InteractiveAdvertisingBureau / GDPR-Transparency-and-Consent-Framework

Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018.

Usefulness of gdprApplies to vendors within the EU? #307

Open viblo opened 2 years ago

viblo commented 2 years ago

I'm trying to understand when to look at gdprApplies, from the point of view of a vendor inside the EU. It is my understanding that the publisher / CMP sets this value, e.g. by geolocation of the user or other methods as described here: https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md#what-does-the-gdprapplies-value-mean

However, as a vendor within the EU, the GDPR always applies to my processing regardless of where the user is located or where the publisher is located. Therefore it seems to me that neither the publisher nor the CMP can decide whether GDPR should apply or not for the vendor, meaning that as a vendor within the EU, receiving gdprApplies=false is the same as no TC String at all.

dmdabbs commented 2 years ago

See also Issue 249.

anderagakura commented 2 years ago

Comment from #249 by @MarkusWollny

I have now come across two occasions where a vendor implementation of the getTCData callback, after checking for presence of the TCF API, then calling getTCData and checking the success boolean, would go straight on to checking the vendor.consents property without checking the gdprApplies property first.

When such code is called and gdprApplies is false, the vendor property is not defined, so the implementation throws an error. This is very likely going to be missed by developers from within the EU, as they'd only see the problem when testing their implementation via VPN or with a non-EU VM. I contacted the vendor in question and alerted them to the issue - in this case, the problem is affecting a service provider who provides the industry standard for digital audience measurement in Germany.

There is just this one mention of that behaviour in a paragraph below the section "What required API commands must a CMP support?": "If GDPR does not apply to this user in this context (gdprApplies=false) then this user will have no Transparency and Consent values and a TCData object with no Transparency and Consent values for any Vendors will be passed to the callback function."

There's no explicit mention of vendor/vendor.consents missing at all anywhere in the documentation as far as I am aware. There is specifically no mention at all in the section "What does the gdprApplies value mean?". There is no mention which parts of the TCData object can be relied upon to be always set and which may be optional under specific circumstances.

The documentation should be made much clearer in that regard. In the current version, there's just too much room for error.
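The failure mode described in the quoted comment, as an added example that is not part of this issue thread, the TCF specification, or any vendor's code: a naive vendor-side getTCData callback that reads vendor.consents without looking at gdprApplies, next to a hardened version that separates "GDPR does not apply" from "applies but no consent" and "API unavailable". The `__tcfapi('getTCData', 2, callback, vendorIds)` call shape is the TCF v2 CMP API entry point named in the thread; the stub CMP below, the vendor id 42, and the exact set of fields omitted from the gdprApplies=false TCData are constructed assumptions for offline use.

```javascript
// Constructed stand-in for a CMP's window.__tcfapi so the example runs offline.
// The gdprApplies=false payload follows the spec wording quoted above (a TCData
// "with no Transparency and Consent values for any Vendors"); which fields are
// left out is an assumption, not a statement about any real CMP.
function makeFakeTcfApi(gdprApplies) {
  return function __tcfapi(command, version, callback /* , parameter */) {
    if (command !== 'getTCData' || version !== 2) {
      callback(null, false);
      return;
    }
    if (!gdprApplies) {
      // No tcString, no purpose, no vendor: only status fields survive.
      callback({ gdprApplies: false, cmpStatus: 'loaded', eventStatus: 'tcloaded' }, true);
      return;
    }
    callback({
      gdprApplies: true,
      cmpStatus: 'loaded',
      eventStatus: 'tcloaded',
      tcString: 'CONSTRUCTED-NOT-A-REAL-TC-STRING', // placeholder, not a decodable TC String
      purpose: { consents: { 1: true }, legitimateInterests: {} },
      vendor: { consents: { 42: true }, legitimateInterests: {} },
    }, true);
  };
}

const MY_VENDOR_ID = 42; // hypothetical Global Vendor List id for this example

// The pattern the quoted comment describes: success is checked, gdprApplies is not.
// With a gdprApplies=false TCData, tcData.vendor is undefined and this throws a
// TypeError, which an EU-based developer testing from an EU IP never sees.
function naiveHasConsent(tcfapi) {
  let result = false;
  tcfapi('getTCData', 2, (tcData, success) => {
    if (!success) return;
    result = tcData.vendor.consents[MY_VENDOR_ID] === true; // throws when vendor is absent
  }, [MY_VENDOR_ID]);
  return result;
}

// Hardened evaluation of one TCData object. Returns a tri-state plus the consent
// bit so the caller can treat "not applicable" differently from "refused".
function evaluateTcData(tcData, success) {
  if (!success || !tcData) {
    return { state: 'unavailable', consent: false };
  }
  if (tcData.gdprApplies === false) {
    // Spec: no Transparency and Consent values exist in this TCData. Do not
    // touch tcData.vendor or tcData.purpose here; they may be absent.
    return { state: 'not-applicable', consent: false };
  }
  if (tcData.gdprApplies !== true) {
    // Defensive: anything other than a boolean true is treated as undetermined.
    return { state: 'undetermined', consent: false };
  }
  // Even when GDPR applies, guard the nested lookups instead of trusting the shape.
  const consents = (tcData.vendor && tcData.vendor.consents) || {};
  return { state: 'applicable', consent: consents[MY_VENDOR_ID] === true };
}

// Vendor-side entry point: tolerates a missing API, a failed call, and both
// gdprApplies values. Callers decide how to act on each state.
function checkConsent(tcfapi) {
  if (typeof tcfapi !== 'function') {
    return { state: 'unavailable', consent: false };
  }
  let outcome = { state: 'unavailable', consent: false };
  tcfapi('getTCData', 2, (tcData, success) => {
    outcome = evaluateTcData(tcData, success);
  }, [MY_VENDOR_ID]);
  return outcome;
}
```

In a browser the first argument would be `window.__tcfapi`; the stub is synchronous, so the return value is populated before `checkConsent` returns, whereas a real CMP may invoke the callback asynchronously and the caller should then act inside the callback rather than on the return value. The point of the tri-state is that, as viblo notes, an EU-established vendor may want to treat 'not-applicable' as "no signal" rather than "permitted", and that decision is only possible if the code reaches it without throwing.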