adding PBS privacy FAQ entry #1931
Conversation
|
|
||
| More details are available [here](https://docs.google.com/document/d/1fBRaodKifv1pYsWY3ia-9K96VHUjd8kKvxZlOsozm8E/edit#). | ||
|
|
||
| ### COPPA |
There was a problem hiding this comment.
COPPA and CCPA are laws, we should refer to them as such. The word rule doesn't carry the same weight and gives the impression that these are optional or don't come with penalties.
faq/prebid-server-faq.md
Outdated
| 1. Because the syncs haven't completed yet, the auction call to Prebid Server doesn't yet contain the uids cookie. | ||
| 1. The first auction happens without IDs | ||
| 1. At some point later, the pixels come back to Prebid Server through a /setuid redirect, setting (or updating) the `uids` cookie. | ||
| 1. The second page view will have the IDs available. | ||
|
|
||
| There's a nuance here: the company that's hosting Prebid Server can configure it to read and utilize their exchange's |
There was a problem hiding this comment.
This should be a note:
Note: The company that's hosting Prebid Server can configure it to read and utilize their exchange's native cookie. i.e. if you're using Rubicon Project's Prebid Server, it can read their 'khaos' cookie, and if you're using AppNexus' Prebid Server, it can read their 'uuid2' cookie. If the host company is an exchange and the user has the exchange cookie, the host company will have an ID one page-view sooner than the other bidders. This gives a slight edge to the hosting company in some scenarios, but it's technically unavoidable and better for both buyers and sellers to have one ID available rather than zero.
faq/prebid-server-faq.md
Outdated
| @@ -77,18 +77,94 @@ creates or updates the `uids` cookie. | |||
|
|
|||
| The most common source of requests for Prebid Server is from Prebid.js: | |||
|
|
|||
There was a problem hiding this comment.
Step 1 should be removed as it's not actually a step. I could be wrong but it sounds like a scenario description. I made a few tweaks to the rest of the content:
The most common source of requests for Prebid Server is from Prebid.js in a scenario where the user doesn't have any cookies for the Prebid Server domain.
1. The user loads a page with Prebid.js that's going to call Prebid Server -- i.e. the pub has set up s2sConfig.
2. Immediately after confirming that s2sConfig is setup, Prebid.js calls Prebid Server's /cookie-sync endpoint to initiate syncing
3. Prebid Server determines there are no uids cookie and responds to the browser with a list of pixel syncs for bidders that need to be synced.
4. Prebid.js places all of the pixels on the page and initiates the auction.
5. Because the syncs haven't completed, the auction call to Prebid Server will not contain the uids cookie.
6. The first auction occurs without IDs
7. At some point later, the pixels come back to Prebid Server through a /setuid redirect, setting (or updating) the uids cookie.
8. The second page view will have the IDs available.
On #3 - Prebid Server determines there are no uids cookie - is uids an acronym or var name or is it uid cookies? If uids is correct then it should read:
Prebid Server determines there is no uids cookie
or
Prebid Server determines there are no uids cookies
faq/prebid-server-faq.md
Outdated
| If `regs.ext.us_privacy` is parsed to find that the user has opted-out of a "sale", | ||
| the following anonymization steps are taken: | ||
|
|
||
| - Mask take off the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses |
There was a problem hiding this comment.
Is this a typo?
Mask take off the last byte...
faq/prebid-server-faq.md
Outdated
|
|
||
| ### CCPA / US-Privacy | ||
|
|
||
| The [California Consumer Privacy Act](https://oag.ca.gov/privacy/ccpa) is another rule in the US. The IAB has generalized |
There was a problem hiding this comment.
We should just say:
The California Consumer Privacy Act is a law in the US.
though I think we should provide a minimal idea of what the law covers:
The California Consumer Privacy Act is a law in the US. which covers consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
| ### CCPA / US-Privacy | ||
|
|
||
| The [California Consumer Privacy Act](https://oag.ca.gov/privacy/ccpa) is another rule in the US. The IAB has generalized | ||
| this state-specific rule into a [US Privacy](https://iabtechlab.com/standards/ccpa/) compliance framework. |
There was a problem hiding this comment.
Again, should be law, not rule.
faq/prebid-server-faq.md
Outdated
|
|
||
| ### COPPA | ||
|
|
||
| The [Children's Online Privacy Protection Act (COPPA)](https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule) is a rule in the US. |
There was a problem hiding this comment.
We should provide minimal detail on what this law covers:
The Children's Online Privacy Protection Act (COPPA) is a law in the US which imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
|
Glad I asked for review. :-). All comments incorporated @MartianTribe |
| If `regs.coppa` is set to '1' on the OpenRTB request, the following anonymization actions take place before going to the adapters: | ||
|
|
||
| - Removes all ID fields: device.ifa, device.macsha1, device.macmd5, device.dpidsha1, device.dpidmd5, device.didsha1, device.didmd5 | ||
| - Truncate ip field - remove lowest 8 bits. |
There was a problem hiding this comment.
We describe the policy in bits here and in bytes in the other sections. Consider using bytes here as well for consistency.
| If `regs.ext.us_privacy` is parsed to find that the user has opted-out of a "sale", | ||
| the following anonymization steps are taken: | ||
|
|
||
| - Mask the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses |
There was a problem hiding this comment.
For PBS-Go, the user.id and request.device.ifa is not removed for CCPA. We only remove those for COPPA. We additionally remove request.device.didmd5, request.device.dpidsha1, request.device.dpidmd5, and request.device.dpidsha1, and also round user.geo in addition to device.geo.
Seems like we need to sync up between Go and Java variants.
| The [Children's Online Privacy Protection Act (COPPA)](https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/childrens-online-privacy-protection-rule) is a law in the US which imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. | ||
| If `regs.coppa` is set to '1' on the OpenRTB request, the following anonymization actions take place before going to the adapters: | ||
|
|
||
| - Removes all ID fields: device.ifa, device.macsha1, device.macmd5, device.dpidsha1, device.dpidmd5, device.didsha1, device.didmd5 |
There was a problem hiding this comment.
Confirmed PBS-Go behaves this way. We remove both user and device geo.
| to *all* of the vendor's 'purposes' as declared in the Global Vendor List, it 'anonymizes' | ||
| the request to the adapters: | ||
|
|
||
| - Mask take off the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses |
There was a problem hiding this comment.
We use the same logic for TCF 1.1 and CCPA. Same comments here as for that section:
For PBS-Go, the user.id and request.device.ifa is not removed for GDPR. We only remove those for COPPA. We additionally remove request.device.didmd5, request.device.dpidsha1, request.device.dpidmd5, and request.device.dpidsha1, and also round user.geo in addition to device.geo.
|
|
||
| ### Mobile 'Limit Ad Tracking' flag | ||
|
|
||
| If PBS receives 'device.lmt' flag in the OpenRTB request, it does the following anonymization: |
There was a problem hiding this comment.
Doesn't look like PBS-Go supports this. Added as a high priority item in our backlog.
No description provided.