InteractiveAdvertisingBureau / openrtb

Open RTB is a protocol for real time bidding on digital media
https://iabtechlab.com/openrtb
402 stars 185 forks source link

Add the Global Privacy Control signal to the OpenRTB extensions #98

Open AramZS opened 2 years ago

AramZS commented 2 years ago

The Global Privacy Control is a specification that allows users to--at the browser or browser extension level--specify their preference to opt out of their data collection and into the available privacy regime that might support such a request. According to the specification:

the use of the GPC signal by an individual will be intended to communicate the individual's intention to invoke the following rights, as applicable:

  • Under the CCPA, the GPC signal will be intended to communicate a Do Not Sell request from a global privacy control, as per [CCPA-REGULATIONS] §999.315 for that browser or device, or, if known, the consumer.

    Where the GPC signal conflicts with the existing privacy settings a consumer has with the business, the business shall respect the GPC signal but may notify the consumer of the conflict and give the consumer an opportunity to confirm the business-specific privacy setting or participation in the financial incentive program [CCPA-REGULATIONS] §999.315(c)(2).

While still experimental, GPC could potentially be used to indicate rights in other jurisdictions as well.

Currently the California AG has stated that the GPC signal is a legitimate way to state a Do Not Sell directive under CCPA and as such the primary use for most publishers will be to read the GPC signal and use it to set the preexisting USPAPI signal. However, not all publishers may decide to do this, some may not know to, and some may have legal interpretations that state otherwise.

Additionally, downstream consumers of the OpenRTB signal may decide through their own legal analysis that GPC applies more broadly than just to California residents. At this time, there is no way to enable anyone outside of the publisher who is involved in the bidstream to make such a decision, since the GPC signal--while present on the network request as a header--may not be present on the signals passed through servers and other systems in the form of the OpenRTB objects.

By adding GPC to the OpenRTB spec in the form of an extension, it will enable other bidding system participants to make their own decision as to if they wish to apply a stricter standard of privacy.

patmmccann commented 2 years ago

@AramZS this just got merged at Prebid