Writes in local storage before CMP validation - prebid.cookieTest - criteoID #6289
Comments
Hi @haroldpussat thank you for reporting that, Criteo team will have a look!
After some investigation, we concluded that this works as expected. Please notice this is not exclusive to Criteo UserId module. This behaviour was applied on this commit: The explanation is documented here: https://github.com/prebid/Prebid.js/blob/master/src/storageManager.js#L292
@bretg I think this should be documented in multiple places on prebid docs, potentially gdpr module and userid module pages. Anywhere else?
Thanks for the feedback @allanjun. But our DPO maintains that in the scope of advertising, even if Prebid is not a vendor, consent is mandatory before writing to local storage.
@Fawke fyi, can we put this behavior behind consent or config?
@patmmccann @haroldpussat This behaviour sits behind consent, but you need to make sure
Prebid does have a GVLID now -- 887. If we're setting cookies for our own purposes (e.g. test), it needs to be done with the user's approval for this vendor ID.
Hi @bretg, this would require us to change a few things. We currently have two ways of accessing storage in Prebid.js. One is access required by core modules (doesn't require user consent) and the other by third-party modules (sits behind consent). For now, I see a few core modules bypassing GDPR checks, namely: categoryTranslation.js, userId, userSync and a file in bidderFactory.js is using storage without consent. If we were to enforce checks on core, is there an interface where a publisher can grant/deny access to Prebid.js? Do we wanna create a config option in setConfig or is there another simple solution? I don't know at the moment how the inner workings of Prebid.js will get impacted with no storage access, so I'll have to dig into this a bit more. And do we wanna warn publishers of the impact of disabling storage access to Prebid.js core?
The publisher runs prebid software, often custom modified and proprietary,
and sets this cookie in its own domain. I am not following the logic on the
publisher needing to gather consent on the prebid gvl id.
…On Mon, Feb 22, 2021, 7:22 AM Neelanjan Sen ***@***.***> wrote:
Hi @bretg <https://github.com/bretg>,
This would require us to change a few things. We currently have two ways
of accessing storage in Prebid.js. One is access required by core modules
(doesn't require user consent) and other by third party modules (sits
behind consent).
For now, I see few core modules bypassing GDPR checks namely:
categoryTranslation.js, userId, userSync and a file in bidderFactory.js
is using storage without consent.
If we were to enforce checks on core, is there an interface where a
publisher can grant/deny access to Prebid.js? Do we wanna create a config
option in setConfig or is there another simple solution.
I don't know at the moment how inner workings of Prebid.js will get
impacted with no storage access, so I'll have to dig into this a bit more.
And do we wanna warn publisher the impact of disabling storage access to
Prebid.js core?
The software that sets the cookie is not the party that sets the cookie;
publishers don't need to get consent for nginx, apache, or Javascript. The
only time this isn't true for prebid should be sharedid.org cookies, right?
We think this is resolved by #6323 pending some documentation -- please let us know if we need to reopen
Type of issue
BUG
Description
Prebid.js with the criteoId module writes an entry called 'prebid.cookieTest' with value '1' to local storage before CMP validation, and so before consent to write cookies / local storage is available.
Steps to reproduce
Build a prebid.js with the criteoID sub module (tested with prebid.js 4.15)
Set up the criteo module in userSync.userIds.name: "criteo" for pbjs.settings
Navigate to the test page below in private navigation.
If I build a prebid.js version without criteoId sub module, it seems the local storage is not written before CMP validation.
Test page
private navigation with Chrome, before validating the CMP: https://lp.additi.fr/interne/hpu/criteoID-module/index_20200909.html
Expected results
Before CMP validation, no write to local storage or cookies is allowed (legal basis)
Actual results
prebid.cookieTest is recorded in local storage (see enclosed screenshot)
Platform details
Tested on Prebid.js 4.15 and 4.24 with criteoID sub module built in.
Other information
seems linked to #5616
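
A way to check for the behaviour reported above, as an added example that is not part of the original issue and is not Prebid.js code: it patches a storage object's setItem and records every write made before consent is resolved, with a stack trace to attribute the write. MemoryStorage, auditStorage, simulatePageLoad and the 'example_id' key are hypothetical names; only 'prebid.cookieTest' and its value '1' come from the report.

```javascript
// Added example, not Prebid.js code. MemoryStorage stands in for
// window.localStorage so the audit runs offline in Node.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(String(key), String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// Patch setItem on `target` and log each call together with the consent
// state at call time. In a browser, pass Storage.prototype as the target:
// assigning to localStorage.setItem directly would create a stored item.
function auditStorage(target, isConsentResolved) {
  const log = [];
  const original = target.setItem;
  target.setItem = function (key, value) {
    log.push({
      key: String(key),
      value: String(value),
      beforeConsent: !isConsentResolved(),
      stack: new Error().stack, // shows which script performed the write
    });
    return original.call(this, key, value);
  };
  return {
    log,
    // Writes that reached storage while the CMP was still unanswered.
    violations: () => log.filter((entry) => entry.beforeConsent),
  };
}

// Constructed page-load sequence: a storage probe runs first, the user then
// validates the CMP, and a module stores an identifier afterwards.
function simulatePageLoad() {
  const storage = new MemoryStorage();
  let consentResolved = false;
  const audit = auditStorage(storage, () => consentResolved);

  storage.setItem('prebid.cookieTest', '1'); // key and value from the report
  consentResolved = true;                    // CMP validated by the user
  storage.setItem('example_id', 'abc123');   // hypothetical post-consent write

  return { audit, storage };
}

console.log(simulatePageLoad().audit.violations().map((v) => v.key));
```

In a real test page the consent callback would be driven by the CMP's own consent-ready signal rather than a local flag.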