GDPR Endpoint Logic #504
Comments
Looks good in general. Some proposed clarifications:

More proposed clarifications:

Also, we need to discuss whether we're going to add storageConsent information in the

Those all sound good... initial post has been updated. Let me know if I misunderstood, missed, or misrepresented anything.

We're ok stepping back from the per-bidder Purpose 3 checks noted above for now. Purpose 1 (setting the cookie) is the primary requirement.

Post updated. Last open issue (I think): There are different versions of the Vendor list, and a given consent string only applies to a particular version of this list. Vendors in the vendor list are allowed to claim "information storage and retrieval" as either a consentable purpose ( My amateur understanding is that the user's consent only applies to the Let me know if that gels with your legal team.
This issue describes incoming changes to the cookie sync endpoints for GDPR support. For an overview of GDPR in Prebid Server, see #501.
For the complementary changes to Prebid.js, see prebid/Prebid.js#2516.
Changes to /cookie_sync

This endpoint will respect two new optional parameters.

- `gdpr` should be `1` if GDPR is in effect, `0` if it's not, and undefined if clients are unsure.
- `gdpr_consent` should be the unpadded base64-URL-encoded vendor consent string. It is required if `gdpr` is `1`, and optional otherwise. If `gdpr` is undefined, it is optional, but highly encouraged.

Changes to /setuid

This endpoint will respect the same values as `/cookie_sync`, but as query params. For example:

GET /setuid?bidder=adnxs&uid=12345&gdpr=1&gdpr_consent=BONciguONcjGKADACHENAOLS1rAHDAFAAEAASABQAMwAeACEAFw

Behavior

- If `gdpr` is `0`: The `gdpr_consent` string will be ignored, and both endpoints will work exactly like they do today.
- If `gdpr` is `1`: Both endpoints will no-op unless the `gdpr_consent` string gives the PBS host permission to save cookies. `/cookie_sync` will only return syncs for bidders who have consent to read cookies.
- If `gdpr` is not defined: The Prebid Server host can configure the behavior to assume that GDPR is in effect or not (see #503). If they think GDPR is in effect, behave like a `1`. If not, behave like a `0`.

Callers should always send in the `gdpr_consent` string if it's available because it will increase your cookie sync rate with publishers who are playing it safe legally.

Questions and complex details

Out of scope

- Any support for legitimate interest. We only act on explicit consent.
- Allowing Bidders to "signal" that their usersync endpoints are GDPR-aware, so that `/cookie_sync` can always return syncs for them, and assume that their endpoint will respect the consent string.
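The behavior above, worked through in Go (the language Prebid Server is written in) as an added example; this is not code from the Prebid Server project. `ParseConsentV1` decodes as much of a TCF v1.1 vendor consent string as the gating needs (vendor list version, the 24 purpose bits, and the per-vendor bits in either the bit-field or the range encoding), and `Evaluate` applies the `gdpr` / `gdpr_consent` rules: `0` ignores the string, `1` requires it, an undefined value falls back to the host's configured assumption, and any other value is treated as in effect so that it fails closed. Assumptions beyond the issue text: the host's own vendor id (1 here) must also carry consent before the cookie is set, the bidder codes are mapped to made-up vendor ids, and the second consent string is constructed for this example (vendor list version 14, purposes 1-3 and vendors 1, 3, 4 and 8 consented, bit-field encoding). The first string is the one from the `/setuid` example above; decoding it shows that purpose 1 is not granted, so under these rules that exact request would no-op.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// ConsentV1 is the part of a TCF v1.1 vendor consent string that the endpoint gating needs.
type ConsentV1 struct {
	VendorListVersion, MaxVendorID int
	purposes                       uint32 // 24 bits, MSB is purpose 1 (information storage and access)
	vendors                        []bool // vendors[i] is the consent bit for vendor id i+1
}

// ParseConsentV1 decodes an unpadded base64url TCF v1.1 vendor consent string (MSB-first bit layout).
func ParseConsentV1(s string) (*ConsentV1, error) {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("gdpr_consent is not unpadded base64url: %w", err)
	}
	pos := 0
	read := func(n int) (v uint64) { // next n bits as an unsigned integer
		for ; n > 0; n-- {
			v <<= 1
			if pos < len(raw)*8 { // bits past the end read as zero; the length check at the end catches that
				v |= uint64(raw[pos/8]>>(7-uint(pos%8))) & 1
			}
			pos++
		}
		return v
	}
	if v := read(6); v != 1 {
		return nil, fmt.Errorf("unsupported consent string version %d", v)
	}
	pos += 36 + 36 + 12 + 12 + 6 + 12 // skip Created, LastUpdated, CmpId, CmpVersion, ConsentScreen, ConsentLanguage
	c := &ConsentV1{VendorListVersion: int(read(12)), purposes: uint32(read(24)), MaxVendorID: int(read(16))}
	c.vendors = make([]bool, c.MaxVendorID)
	if read(1) == 0 { // EncodingType 0: one consent bit per vendor 1..MaxVendorId
		for i := range c.vendors {
			c.vendors[i] = read(1) == 1
		}
	} else { // EncodingType 1: DefaultConsent, NumEntries, then ids/ranges that take the opposite value
		def := read(1) == 1
		for i := range c.vendors {
			c.vendors[i] = def
		}
		for n := int(read(12)); n > 0; n-- {
			isRange, start := read(1) == 1, int(read(16))
			end := start
			if isRange {
				end = int(read(16))
			}
			if pos > len(raw)*8 || start == 0 || end < start || end > c.MaxVendorID {
				return nil, fmt.Errorf("truncated or malformed vendor range entry")
			}
			for id := start; id <= end; id++ {
				c.vendors[id-1] = !def
			}
		}
	}
	if pos > len(raw)*8 {
		return nil, fmt.Errorf("consent string truncated")
	}
	return c, nil
}

// PurposeAllowed reports whether purpose id (1..24) was consented to.
func (c *ConsentV1) PurposeAllowed(id int) bool { return id >= 1 && id <= 24 && c.purposes>>(24-uint(id))&1 == 1 }
// VendorAllowed reports consent for vendor id; ids above MaxVendorId were not on the list version the user saw.
func (c *ConsentV1) VendorAllowed(id int) bool { return id >= 1 && id <= c.MaxVendorID && c.vendors[id-1] }

// Evaluate applies the gdpr / gdpr_consent rules from the issue: may the PBS uids cookie be written, and which
// bidders may /cookie_sync return syncs for. assumeGDPR is the host's fallback for an undefined gdpr (see #503);
// hostVendorID and the bidder ids are hypothetical global vendor list ids chosen by the caller.
func Evaluate(gdpr, gdprConsent string, assumeGDPR bool, hostVendorID int, bidders map[string]int) (setCookie bool, syncs map[string]bool, err error) {
	var c *ConsentV1
	if gdpr != "0" && (gdpr != "" || assumeGDPR) { // gdpr=1, host assumes GDPR, or an unexpected value (fail closed)
		if gdprConsent == "" {
			return false, nil, fmt.Errorf("gdpr_consent is required when GDPR is in effect")
		}
		if c, err = ParseConsentV1(gdprConsent); err != nil {
			return false, nil, err // undecodable consent fails closed: no cookie, no syncs
		}
		if !c.PurposeAllowed(1) || !c.VendorAllowed(hostVendorID) { // no purpose 1 or no consent for the host
			return false, nil, nil // both endpoints no-op
		}
	}
	syncs = make(map[string]bool, len(bidders))
	for name, vid := range bidders { // gdpr=0: every bidder syncs; otherwise only vendors the user consented to
		syncs[name] = c == nil || c.VendorAllowed(vid)
	}
	return true, syncs, nil
}

func main() { // strings: the one quoted in the issue (grants no purpose 1) and a constructed one (purposes 1-3, vendors 1,3,4,8)
	for _, s := range []string{"BONciguONcjGKADACHENAOLS1rAHDAFAAEAASABQAMwAeACEAFw", "BAAAAAAAAAAAAAAAAAENAO4AAAAAhYg"} {
		fmt.Println(Evaluate("1", s, false, 1, map[string]int{"adnxs": 3, "rubicon": 5, "sovrn": 8})) // hypothetical vendor ids
	}
}
```

Ids above `MaxVendorId` are refused rather than defaulted because a vendor added in a later vendor list version was never shown to the user, which is the versioning point raised in the comments; an undecodable or truncated string is an error rather than an all-zero bit field, so a malformed `gdpr_consent` can never grant anything by accident.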