GDPR and Prebid.js #501

Closed
dbemiller opened this issue May 10, 2018 · 1 comment
dbemiller commented May 10, 2018

Disclaimer: I'm a software engineer, not a lawyer. This is not intended as legal advice, and concerned parties should check with their legal counsel.

Summary

I don't believe that Prebid Server is GDPR-ready for host companies. I believe we can make it compliant before the May 25 deadline.

Publishers will need to update Prebid.js versions once some issues in those projects are fixed (see below).

Concerns

Prebid Server uses a Cookie to store the user's ID for each Bidder. A summary of GDPR and Cookies can be found here.

Prebid Server has two endpoints involved in cookie syncing: /cookie_sync and /setuid. Docs about these can be found at:

Specifically, the /setuid endpoint writes to the Cookie of the Prebid Server host company, which I believe is a GDPR liability for them.

How does Prebid.js use these?

Prebid.js calls the /cookie_sync URL during the call to setConfig, unless the syncEndpoint is undefined in that payload.

These syncs occur in the source code here.

Compliance

The IAB includes a spec for passing consent strings through HTTP Services. Given the May 25 deadline, we plan to support a subset of their guidelines for now.

Specifically, we plan to add optional gdpr and gdpr_consent query params to /cookie_sync and /setuid. If given, these endpoints will be no-ops unless the Prebid Server Host company has the user's consent to save cookies. If not present, the host company will be able to configure PBS so that the code allows all syncs, or prevents all syncs.

For May 25, Prebid Server will also avoid syncs with Bidders who don't have consent for ad personalization. In the future Bidders may be allowed to override this behavior if their usersync endpoints are GDPR-aware.

In the future, we will add support for GeoIP lookup services to PBS. However, we do not expect this to be done by May 25. Any help designing or building GeoIP support more quickly is welcome.

For code changes, the plan is to:

  1. Enhance the Usersyncer so that Bidders can identify themselves as one of the global vendors (GDPR-aware Usersyncers #502)
  2. Add some app config params so that host companies can also identify themselves as one of the global vendors, and configure whether PBS should take a "safe" (sync nothing) or "risky" (sync everything) strategy if the gdpr params aren't present (Added GDPR to the app config #505)
  3. Update the Prebid.js GDPR module to forward the gdprApplies and vendorConsents string during cookie syncs with Prebid Server. (GDPR - add consent information to PBS cookie_sync request Prebid.js#2530)

What does this mean for me?

Prebid.js Publishers

Make sure you're using Prebid.js 1.11 or later (see prebid/Prebid.js#2516), and include the GDPR module in your build.

Check with the company hosting your Prebid Server instance to see how they're setting the GDPR config options from #503 in production.

If you don't like their policy, or this ticket doesn't get closed before May 25, you can take a "safe" approach by changing your s2sConfig.syncEndpoint to be undefined. This will prevent cookie syncs altogether.

Prebid Server Host Companies

Register as a GDPR vendor and update your app config per #505 when it is released. Make sure you're running the newest tag of PBS in production come May 25.

Bidders

If you're already on the global vendor list, check #502 and make sure that the ID added to your Usersyncer is in fact the right one.

If not, register as one and then submit a PR updating your Usersyncer in the project. If you fail to do this, your cookie sync rate will go down as PBS host companies deploy GDPR-aware code.

If your Sync endpoint accepts GDPR consent info, you may also want to submit a PR to forward them. The consent params are passed to the Usersyncers in #517.

Out of scope

These are out of scope for now, because they're simply too big to finish by May 25. They'll likely be scheduled for the future though. If you're interested in contributing, please speak up!

  1. If the gdpr query flag is undefined, we should do a GeoIP lookup to find out if the request is coming from the EU. Since there are many GeoIP services out there, this will probably be another module like the Metrics or Stored Request backends.

  2. Some publishers intend to claim a Legitimate Interest with adtech vendors in their pubvendors.json file. This will not be supported for this ticket.

@dbemiller dbemiller changed the title GDPR with Prebid.js Integration GDPR and Prebid.js May 10, 2018
@dbemiller dbemiller self-assigned this May 10, 2018
@bretg
bretg commented May 10, 2018

Thanks for posting this Dave. Talking with folks here, another thing to add:

In order to set a cookie on a user's device, the PBS host needs to verify that its vendor ID has consent for Purpose 1: Information storage and access. i.e. Rubicon (vendor 52) will need consent for Purpose 1 in order for our PBS cluster to set the uids cookie. This implies that each PBS cluster will need to know its vendor ID, so another config entry.
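The gating rule described in the plan above (optional gdpr/gdpr_consent params on /cookie_sync, the host's "safe" or "risky" default when they are absent, bidders synced only with vendor consent) combined with the Purpose 1 requirement from the comment above, as an added Go example that is not Prebid Server's own code. ConsentInfo, HostConfig, SyncDecision and the purpose ID 3 used for "ad personalization" are this example's assumptions; decoding the IAB consent string is assumed to happen elsewhere.

```go
package main

import (
	"fmt"
	"net/url"
)

// ConsentInfo is a decoded gdpr_consent string (decoding assumed elsewhere; this shape is the example's own).
type ConsentInfo struct {
	Purposes map[int]bool // purpose ID -> consented
	Vendors  map[int]bool // global vendor list ID -> consented
}

// HostConfig mirrors the proposed app config: the host's own vendor ID and the
// strategy for requests without a gdpr param ("risky" syncs all, "safe" none).
type HostConfig struct {
	VendorID     int
	SyncIfNoGDPR bool // true = risky, false = safe
}

const (
	purposeStorage         = 1 // Purpose 1: information storage and access
	purposeAdPersonalizing = 3 // assumed purpose ID for "ad personalization"
)

// SyncDecision returns the bidders (name -> vendor ID, 0 = unregistered) that /cookie_sync may sync; nil = host may not set its uids cookie.
func SyncDecision(q url.Values, cfg HostConfig, consent *ConsentInfo, bidders map[string]int) []string {
	gdpr := q.Get("gdpr")
	if gdpr == "" && cfg.SyncIfNoGDPR {
		gdpr = "0" // risky: an absent flag is read as "GDPR does not apply"
	} else if gdpr == "" {
		consent = nil // safe: without the flag, a stray gdpr_consent is not evidence
	}
	applies := gdpr != "0" // "1" and any unrecognised value both require consent
	// The host needs Purpose 1 consent for its own vendor ID before writing any cookie.
	if applies && (consent == nil || !consent.Vendors[cfg.VendorID] || !consent.Purposes[purposeStorage]) {
		return nil
	}
	allowed := []string{}
	for name, vendorID := range bidders {
		if !applies || (vendorID != 0 && consent.Vendors[vendorID] && consent.Purposes[purposeAdPersonalizing]) {
			allowed = append(allowed, name)
		}
	}
	return allowed
}

func main() { // sample run with constructed consent: host vendor 52 consented for purposes 1 and 3
	fmt.Println(SyncDecision(url.Values{"gdpr": {"1"}}, HostConfig{VendorID: 52}, &ConsentInfo{Purposes: map[int]bool{1: true, 3: true}, Vendors: map[int]bool{52: true}}, map[string]int{"rubicon": 52, "newcomer": 0}))
}
```

An empty non-nil result means the host may set its cookie but no bidder has consent, which is distinct from the nil "endpoint is a no-op" case.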
