prebid / Prebid.js

Setup and manage header bidding advertising partners without writing code or confusing line items. Prebid.js is open source and free.
https://docs.prebid.org
Apache License 2.0
1.27k stars, 2.05k forks

Implement Handling for Special Purpose 3: Avoid Sending Consent String to SSPs if No Consent #12042

Closed stefangabric1yieldlove closed 3 weeks ago

stefangabric1yieldlove commented 1 month ago

Type of issue

Feature request

Description

Special Purpose 3 relates to saving and communicating user privacy choices. According to GDPR guidelines, the choices users make regarding consent must be saved and communicated to entities in the form of digital signals. This ensures that both the service and the entities respect user choices.

However, in the context of Prebid, if a user has not provided consent for Special Purpose 3, it is crucial that the consent string is not sent to SSPs. This is necessary to comply with GDPR and respect user privacy preferences.

Proposal:

I propose that Prebid should implement a check for Special Purpose 3 consent. If consent is not provided, Prebid should ensure that the consent string is not sent to any SSPs. This change will help ensure that we are in compliance with GDPR and respecting user consent preferences.

Acceptance Criteria:

patmmccann commented 1 month ago

However, in the context of Prebid, if a user has not provided consent for Special Purpose 3, it is crucial that the consent string is not sent to SSPs.

This doesn't seem likely to be true. Why might it be true? SSPs can declare LI on SP3. For example, Magnite does and Microsoft does: https://vendor-list.consensu.org/v3/vendor-list.json

patmmccann commented 1 month ago

We'd welcome your PR that prevents fetches in the case of missing consent to SP3 as an option, but I don't expect we'd turn it on by default, as we expect most SSPs will imminently declare LI on SP3. Stripping the consent string seems unreasonable; I think an SSP would prefer you suppress the request if you don't believe you have a legal basis to send a bid request with a string in it, for example if you receive an LI objection. What you'd want to do is add it here https://github.com/prebid/Prebid.js/blob/ac84d657721baff14b54f758e58dfeb557c857bc/modules/tcfControl.js#L48 as an enforceable purpose and then lower define you do not want any network traffic as you have an LI objection.

https://iabeurope.eu/wp-content/uploads/TCF_V-CMP_comms_TCFv2.2PoliciesAmendmentsIntroductionOfNewSpecialPurpose3-SaveAndCommunicatePrivacyChoices_030624_IABEurope.pdf

stefangabric1yieldlove commented 1 month ago

@patmmccann Do you maybe know whether SP3 or any SP is reflected in tcData?

patmmccann commented 1 month ago

@stefangabric1yieldlove Excellent question! We cannot find it, can you? It seems something might change by October. Currently, I cannot find any special purpose, so I'll mark this blocked until we have an example of one.

patmmccann commented 1 month ago

If we do not have consent to pass consent, one proposal (same as OP?) is: while we may strip the actual consent string, we could continue to convey gdprApplies per the TCF spec and expect parties to do the right thing? We'd have to be very strong to review https://github.com/prebid/Prebid.js/issues/7775 for stragglers or missed examples again.
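The two handling options discussed in this thread (enforcing a purpose and suppressing the request when no legal basis is present, versus stripping the TC string while still conveying gdprApplies) can be modelled with a small gating function over the tcData object a CMP returns. The code below is an added illustration, not Prebid.js code and not the tcfControl module's implementation: the rule shape, the helper names (`evaluateRule`, `buildRequestConsent`) and the tcData fragment are constructed assumptions. As the thread notes, special purposes such as SP3 do not appear in tcData, so a check like this can only cover ordinary purposes and vendor-level bases.

```javascript
// Added example, not Prebid.js code: a simplified purpose/vendor enforcement
// check over TCF v2 tcData, plus the two ways of handling a missing basis.
// All names and the sample data below are constructed for illustration.

// Constructed tcData fragment in the shape returned by __tcfapi('getTCData').
// Special purposes (e.g. SP3) are NOT present in tcData, as the thread observes.
const tcDataExample = {
  gdprApplies: true,
  tcString: 'CONSTRUCTED.TC.STRING.PLACEHOLDER', // not a real TC string
  purpose: {
    consents: { 1: true, 2: false },
    legitimateInterests: { 2: true, 7: true }
  },
  vendor: {
    consents: { 52: true },
    legitimateInterests: { 52: true, 1136: false }
  }
};

// A purpose has a legal basis if the user either consented to it or
// a legitimate-interest claim for it stands (no objection recorded).
function hasPurposeBasis(tcData, purposeId) {
  const consent = tcData?.purpose?.consents?.[purposeId] === true;
  const li = tcData?.purpose?.legitimateInterests?.[purposeId] === true;
  return consent || li;
}

// Same idea at vendor level, keyed by the vendor's GVL id.
function hasVendorBasis(tcData, gvlId) {
  const consent = tcData?.vendor?.consents?.[gvlId] === true;
  const li = tcData?.vendor?.legitimateInterests?.[gvlId] === true;
  return consent || li;
}

// Evaluate one enforcement rule. Rule shape (assumed, loosely modelled on the
// idea of an "enforceable purpose"): { purposeId, enforcePurpose, enforceVendor }.
function evaluateRule(tcData, rule, gvlId) {
  if (!tcData || tcData.gdprApplies !== true) {
    return { allow: true, reason: 'gdpr-not-applicable' };
  }
  if (rule.enforcePurpose && !hasPurposeBasis(tcData, rule.purposeId)) {
    return { allow: false, reason: 'no-purpose-basis' };
  }
  if (rule.enforceVendor && gvlId != null && !hasVendorBasis(tcData, gvlId)) {
    return { allow: false, reason: 'no-vendor-basis' };
  }
  return { allow: true, reason: 'basis-present' };
}

// Turn a decision into the consent payload attached to an outgoing request.
// mode 'suppress': no request at all when the basis is missing (returns null),
//   which is the handling the thread considers preferable.
// mode 'strip': still send gdprApplies but omit the TC string, the alternative
//   floated in the thread.
function buildRequestConsent(tcData, decision, mode = 'suppress') {
  if (decision.allow) {
    return { gdprApplies: tcData?.gdprApplies === true, consentString: tcData?.tcString ?? null };
  }
  if (mode === 'strip') {
    return { gdprApplies: true, consentString: null };
  }
  return null; // suppress: caller makes no network request
}

// Stand-alone demonstration over the constructed data.
const demoRules = [
  { purposeId: 1, enforcePurpose: true, enforceVendor: true },
  { purposeId: 2, enforcePurpose: true, enforceVendor: true },
  { purposeId: 3, enforcePurpose: true, enforceVendor: false }
];
for (const rule of demoRules) {
  const decision = evaluateRule(tcDataExample, rule, 52);
  console.log(`purpose ${rule.purposeId}:`, decision, '->',
    buildRequestConsent(tcDataExample, decision, 'suppress'));
}
```

Purpose 2 in the sample passes on legitimate interest alone even though consent is false, which is exactly why a vendor declaring LI on a purpose changes the outcome of a check like this; purpose 3, with neither basis, yields a suppressed request in 'suppress' mode or a payload with gdprApplies but no string in 'strip' mode.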

patmmccann commented 1 month ago

Of note, in October, assuming we suddenly start seeing SP3 in tcData, we might not be able to find it reliably for another year, as old strings are still valid: "The new Policies do not require CMPs to resurface the Framework UIs. After 4 October 2024, new TC Strings must be created under the policies version 5. TC Strings created before 4 October 2024 under the policies version 4 will remain valid."

patmmccann commented 1 month ago

According to this document, none of the special purposes have a right to object or consent as a legal basis; they are all LI only.

https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/#headline-524-18959

stefangabric1yieldlove commented 1 month ago

According to this document, none of the special purposes have a right to object or consent as a legal basis; they are all LI only.

@patmmccann I can't find it either in tcData. So just to confirm with you: "Special Purpose" means one of the defined purposes for processing of data, including users' personal data, by participants in the Framework that are defined in the Policies or the Specifications, for which Vendors declare a Legal Basis in the GVL and for which the user is not given a choice by a CMP. So that means that we should check the GVL and not tcData before we send a request?

patmmccann commented 1 month ago

So that means that we should check the GVL

Prebid.js is unaware of the GVL, and why would anyone be on the GVL and not want to receive consent strings? Seems insane. My assumption is every GVL member will register for SP3 over the next few months.

patmmccann commented 1 month ago

Perhaps getting the GVL is free if the CMP already has it. Does anyone know if they do and, if so, whether they could expose it? @janwinkler do you know?

If so, we could add logic around checking various vendor purpose LI claims.

janwinkler commented 1 month ago

I think the GVL is not the right way here. If you take the GVL and compare it, you would also need to check which version is used by the consent string and get that specific version of the GVL. That doesn't seem feasible in real time (high effort for low impact).

There also exists the optional command getVendorList in TCF, but most CMPs don't seem to support it (ours included).

I'm not 100% sure (confirming with the policy group): sending a consent string to a vendor that did not register for SP3 may still be valid. The vendor that receives the consent string simply may not process the consent string (which indeed doesn't make sense), but it doesn't mean that you can't send the string to them.

patmmccann commented 1 month ago

@stefangabric1yieldlove Does your CMP support this optional command?

stefangabric1yieldlove commented 1 month ago

Our CMP doesn't support this optional command.

jdwieland8282 commented 3 weeks ago

TCF is one way to comply with the GDPR regulation; there may be others. If an SSP doesn't get a TCF string, they might assume consent was gathered by some other means.

jdwieland8282 commented 3 weeks ago

The Identity PMC recommends that GVL members register for LI on SP3.

patmmccann commented 3 weeks ago

Given Jeff's and Jan's comments, the lack of anything to act on in tcData, and the GVL not being generally available from the CMP, closing.