InteractiveAdvertisingBureau / GDPR-Transparency-and-Consent-Framework

Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018.

Clarify implications of gdprApplies=false #249

Closed MarkusWollny closed 2 years ago

MarkusWollny commented 4 years ago

I have now come across two occasions where a vendor implementation of the getTCData callback, after checking for the presence of the TCF API, then calling getTCData and checking the success boolean, would go straight on to checking the vendor.consents property without checking the gdprApplies property first.

When such code is called and gdprApplies is false, the vendors property is not defined, so the implementation throws an error. This is very likely going to be missed by developers from within the EU, as they'd only see the problem when testing their implementation via VPN or with a non-EU-VM. I contacted the vendor in question and alerted them to the issue - in this case, the problem is affecting a service provider who provides the industry standard for digital audience measurement in Germany.

There is just this one mention of that behaviour in a paragraph below the section "What required API commands must a CMP support?": "If GDPR does not apply to this user in this context (gdprApplies=false) then this user will have no Transparency and Consent values and a TCData object with no Transparency and Consent values for any Vendors will be passed to the callback function."

There's no explicit mention of vendor/vendor.consents missing at all anywhere in the documentation as far as I am aware. There is specifically no mention at all in the section "What does the gdprApplies value mean?". There is no mention of which parts of the TCData object can be relied upon to be always set and which may be optional under specific circumstances.

The documentation should be made much clearer in that regard. In the current version, there's just too much room for error.
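A defensive version of the callback handling described in this issue, shown next to the failing pattern, as an added example that is not part of the original comment and is not code from the TCF specification. The vendor id 9999, the function names, the decision labels and the sample TCData objects are assumptions made for illustration.

```javascript
// Added example. VENDOR_ID, the function names and the decision labels are
// constructed for illustration; 9999 is a placeholder, not a registered vendor.
const VENDOR_ID = 9999;

// The pattern reported in the issue: success is checked, gdprApplies is not.
function naiveCheck(tcData, success, vendorId) {
  if (!success) return false;
  return tcData.vendor.consents[vendorId] === true; // TypeError if vendor is undefined
}

// Never throws; reports why no consent value could be read.
function evaluateTCData(tcData, success, vendorId) {
  if (!success || tcData === null || typeof tcData !== 'object') {
    return { decision: 'unknown', reason: 'getTCData did not succeed' };
  }
  if (tcData.gdprApplies === false) {
    // No consent values are expected here; what the caller does next is its own policy.
    return { decision: 'not-applicable', reason: 'gdprApplies=false' };
  }
  const consents = tcData.vendor && tcData.vendor.consents;
  if (consents === null || typeof consents !== 'object') {
    return { decision: 'unknown', reason: 'vendor.consents missing' };
  }
  return consents[vendorId] === true
    ? { decision: 'consented', reason: 'vendor consent is true' }
    : { decision: 'denied', reason: 'vendor consent absent or false' };
}

// Wiring against a window-like object; falls back cleanly when no CMP is loaded.
function queryCmp(win, vendorId, onDecision) {
  if (!win || typeof win.__tcfapi !== 'function') {
    onDecision({ decision: 'unknown', reason: 'no TCF API present' });
    return;
  }
  win.__tcfapi('getTCData', 2, (tcData, success) => {
    onDecision(evaluateTCData(tcData, success, vendorId));
  }, [vendorId]);
}

// Constructed TCData samples for the two cases discussed above.
const SAMPLE_EU = { gdprApplies: true, vendor: { consents: { 9999: true } } };
const SAMPLE_NON_EU = { gdprApplies: false };
```

Running both samples through the evaluator in a unit test reproduces the non-EU case without a VPN or a non-EU VM.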

anderagakura commented 2 years ago

This issue continues here: #307