prebid / Prebid.js

Setup and manage header bidding advertising partners without writing code or confusing line items. Prebid.js is open source and free.
https://docs.prebid.org
Apache License 2.0
1.28k stars 2.05k forks

GDPR: no data should be stored on the device until consent is given #4701

Closed benjaminclot closed 4 years ago

benjaminclot commented 4 years ago

Type of issue

Description

Today, when no consent is explicitly given through an IAB-compliant CMP (e.g. Quantcast) or when consent is "off", data is still being stored on the user device. We are beginning to receive complaints from official government organizations and need a quick resolution so that GDPR is enforced for each and every module.

List of modules that seem to store cookies no matter what the consent is:

Steps to reproduce

  1. Go to any website with an IAB-compliant CMP (and possibly usersync enabled)
  2. Do not scroll or give consent and wait for the CMP timeout for bids to be sent (and for usersync to trigger)
  3. Data is stored on the device (some 1st party, some 3rd party)

Expected results

No data should be stored (or read...).

Actual results

Data (mainly cookies) is stored.

Other information

May be related to issue #4572? Should usersync be disabled in the absence of consent?

jsnellbaker commented 4 years ago

Tagging a few people to help comment on this topic. @bretg @harpere @mkendall07

We could implement some temporary changes to the userId module and the userSync feature to disable the syncs to be on the safe side. May also want to look at this logic for the recent USP/CCPA as well (really to see if it applies, since the default state of consent is different than GDPR).
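An added example, not part of the original thread and not Prebid.js code: a default-deny storage gate that shows the behaviour the issue expects (no write and no read until consent is given, including after a CMP timeout) and the "safe side" default suggested above. The names `storageAllowed`, `createGatedStorage`, and the `gdprApplies` / `storageConsent` fields are hypothetical, and a `Map` stands in for the cookie jar.

```javascript
// Added illustration: every name here is hypothetical, not a Prebid.js API.

// Decide whether device storage may be touched. Default-deny: an unknown
// consent state (CMP timed out, no answer yet) is treated like a refusal.
function storageAllowed(consent) {
  if (consent === null || consent === undefined) return false; // CMP timeout
  if (consent.gdprApplies === false) return true;              // GDPR not in scope
  return consent.storageConsent === true;                      // explicit opt-in only
}

// Wrap a cookie-like store so every read and write passes the consent check.
// getConsent is called on each access, so a later opt-in or withdrawal applies.
function createGatedStorage(backingStore, getConsent) {
  const blocked = []; // audit trail of refused operations
  return {
    set(key, value) {
      if (!storageAllowed(getConsent())) { blocked.push(`set:${key}`); return false; }
      backingStore.set(key, value);
      return true;
    },
    get(key) {
      if (!storageAllowed(getConsent())) { blocked.push(`get:${key}`); return null; }
      return backingStore.has(key) ? backingStore.get(key) : null;
    },
    blocked,
  };
}

// Constructed scenario mirroring the reproduction steps in the issue.
function runScenario() {
  const jar = new Map();   // stands in for document.cookie / localStorage
  let consent = null;      // user has not interacted; CMP timed out
  const storage = createGatedStorage(jar, () => consent);
  const results = {};
  results.afterTimeout = storage.set('uid', 'abc');
  consent = { gdprApplies: true, storageConsent: false };  // consent is "off"
  results.afterRefusal = storage.set('uid', 'abc');
  results.jarSizeBeforeConsent = jar.size;
  consent = { gdprApplies: true, storageConsent: true };   // user opts in
  results.afterConsent = storage.set('uid', 'abc');
  results.readWithConsent = storage.get('uid');
  consent = { gdprApplies: true, storageConsent: false };  // consent withdrawn
  results.readAfterWithdrawal = storage.get('uid');
  results.blocked = storage.blocked.slice();
  return results;
}
```

The `blocked` list doubles as a check when auditing a page: any entry recorded before the user has answered the CMP is a storage access that would otherwise have happened without consent.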

bretg commented 4 years ago

We will discuss.

bretg commented 4 years ago

FYI - discussions are underway. Will update by Thurs.

bretg commented 4 years ago

@benjaminclot - if you're satisfied that https://github.com/prebid/Prebid.js/issues/4747 generally addresses the issue here, please close this issue and feel free to comment in the other thread. Thanks for bringing it up.