search

InteractiveAdvertisingBureau / iabtcf-es

Official compliant tool suite for implementing the Transparency and Consent Framework (TCF) v2.0. The essential toolkit for CMPs.
Apache License 2.0
128 stars 94 forks source link

Vendors without any purposes #456

Open jedlikk opened 1 month ago

jedlikk commented 1 month ago

Version 1.5.13

Module (core, cmpapi, cli, stub, or testing) Core

Describe with reproduction steps – What is the expected behavior? Hello, wanted to ask about expected behaviour and potentially report a bug. We have for example this vendor (ID: 279), that doesn't have any purposes, but do have special purposes and legitimate interest. LegInt works normally, but when trying to save normal consent for this vendor, it's not being included in TcString. I use function tcModel.vendorConsents.set(), pass this array as value: [279], and get this tcstring: CQCQqgAQCQqgAF-feBENAXEgAAAAAAAAAB5YAAAAAAAA.YAAAAAAAAAAA, by using this function TCString.encode(tcModel);

image

I saw some people reporting that it's expected behaviour and vendors without purposes should be ignored, but here https://www.uniconsent.com/ and here https://iabtcf.com/#/encode they are being saved into TCstring. So i'm super confused.

So my question is: How should we treat and handle vendors without purposes, but only with special purposes? Should we have toggle for users to opt-in/out? But if so, how could we implement it into TCstring if it's being ignored during encoding?

sevriugin commented 1 month ago

The IAB vendor 279 does not have any consent legal basis purposes, so it is not possible to enable or disable this vendor with consent legal basis. It has legitimate interest purposes and in this case the Vendor Legitimate Interest status will work for this vendor, and the vendor will appears in this vector in tcModel. The special purposes is LIs but "No right-to-object to processing under legitimate interests via the Framework." based on IAB TCF Policy and there is not any way to collect / save user choice for special purposes

jedlikk commented 1 month ago

The IAB vendor 279 does not have any consent legal basis purposes, so it is not possible to enable or disable this vendor with consent legal basis. It has legitimate interest purposes and in this case the Vendor Legitimate Interest status will work for this vendor, and the vendor will appears in this vector in tcModel. The special purposes is LIs but "No right-to-object to processing under legitimate interests via the Framework." based on IAB TCF Policy and there is not any way to collect / save user choice for special purposes

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_tdr-3dzyz5Vnv3a9-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

sevriugin commented 1 month ago

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_tdr-3dzyz5Vnv3a9-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA The format of the string is not correct, so it's difficult to say what is inside

Screenshot 2024-07-25 at 10 28 51
jedlikk commented 1 month ago

Thank you for your answer, so another question. How does encoder and this cmp (https://www.uniconsent.com/) managed to save it as both Legitimate Interest and normal consent? CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_tdr-3dzyz5Vnv3a9-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA The format of the string is not correct, so it's difficult to say what is inside

Screenshot 2024-07-25 at 10 28 51

Sorry, mistake in pasting:

CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-_IwP2ar-N_-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

sevriugin commented 1 month ago

Sorry, mistake in pasting:

I think they use tcModel.vendorConsents.set(279); that did not check any constraints and as result the generated sting is not correct from regulation (policy) point of view.

jedlikk commented 1 month ago

Sorry, mistake in pasting:

I think they use tcModel.vendorConsents.set(279); that did not check any constraints and as result the generated sting is not correct from regulation (policy) point of view.

I tried it that way and still can't see, image

but good to know that's not my mistake and that's just the way it's supposed to be. Thanks for your answers.

HeinzBaumann commented 2 weeks ago

We reviewed this in the TCF compliance team. It is possible for vendors do not declare any purposes but only special purposes. The behavior of the library is correct. The CMP that you list, if it allows to set purposes for vendors that are not exposing purposes, is not compliant with the TCF policy. This would need to be fixed by the CMP.