-
Notifications
You must be signed in to change notification settings - Fork 760
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GDPR and Prebid.js #501
Comments
Thanks for posting this Dave. Talking with folks here, another thing to add: In order to set a cookie on a user's device, the PBS host needs to verify that its vendor ID has consent for Purpose 1: Information storage and access. i.e. Rubicon (vendor 52) will need consent for Purpose 1 in order for our PBS cluster to set the uids cookie. This implies that each PBS cluster will need to know its vendor ID, so another config entry. |
… PubMatic adaptor (prebid#501)
Disclaimer: I'm a software engineer, not a lawyer. This is not intended as legal advice, and concerned parties should check with their legal counsel.
Summary
I don't believe that Prebid Server is GDPR-ready for host companies. I believe we can make it compliant before the May 25 deadline.
Publishers will need to update Prebid.js versions once some issues in those projects are fixed (see below)
Concerns
Prebid Server uses a Cookie to store the user's ID for each Bidder. A summary of GDPR and Cookies can be found here.
Prebid Server has two endpoints involved in cookie syncing:
/cookie_sync
and/setuid
. Docs about these can be found at:Specifically, the
/setuid
endpoint writes to the Cookie of the Prebid Server host company, which I believe is a GDPR liability for them.How does Prebid.js use these?
Prebid.js
calls the/cookie_sync
URL during the call tosetConfig
, unless thesyncEndpoint
is undefined in that payload.These syncs occur in the source code here.
Compliance
The IAB includes a spec for passing consent strings through HTTP Services. Given the May 25 deadline, we plan to support a subset of their guidelines for now.
Specifically, we plan to add optional
gdpr
andgdpr_consent
query params to/cookie_sync
and/setuid
. If given, these endpoints will be no-ops unless the Prebid Server Host company has the user's consent to save cookies. If not present, the host company will be able to configure PBS so that the code allows all syncs, or prevents all syncs.For May 25, Prebid Server will also avoid syncs with Bidders who don't have consent for ad personalization. In the future Bidders may be allowed to override this behavior if their usersync endpoints are GDPR-aware.
In the future, we will add support for GeoIP lookup services to PBS. However, we do not expect this to be done by May 25. Any help designing or building GeoIP support more quickly are welcome.
For code changes, the plan is to:
Usersyncer
so that Bidders can identify themselves as one of the global vendors (GDPR-aware Usersyncers #502)gdpr
params aren't present (Added GDPR to the app config #505)gdprApplies
andvendorConsents
string during cookie syncs with Prebid Server. (GDPR - add consent information to PBS cookie_sync request Prebid.js#2530)What does this mean for me?
Prebid.js Publishers
Make sure you're using Prebid.js 1.11 or later (see prebid/Prebid.js#2516), and include the GDPR module in your build.
Check with the company hosting your Prebid Server instance to see how they're setting the GDPR config options from #503 in production.
If you don't like their policy, or this ticket doesn't get closed before May 25, you can take a "safe" approach by changing your
s2sConfig.syncEndpoint
to be undefined. This will prevent cookie syncs altogether.Prebid Server Host Companies
Register as a GDPR vendor and update your app config per when releasing #505. Make sure you're running the newest tag of PBS in production come May 25.
Bidders
If you're already on the global vendor list, check #502 and make sure that the ID added to your
Usersyncer
is in fact the right one.If not, register as one and then submit a PR updating your
Usersyncer
in the project. If you fail to do this, your cookie sync rate will go down as PBS host companies deploy GDPR-aware code.If your Sync endpoint accepts GDPR consent info, you may also want to submit a PR to forward them. The consent params are passed to the Usersyncers in #517.
Out of scope
These are out of scope for now, because they're simply too big to finish by May 25. They'll likely be scheduled for the future though. If you're interested in contributing, please speak up!
If the
gdpr
query flag is undefined, we should do a GeoIP lookup to find out if the request is coming from the EU. Since there are many GeoIP services out there, this will probably be another module like the Metrics or Stored Request backends.Some publishers intend to claim a Legitimate Interest with adtech vendors in their pubvendors.json file. This will not be supported for this ticket.
The text was updated successfully, but these errors were encountered: