Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TCF2 docs #1892

Merged
merged 4 commits into from
Apr 1, 2020
Merged

TCF2 docs #1892

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
89ccedf
TCF2 docs
bretg Mar 31, 2020
9d2e0c9
Edit the note on GVL ids.
Mar 31, 2020
906fd1b
edits
jeanstemp Mar 31, 2020
4545512
wordsmithing
bretg Mar 31, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions _data/sidebar.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,6 +431,14 @@
sectionTitle:
subgroup: 5

- sbSecId: 1
title: GDPR Enforcement
link: /dev-docs/modules/gdprEnforcement.html
isHeader: 0
isSectionHeader: 0
sectionTitle:
subgroup: 5

- sbSecId: 1
title: Consent Management - US Privacy (CCPA)
link: /dev-docs/modules/consentManagementUsp.html
Expand Down
25 changes: 17 additions & 8 deletions dev-docs/modules/consentManagement.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,18 +24,19 @@ This consent management module is designed to support the EU General Data Protec

This module works with supported [Consent Management Platforms](https://www.cmswire.com/information-management/what-is-a-consent-management-platform/) (CMPs) to fetch an encoded string representing the user's consent choices and make it available for adapters to consume and process.

{: .alert.alert-info :}
See also the [Prebid Consent Management - US Privacy Module](/dev-docs/modules/consentManagementUsp.html) for supporting the California Consumer Protection Act (CCPA)

{: .alert.alert-warning :}
Prebid functionality created to address regulatory requirements does not replace each party's responsibility to determine its own legal obligations and comply with all applicable laws.
**We recommend consulting with your legal counsel before determining how to utilize these features in support of your overall privacy approach.**

Here's a summary of the interaction process:
This base EU GDPR consent management module performs these actions:

1. Fetch the user's GDPR consent data from the CMP.
2. Incorporate this data into the auction objects for adapters to collect.
3. Proceed with the auction.

The optional [GDPR enforcement module](/dev-docs/modules/gdprEnforcement.html) adds on these actions:

3. Allows the page to define which activities should be enforced at the Prebid.js level.
4. Actively enforces those activities based on user consent data.

In the case of a new user, CMPs will generally respond only after there is consent information available (i.e., the user has made their consent choices).
Making these selections can take some time for the average user, so the module provides timeout settings.
Expand Down Expand Up @@ -184,10 +185,12 @@ Follow the basic build instructions in the GitHub Prebid.js repo's main [README]
gulp build --modules=consentManagement,bidAdapter1,bidAdapter2
{% endhighlight %}

You can also use the [Prebid.js Download](/download.html) page.

## Adapter Integration

{: .alert.alert-info :}
Prebid.js adapters don't need to change to support TCF v2.0 if they already support TCF 1.1 -- the consent string is passed through the same bidrequest location. The bidder's endpoint, however, will need to change to support TCF v2.0. Once the endpoint supports TCF2, you can update the documentation.md file as described below above the table showing the list of TCF2-compliant bidders.
Prebid.js adapters don't need to change to support TCF v2.0 if they already support TCF 1.1 -- the consent string is passed through the same bidrequest location. The bidder's endpoint, however, will need to change to support TCF v2.0. Once the endpoint supports TCF2, you can update the documentation.md file as described below above the table showing the list of TCF2-compliant bidders.

If you are submitting changes to an adapter to support this approach, please also submit a PR to the [docs repo](https://github.com/prebid/prebid.github.io) to add the `gdpr_supported: true` variable to your respective page in the [bidders directory](https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders). **This will ensure that your adapter's name will automatically appear on the list of adapters supporting GDPR.**

Expand Down Expand Up @@ -379,7 +382,7 @@ This should be be set to true once the parameters listed above are processed.

## Adapters Supporting TCF v1.1

Bidders on this list have self-declared their TCF 1.1 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "gdpr_supported: true".
Bidders on this list have self-declared their TCF 1.1 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "gdpr_supported: true".

<script src="/assets/js/dynamicTable.js" type="text/javascript"></script>

Expand All @@ -405,7 +408,7 @@ var idx_gdpr=0;

## Adapters Supporting TCF v2.0

Bidders on this list have self-declared their TCF 2.0 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "tcf2_supported: true".
Bidders on this list have self-declared their TCF 2.0 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding "tcf2_supported: true".

<script type="text/javascript">
var adaptersSupportingGdpr2=[];
Expand All @@ -426,3 +429,9 @@ var idx_gdpr=0;
writeDynamicTable({div: "adaptersTableGdpr2", data: "adaptersSupportingGdpr2", sort: "rowFirst", striped: false} );
</script>
</div>

## Further Reading

- [GDPR Enforcement Module](/dev-docs/modules/gdprEnforcement.html)
- [IAB Transparancy and Consent Framework Policies](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/)
- [Prebid Consent Management - US Privacy Module](/dev-docs/modules/consentManagementUsp.html)
201 changes: 201 additions & 0 deletions dev-docs/modules/gdprEnforcement.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
---
layout: page_v2
page_type: module
title: GDPR Enforcement Module
description: Module to enforce GDPR consent
module_code : gdprEnforcement
display_name : GDPR Enforcement
enable_download : true
sidebarType : 1
---

# GDPR Enforcement Module
{: .no_toc }

* TOC
{: toc }

{: .alert.alert-warning :}
This module requires the [EU GDPR consent management module](/dev-docs/modules/consentManagement.html), which reads consent values from the Consent Management Platform (CMP). The GDPR enforcement module
will then enforce the results. See the base module page for general background, usage, and legal disclaimers.

## Overview

The base [EU GDPR consent management module](/dev-docs/modules/consentManagement.html) performs the following actions:

1. Fetch the user's GDPR consent data from the CMP.
2. Incorporate this data into the auction objects for adapters to collect.

This GDPR enforcement module adds the following:

3. Allows the page to define which activities should be enforced at the Prebid.js level.
4. Actively enforces those activities based on user consent data.

The following table details the Prebid.js activities that fall under the [Transparency and Consent Framework (TCF)](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/) scope:

{: .table .table-bordered .table-striped }
| TCF Purpose | In-Scope Activity | Enforcement Activity | Optional Controls |
| --- | --- | --- | --- |
| Purpose 1 - Store and/or access information on a device | usersync pixels | May result in preventing one or more usersync activities for one or more vendors. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
| Purpose 1 - Store and/or access information on a device | user ID modules | May result in preventing one or more UserID modules to not activate. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we get rid of the double negative here (prevent...to not)? Either "May prevent one or more UserID modules from activating" or "May allow one or more UserID modules to activate". (I wasn't sure which was correct.)

| Purpose 1 - Store and/or access information on a device | device storage | May result in preventing one or more adapters or modules not being able to read or write cookies or localstorage in the user's browser. | Do not enforce Purpose 1. Do not enforce Purpose 1 vendor signals. Do not enforce Purpose 1 for vendor V. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please fix the double negative here, it's confusing (preventing...not being able to). Preventing not being able to would be allowing, but not sure that's what's meant.


There are plans to add more TCF Purposes and activities in future releases.

## Page Integration

A page needs to define configuration rules about how Prebid.js should enforce each in-scope activity.

{: .alert.alert-warning :}
**Important Legal Note:** Prebid.org cannot provide legal advice about GDPR or any other governmental regulation. Our aim is to provide a toolkit of functionality that will let publishers configure header bidding as defined by their legal counsel. We will consider feature suggestions, and review any code offered by the community.

These are the fields related to GDPR enforcment that are supported in the [`consentManagement.gdpr`](/dev-docs/modules/consentManagement.html) object:

{: .table .table-bordered .table-striped }
| Param | Type | Description | Example |
| --- | --- | --- | --- |
| gdpr.rules | `Array of Objects` | Lets the publisher override the default behavior. | |
| gdpr.rules[].purpose | `String` | The only currently supported value is "storage", corresponding to TCF Purpose 1. | "storage" |
| gdpr.rules[].enforcePurpose | `Boolean` | Determines whether to enforce the purpose consent or not. The default in Prebid.js 3.x is not to enforce purposes. The plan for Prebid.js 4.0 is to enforce consent for Purpose 1 and no others. | true |
| gdpr.rules[].enforceVendor | `Boolean` | Determines whether to enforce vendor signals for this purpose or not. The default in Prebid.js 3.x is not to enforce vendor signals. The plan for Prebid.js 4.0 to enforce signals for Purpose 1 and no others. | true |
| gdpr.rules[].vendorExceptions | `Array of Strings` | Defines which biddercodes or module names do not fall under the enforcement of either enforcePurpose=true or enforceVendors=true. Publishers will not be able to validate that any vendor in this list is enforcing the appropriate GDPR rules. | true |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went with Steve's suggestion here.


Note:

- The vendorExceptions list is based on Prebid.js biddercodes instead of Global Vendor List (GVL) IDs, i.e. "rubicon" instead of "52". This was done to accomodate Prebid.js modules and adapters that don't have GVL IDs.

### Examples

The following examples cover a range of use cases and how Prebid.js supports
configuration of different business rules.

1) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection.

```
pbjs.setConfig({
consentManagement: {
gdpr: {
...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: true
}
}
}
});
```

2) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection. However, BidderA is a special case - the publisher has entrusted BidderA for this activity regardless of what the user says.

...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: true,
vendorExceptions: ["bidderA"]
}

3) Enforce that the user consents to DeviceAccess as an activity, but don't consider their per-vendor selection.

...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: false,
}

4) Enforce that the user consents to DeviceAccess as an activity, but don't consider their per-vendor selection for any bidders except BidderA. BidderA is entrusted to enforce the rules on their own.

...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: false,
vendorExceptions: ["bidderA"]
}

5) Turn off enforcement of Purpose 1: don't enforce either the user's DeviceAccess consent or their per-vendor selection.

...
rules: [{
purpose: "storage",
enforcePurpose: false,
enforceVendor: false
}

6) Don't enforce the user's DeviceAccess consent, but do consider their per-vendor selection.

...
rules: [{
purpose: "storage",
enforcePurpose: false,
enforceVendor: true
}

7) Don't enforce the user's DeviceAccess consent, but do consider their per-vendor selection; don't enforce vendor selection for BidderA.

...
rules: [{
purpose: "storage",
enforcePurpose: false,
enforceVendor: true,
vendorExceptions: ["bidderA"]
}

## Basic Enforcement

Prebid.js does not have access to the Global Vendor List (GVL), so it implements
a "basic" form of TCF validation using the supplied consent string.

A goal of basic enforcement is to confirm that there's enough evidence of consent to pass data on to vendors who do have access to the GVL and can fully parse and enforce.

Before allowing an activity tied to a TCF-protected Purpose for a given vendor, one of these scenarios must be true:

- Configuration rules enforce both consent and vendor signals and either:
- we have the user’s purpose consent and the user’s vendor consent, or
- we confirmed the user’s LI (Legitimate Interest) Transparency is established for this purpose and the user’s Vendor LI field didn’t reject this vendor.
- Configuration rules enforce only purpose consent and either:
- we have the user’s purpose consent, or
- we confirmed the user’s LI Transparency is established for this purpose.
- Configuration rules enforce only vendor signals and either:
- we have the user’s vendor consent, or
- we confirmed the user’s Vendor LI field didn’t reject this vendor
- Configuration rules enforce neither purpose consent nor vendor signal.

Technically these rules are defined as follows:

1. enforcePurpose[P]==true AND PurposesConsent[P]==1 AND enforceVendor[P,V]==true AND VendorConsentBitfield[V]==1
1. enforcePurpose[P]==true AND PurposesConsent[P]==1 AND enforceVendor[P,V]==false
1. enforcePurpose[P]==false AND enforceVendor[P,V]==true AND VendorConsentBitfield[V]==1
1. enforcePurpose[P]==true AND PurposesLITransparency[P]==1 AND enforceVendor[P,V]==true AND VendorLegitimateInterestBitfield[V]==1
1. enforcePurpose[P]==true AND PurposesLITransparency[P]==1 AND enforceVendor[P,V]==false
1. enforcePurpose[P]==false AND enforceVendor[P,V]==true AND VendorLegitimateInterestBitfield[V]==1
1. enforcePurpose[P]==false AND enforceVendor[P,V]==false

Where:

- P is the Purpose number
- V is the vendor ID
- 'enforcePurpose' and 'enforceVendor' are Prebid.js config rules
- 'PurposesConsent' is the consent string field of the same name
- 'VendorConsentBitfield' is the consent string 'Vendor Consent Section'
- 'PurposesLITransparency' is the consent string field of the same name
- 'VendorLegitimateInterestBitfield' is the consent string 'Vendor Legitimate Interest Section'

See the [IAB TCF Consent String Format](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md) for details.

## Build the Package

Follow the basic build instructions in the GitHub Prebid.js repo's main [README](https://github.com/prebid/Prebid.js/blob/master/README.md). Include the base consent management module and this enforcement module as additional options on the **gulp build** command:

{% highlight bash %}
gulp build --modules=consentManagement,gdprEnforcement,bidAdapter1,bidAdapter2
{% endhighlight %}

You can also use the [Prebid.js Download](/download.html) page.

## Further Reading

- [EU GDPR Consent Management Module](/dev-docs/modules/consentManagement.html)
- [IAB TCF Consent String Format](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md)
2 changes: 1 addition & 1 deletion dev-docs/modules/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ If you are looking for bidder adapter parameters, see [Bidders' Params]({{site.b
| Module | Description |
|---------------------+--------------|
| [**Currency**](/dev-docs/modules/currency.html) | Converts bid currency into ad server currency based on data in a supplied exchange rate file. |
| **ConsentManagement** | Facilitates collecting and passing consent information in support of privacy regulations: [EU GDPR](/dev-docs/modules/consentManagement.html) and [US Privacy](/dev-docs/modules/consentManagementUsp.html) (CCPA). |
| **ConsentManagement** | Collecting and passing consent information in support of privacy regulations:{::nomarkdown}<ul><li><a href="/dev-docs/modules/consentManagement.html">EU GDPR</a> with optional <a href="/dev-docs/modules/gdprEnforcement.html">GDPR Enforcement</a> module</li><li><a href="/dev-docs/modules/consentManagementUsp.html">US Privacy</a> (CCPA)</li></ul>{:/} |
| [**Google Ad Manager Express**](/dev-docs/modules/dfp_express.html) | A simplified installation mechanism for publishers that have Google Publisher Tag (GPT) ad calls in their pages. |
| [**Supply Chain Object**](/dev-docs/modules/schain.html) | Validates and makes the Supply Object available to bidders |
| [**User ID**](/dev-docs/modules/userId.html) | Sub-modules are available to support a range of identification approaches: Criteo RTUS, DigiTrust, ID5 Universal ID, IdentityLink, PubCommon ID, and Unified ID. |
Expand Down