prebid-server icon indicating copy to clipboard operation
prebid-server copied to clipboard

Published 20 hours ago verified publisher icon prebid

Aligning TCF and Activity Controls

Open bretg opened this issue 1 year ago • 9 comments

Prebid Server side of the PBJS issue https://github.com/prebid/Prebid.js/issues/10184

  1. Split the transmitUfpd Activity Control. We thought we could get away with combining, but that's not the case.
    1. transmitUfpd covers user.ext.data, user.data, user.id, user.buyeruid, user.yob, user.gender, user.keywords, user.kwarray ,and device.{ifa, macsha1, macmd5, dpidsha1, dpidmd5, didsha1, didmd5}
    2. transmitEids covers user.eids and user.ext.eids
    3. It's likely that not many have used this activity yet, but the release notes should highlight the change
    4. Add a configuration (privacy.gdpr.purposes.p4.eid.activity_transition) which defaults to true.
    5. If the config is true and transmitEids is not specified, but transmitUfpd is specified, then use the logic of transmitUfpd. This is to avoid breaking changes to existing configurations. In a future release, we'll change the default of the flag.
  2. Align the outcome of the TCF consent checks to the Activities as described in the updated Prebid+GDPR doc.
  3. Add an account-level flag to let the publisher define the transmitEids behavior of TCF

transmitEids config

It's proposed that there's a new account-level config

privacy.gdpr.purposes.p4.eid.require_consent: true/false  // if true, eids require P4 legal basis unless excepted below
privacy.gdpr.purposes.p4.eid.exceptions: ["pubcid.org"]   // doesn't do anything when eids-require-consent: false.
  1. If eid.require_consent is true, P4 must have consent (or not being enforced) or else user.eids and user.ext.eids will be removed. Except any source in eid-exceptions can be present if any Purpose 2-10 is consented.
  2. If eid.require_consent is false, any Purpose 2-10 must have consent or user.eids and user.ext.eids will be removed. (existing logic)
  3. The default for eid.require_consent is false.

bretg avatar Jul 05 '23 21:07 bretg

Point 1 Split the transmitUfpd Activity Control will be addressed in PR https://github.com/prebid/prebid-server/pull/2906

VeronikaSolovei9 avatar Jul 06 '23 22:07 VeronikaSolovei9

Confirmed points 1 and 2 in committee. Ran out of time, will cover the privacy.gdpr.purposes.p4.eids-require-consent config in the next meeting.

bretg avatar Sep 13 '23 21:09 bretg

Discussed in committee. There's skepticism that the P4 flag will be used without some kind of EID exception ability. Will add that to the proposal and we'll discuss again.

bretg avatar Oct 11 '23 14:10 bretg

My understanding of the desire for exceptions is to have some of the EIDs suppressed without explicit P4 consent and others to have the broader filter where they can be passed on any P2-P10.

privacy.gdpr.purposes.p4.eid.require_consent: true/false  // if true, eids require P4 legal basis unless excepted below
privacy.gdpr.purposes.p4.eid.exceptions: ["pubcid.org"]   // doesn't do anything when eids-require-consent: false.

When eids-require-consent: true, any eid.source in eid-exceptions falls back to being passed when any consent P2-P10 is found.

bretg avatar Nov 08 '23 14:11 bretg

Approved by committee pending final legal review.

bretg avatar Dec 01 '23 15:12 bretg

Received legal counsel approval

bretg avatar Dec 06 '23 15:12 bretg

In order to avoid the potential for breaking changes, the system should utilize the activity control config for transmitUfpd for transmitEids if the latter is not specified, at least until 3.0.

bretg avatar Dec 06 '23 15:12 bretg

To clarify the statement "Align the outcome of the TCF consent checks to the Activities as described in the updated Prebid+GDPR doc.":

  1. This issue is not intended to fully integrate Prebid Server's TCF enforcement into the Activities Infrastructure. That may happen in the future, but is a larger project.
  2. The goal is to make the following changes to the existing TCF/GDPR feature (highlighted in blue in the doc)
    1. At the same location as the transmitUfpd activity, do a consent check for Purpose 4. Same consent logic as used for other Purposes: full consent logic when GVL is available, configured exceptions, etc. If the P4 consent check results in "no consent", then the results are the same as if the transmitUfpd activity were disallowed. (i.e. suppress fields from the bidder)
    2. If privacy.gdpr.purposes.p4.eid.require_consent is true, then at the same location as the new transmitEids activity, also do a consent check for Purpose 4. If the P4 consent check results in "no consent", then the results are the same as if the transmitEids activity were disallowed. (i.e. suppress fields from the bidder, but allow any configured exceptions.)
    3. If privacy.gdpr.purposes.p4.eid.require_consent is false, run the consent checks for Purposes 2-10. If even one of them is consented, leave the EIDs in the request. If none of the 9 Purposes has consent, then remove the EIDs array.

bretg avatar Dec 21 '23 17:12 bretg

Released with PBS-Java 2.12. Working on docs...

bretg avatar Mar 14 '24 13:03 bretg