Adapters that may not handle GDPR-Applies correctly

[bretg]

Description

As uncovered in #7156 , there are are several bid adapters that may not be properly handling the gdprApplies flag.

Background: the Consent Management Platform (CMP) is responsible for knowing whether the current user is "in-scope" for GDPR, i.e. they reside in the European Economic Area (EEA). It signals this information to Prebid along with the consent string. Bid adapters must be able to handle all of these scenarios:

1. CMP provides gdprApplies:true and a valid consent string - normal GDPR processing
2. CMP provides gdprApplies:false and a valid consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
3. CMP provides gdprApplies:true but no consent string - processing depends on vendor's Legitimate Interest claims and legal advice from the bidder's lawyers.
4. CMP provides gdprApplies:false and no consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
5. CMP provides only a valid consent string - if the CMP declines to define the GDPR scope, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.
6. CMP provides neither value - if the CMP doesn't define the scope or the consent, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.

Bid adapters that need to be reviewed

These bidders don't look for gdprApplies. Please confirm your implementation with your legal team. Prebid recommends passing the gdprApplies flag along with the consent string.

• [x] addefend - @addefend
• [ ] apstream - @frstua
• [x] glimpse - @samueldobbie , @tim-hm
• [ ] improveDigital - @jbartek25 , @agregorio-improve "there's no plan to add support for gdprApplies param in the current adapter generation as our server does IP lookups. The next generation adapter launching in Q1 will include gdprApplies"

These bidders currently only consider gdprApplies if a consent string is available. Please confirm your implementation with your legal team. Prebid recommends using the gdprApplies flag even if it's available even if there's no consent string.

• [ ] cleanmedianet - @sa1omon
• [ ] engageya - @mikomgk
• [ ] gamoshi - @sa1omon
• [ ] stroeer - @PavlaKanova , @lukashavrlant
• [x] bliink - @Kola-Kola
• [ ] logan - @WlsLogan
• [ ] mathildeads - @mathilde-ads
• [x] mediasquare - @matthieularere-msq
• [x] onetag - @onetag-dev
• [x] richaudience - @richaudience
• [x] rubicon - @robertrmartinez
• [ ] smilewanted - @MaxSmileWanted
• [x] triplelift - @nllerandi - "We fallback to the determination of applicability based on geo IP resolution if our params are not present."
• [ ] videoreach - @VideoReach

These modules don't send gdprApplies to their endpoints. There's a possible problem in these scenarios where gdprApplies:true and there's no consent string. If endpoints are doing IP-address lookups, then they may be ok, but if not, the adapter should be passing gdprApplies so the endpoint has all the info it needs to process correctly.

• [ ] adnuntius - @mikael-lundin
• [ ] beop - @bloodyowl , @sebrobert
• [ ] criteoIdSystem - @allanjun

[dgirardi]

@samueldobbie that does not look like it handles case 3 correctly (gdprApplies: true, consentString: undefined would fall down to the last return which says gdprApplies: false).

https://github.com/prebid/Prebid.js/blob/a5b0d6416215e0d28f035a47341e718da770239b/modules/glimpseBidAdapter.js#L138-L154

[samueldobbie]

Good catch @dgirardi, thanks! Should be fixed here.

[matthieularere-msq]

I guess this is related with user sync for mediasquare bidder, if that's so it should be fixed by PR #7780

[mikael-lundin]

We do IP-address lookups but we can add a gdpr applies true as well. :)

On Tue, Nov 30, 2021 at 6:52 PM bretg @.***> wrote:

Description

As uncovered in #7156 https://github.com/prebid/Prebid.js/issues/7156 , there are are several bid adapters that may not be properly handling the gdprApplies flag.

Background: the Consent Management Platform (CMP) is responsible for knowing whether the current user is "in-scope" for GDPR, i.e. they reside in the European Economic Area (EEA). It signals this information to Prebid along with the consent string. Bid adapters must be able to handle all of these scenarios:

1. CMP provides gdprApplies:true and a valid consent string - normal GDPR processing
2. CMP provides gdprApplies:false and a valid consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
3. CMP provides gdprApplies:true but no consent string - processing depends on vendor's Legitimate Interest claims and legal advice from the bidder's lawyers.
4. CMP provides gdprApplies:false and no consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
5. CMP provides only a valid consent string - if the CMP declines to define the GDPR scope, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.
6. CMP provides neither value - if the CMP doesn't define the scope or the consent, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.

Bid adapters that need to be reviewed

These bidders don't look for gdprApplies. Please confirm your implementation with your legal team. Prebid recommends passing the gdprApplies flag along with the consent string.

• addefend - @addefend https://github.com/addefend
• apstream - @frstua https://github.com/frstua
• glimpse - @samueldobbie https://github.com/samueldobbie , @tim-hm https://github.com/tim-hm
• improveDigital - @jbartek25 https://github.com/jbartek25 , @agregorio-improve https://github.com/agregorio-improve

These bidders currently only consider gdprApplies if a consent string is available. Please confirm your implementation with your legal team. Prebid recommends using the gdprApplies flag even if it's available even if there's no consent string.

• cleanmedianet - @sa1omon https://github.com/sa1omon
• engageya - @mikomgk https://github.com/mikomgk
• gamoshi - @sa1omon https://github.com/sa1omon
• stroeer - @PavlaKanova https://github.com/PavlaKanova , @lukashavrlant https://github.com/lukashavrlant
• bliink - @Kola-Kola https://github.com/Kola-Kola
• districtmDMX - @steve-a-districtm https://github.com/steve-a-districtm , @MenelikTucker-districtm https://github.com/MenelikTucker-districtm
• logan - @WlsLogan https://github.com/WlsLogan
• mathildeads - @mathilde-ads https://github.com/mathilde-ads
• mediasquare - @matthieularere-msq https://github.com/matthieularere-msq
• onetag - @onetag-dev https://github.com/onetag-dev
• richaudience - @richaudience https://github.com/richaudience
• rubicon - @robertrmartinez https://github.com/robertrmartinez
• smilewanted - @MaxSmileWanted https://github.com/MaxSmileWanted
• triplelift - @nllerandi https://github.com/nllerandi
• trustx - @PWyrembak https://github.com/PWyrembak
• videoreach - @VideoReach https://github.com/VideoReach

These modules don't send gdprApplies to their endpoints. There's a possible problem in these scenarios where gdprApplies:true and there's no consent string. If endpoints are doing IP-address lookups, then they may be ok, but if not, the adapter should be passing gdprApplies so the endpoint has all the info it needs to process correctly.

• adnuntius - @mikael-lundin https://github.com/mikael-lundin
• beop - @bloodyowl https://github.com/bloodyowl , @sebrobert https://github.com/sebrobert
• criteoIdSystem - @allanjun https://github.com/allanjun

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/prebid/Prebid.js/issues/7775, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAH64BLITODJP275TJOH2GTUOUFPNANCNFSM5JCFYVJA .

[richaudience]

Hi,

The change to use "gdprApplies" has been completed. Please check the pull request: #7788

Cheers

[kola-kola]

Hi,

We change the support of "gdprApplies", please you can check the PR here : #7860 .

Thanks.

[nllerandi3lift]

We fallback to the determination of applicability based on geo IP resolution if our params are not present.

[jbartek25]

Improve Digital adapter: there's no plan to add support for gdprApplies param in the current adapter generation as our server does IP lookups. The next generation adapter launching in Q1 will include gdprApplies.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[patmmccann]

Let's handle this with an adapter documentation warning

[patmmccann]

@jbartek25 your next generation adapter that includes this change has been released, correct?

[jbartek25]

@jbartek25 your next generation adapter that includes this change has been released, correct? @patmmccann correct. it was released in Q1/2022

[patmmccann]

adnuntias appears to handle here with a diff endpoint https://github.com/prebid/Prebid.js/blob/467f78f211775702ac61e2ade86ed393ada26b9a/modules/adnuntiusBidAdapter.js#L134

[patmmccann]

Criteo handles here https://github.com/prebid/Prebid.js/blob/48cd24551a633d1421e10a8dad4f8a957f14d87a/modules/criteoIdSystem.js#L99

[patmmccann]

I reviewed triplelift just now, should be very easy to relax this https://github.com/prebid/Prebid.js/blob/48cd24551a633d1421e10a8dad4f8a957f14d87a/modules/tripleliftBidAdapter.js#L90

@patrickloughrey