Technical specifications for IAB Europe Transparency and Consent Framework that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR) that comes into effect on May 25, 2018.
860
stars
360
forks
source link
Clarify if `__tcfapi` is required to be present in scenarios where gdprApplies is false #318
Some of the wording in this spec leads me to believe that it is expected for __tcfapi to always be available synchronously regardless of whether or not GDPR applies or not.
The function __tcfapi must always be a function and cannot be any other type, even if only temporarily on initialization – the API must be able to handle calls at all times.
A CMP-provided synchronous "stub" script must be added by the publisher to their page before any other scripts that rely on __tcfapi (this usually means between the
tags of the HTML document).
It seems like in practice though, the __tcfapi is left undefined on many sites using CMPs when GDPR is not applicable. The above sections of the spec makes me think it really ought to be available regardless, but I could see room for interpretation and I'm left wondering if it's something that the spec takes a position on or if it's left up to the implementation.
Just to briefly touch on why this distinction could matter: for a site that conditionally defines __tcfapi based on whether GDPR applies or not, as another third-party script integrating with CMPs, it is impossible to know without doing a GDPR check yourself whether the site is being loaded where GDPR does not apply, or if the site simply isn't running a CMP. If __tcfapi is mandated to always be defined, you would still be able to setup a listener and end up receiving an event with gdprApplies: false and can differentiate between these two cases and avoid needing to do the GDPR check as well.
Some of the wording in this spec leads me to believe that it is expected for
__tcfapito always be available synchronously regardless of whether or not GDPR applies or not.Namely,
__tcfapi
TcData
Stub script
It seems like in practice though, the
__tcfapiis left undefined on many sites using CMPs when GDPR is not applicable. The above sections of the spec makes me think it really ought to be available regardless, but I could see room for interpretation and I'm left wondering if it's something that the spec takes a position on or if it's left up to the implementation.Just to briefly touch on why this distinction could matter: for a site that conditionally defines
__tcfapibased on whether GDPR applies or not, as another third-party script integrating with CMPs, it is impossible to know without doing a GDPR check yourself whether the site is being loaded where GDPR does not apply, or if the site simply isn't running a CMP. If__tcfapiis mandated to always be defined, you would still be able to setup a listener and end up receiving an event withgdprApplies: falseand can differentiate between these two cases and avoid needing to do the GDPR check as well.