendorException" which would be added to Prebid.js
• the 'basicEnforcementVendors' feature in PBS does two things: drops the enforcement activity down to "basic" for this bidder AND enables the "weakVendorException" feature.

[SyntaxNode]

GitHub automatically closed this issue when we merged in the PBS-Go PR. Re-opening.

[SyntaxNode]

Implemented in PBS-Go 0.155.0.

[bretg]

released with PBS-Java 1.63