GDPR Endpoint Logic

[dbemiller]

This issue describes incoming changes to the cookie sync endpoints for GDPR support. For an overview of GDPR in Prebid Server, see #501.

For the complementary changes to Prebid.js, see prebid/Prebid.js#2516.

Changes to /cookie_sync

This endpoint will respect two new optional parameters.

{
  "gdpr": 1,
  "gdpr_consent": "BONciguONcjGKADACHENAOLS1rAHDAFAAEAASABQAMwAeACEAFw"
}

gdpr should be 1 if GDPR is in effect, 0 if it's not, and undefined if clients are unsure.

gdpr_consent should be the unpadded base64-URL
encoded vendor consent string. It is required if gdpr is 1, and optional otherwise. If gdpr is undefined, it is optional, but highly encouraged.

Changes to /setuid

This endpoint will respect the same values as /cookie_sync, but as query params.

For example: GET /setuid?bidder=adnxs&uid=12345&gdpr=1&gdpr_consent=BONciguONcjGKADACHENAOLS1rAHDAFAAEAASABQAMwAeACEAFw

Behavior

If gdpr is 0: The gdpr_consent string will be ignored, and both endpoints will work exactly like they do today.

If gdpr is 1: Both endpoints will no-op unless thegdpr_consent string gives the PBS host permission to save cookies. /cookie_sync will only return syncs for bidders with who have consent to read cookies.

If gdpr is not defined: The Prebid Server host can configure the behavior to assume that GDPR is in effect or not (see #503). If they think GDPR is in effect, behave like a 1. If not, behave like a 0.

Callers should always send in the gdpr_consent string if it's available because it will increase your cookie sync rate with publishers who are playing it safe legally.

Questions and complex details

1. Will the endpoints delete the cookie if the host company doesn't have consent?

No. See section 7, response 3 of this doc

2. How do we verify that the PBS host has permission to set cookies?

The Consent string must allow Purpose 1 ("Information Storage and Retrieval") and Vendor {id}
(where id` is configurable by the PBS host company in #505). In addition, that PBS host must
declare itself as using Purpose 1 in the Global Vendor List version encoded by the consent string.

The PBS host must declare this purpose in the GLV because that affects how the CMP UI
describes choices to the user. See section 4, number 5, bullet 1, sub-bullet 3 of this doc

• List of vendors with corresponding purposes and links to their privacy policies

Out of scope

Any support for legitimate interest. We only act on explicit consent.

Allowing Bidders to "signal" that their usersync endpoints are GDPR-aware, so that /cookie_sync can always return syncs for them, and assume that their endpoint will respect the consent string.

[bretg]

Looks good in general. Some proposed clarifications:

• perform usersyncs for /cookie-sync means "write usersync URLs into the response"
• perform usersyncs for /setuid means "update the uids cookie value"

[bretg]

More proposed clarifications:

• if Purpose 1 is granted, but no bidder is allowed Purpose 3:
  • for /cookie-sync, the response will not set any URLs
  • for /setuid, the uids cookie will still be set, but it will not contain any bidder keys
• if PBS finds a uids cookie but no longer has Purpose 1 consent to update the cookie, it needs to be deleted.
• if PBS finds a bidder that formerly had a uid in the uids cookie, but no longer has consent for Purpose 3, the uid for that bidder must be removed.

Also, we need to discuss whether we're going to add storageConsent information in the uids cookie as described in #501 -- Rubicon is implementing a similar 'pseudo-audit-trail' in a different GDPR context to be able to explain to users (and regulators I suppose) why that cookie exists.

[dbemiller]

Those all sound good... initial post has been updated. Let me know if I misunderstood, missed, or misrepresented anything.

[bretg]

We're ok stepping back from the per-bidder Purpose 3 checks noted above for now. Purpose 1 (setting the cookie) is the primary requirement.

[dbemiller]

Post updated.

Last open issue (I think): There are different versions of the Vendor list, and a given consent string only applies to a particular version of this list.

Vendors in the vendor list are allowed to claim "information storage and retrieval" as either a consentable purpose (purposeId), or a "legitimate interest" (legIntPurposeId).

My amateur understanding is that the user's consent only applies to the purposeId values in that vendor list. If they list 1 as a legIntPurposeId, then that host should be allowed to sync regardless of user consent. And if 1 isn't listed in either key, then they should not be allowed to write to the cookie regardless of the user's consent with that particular company.

Let me know if that gels with your legal team.