prebid / Prebid.js

Setup and manage header bidding advertising partners without writing code or confusing line items. Prebid.js is open source and free.
https://docs.prebid.org
Apache License 2.0

Adapters that may not handle GDPR-Applies correctly #7775

Closed bretg closed 1 year ago

bretg commented 2 years ago

Description

As uncovered in #7156, there are several bid adapters that may not be properly handling the gdprApplies flag.

Background: the Consent Management Platform (CMP) is responsible for knowing whether the current user is "in-scope" for GDPR, i.e. they reside in the European Economic Area (EEA). It signals this information to Prebid along with the consent string. Bid adapters must be able to handle all of these scenarios:

1) CMP provides gdprApplies:true and a valid consent string - normal GDPR processing
2) CMP provides gdprApplies:false and a valid consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
3) CMP provides gdprApplies:true but no consent string - processing depends on vendor's Legitimate Interest claims and legal advice from the bidder's lawyers.
4) CMP provides gdprApplies:false and no consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
5) CMP provides only a valid consent string - if the CMP declines to define the GDPR scope, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.
6) CMP provides neither value - if the CMP doesn't define the scope or the consent, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.

Bid adapters that need to be reviewed

These bidders don't look for gdprApplies. Please confirm your implementation with your legal team. Prebid recommends passing the gdprApplies flag along with the consent string.

These bidders currently only consider gdprApplies if a consent string is available. Please confirm your implementation with your legal team. Prebid recommends using the gdprApplies flag if it's available, even if there's no consent string.

These modules don't send gdprApplies to their endpoints. There's a possible problem in these scenarios where gdprApplies:true and there's no consent string. If endpoints are doing IP-address lookups, then they may be ok, but if not, the adapter should be passing gdprApplies so the endpoint has all the info it needs to process correctly.

dgirardi commented 2 years ago

@samueldobbie that does not look like it handles case 3 correctly (gdprApplies: true, consentString: undefined would fall down to the last return which says gdprApplies: false).

https://github.com/prebid/Prebid.js/blob/a5b0d6416215e0d28f035a47341e718da770239b/modules/glimpseBidAdapter.js#L138-L154
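The six scenarios from the issue description and the case 3 problem raised in the comment above, as an added example (not part of the thread and not code from Prebid.js or any adapter). `bidderRequest.gdprConsent` with `gdprApplies` and `consentString` is the object Prebid hands to adapters; the function names and the `gdpr` / `gdpr_consent` output keys are assumptions.

```javascript
// Added example, not Prebid.js or adapter code. Function names and the output
// keys `gdpr` / `gdpr_consent` are assumptions for illustration.

// Pattern flagged in the thread: gdprApplies is read only when a consent
// string exists, so case 3 (applies:true, no string) goes out as "not in scope".
function gdprFieldsConsentGated(bidderRequest) {
  const c = bidderRequest && bidderRequest.gdprConsent;
  if (c && c.consentString) {
    return { gdpr: c.gdprApplies ? 1 : 0, gdpr_consent: c.consentString };
  }
  return { gdpr: 0, gdpr_consent: '' };
}

// Tri-state handling: forward what the CMP said and omit what it did not say,
// so the endpoint can tell "false" from "unknown" and apply its own policy.
function gdprFields(bidderRequest) {
  const c = (bidderRequest && bidderRequest.gdprConsent) || {};
  const out = {};
  if (typeof c.gdprApplies === 'boolean') {
    out.gdpr = c.gdprApplies ? 1 : 0;
  }
  if (typeof c.consentString === 'string' && c.consentString !== '') {
    out.gdpr_consent = c.consentString;
  }
  return out;
}

// Constructed inputs for scenarios 1-6; TC is a placeholder, not a real TC string.
const TC = 'CONSTRUCTED-CONSENT-STRING';
const SCENARIOS = [
  { gdprApplies: true, consentString: TC },   // 1
  { gdprApplies: false, consentString: TC },  // 2
  { gdprApplies: true },                      // 3
  { gdprApplies: false },                     // 4
  { consentString: TC },                      // 5
  undefined,                                  // 6: CMP supplied nothing
];

function compareScenarios() {
  return SCENARIOS.map((gdprConsent, i) => ({
    scenario: i + 1,
    gated: gdprFieldsConsentGated({ gdprConsent }),
    triState: gdprFields({ gdprConsent }),
  }));
}

console.log(JSON.stringify(compareScenarios(), null, 2));
```

In the output, the consent-gated variant reports `gdpr: 0` for scenarios 3, 5 and 6, which the endpoint cannot distinguish from a CMP that explicitly said `gdprApplies:false`.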

samueldobbie commented 2 years ago

Good catch @dgirardi, thanks! Should be fixed here.

matthieularere-msq commented 2 years ago

I guess this is related to user sync for the mediasquare bidder; if so, it should be fixed by PR #7780.

mikael-lundin commented 2 years ago

We do IP-address lookups but we can add a gdpr applies true as well. :)

On Tue, Nov 30, 2021 at 6:52 PM bretg @.***> wrote:


richaudience commented 2 years ago

Hi,

The change to use "gdprApplies" has been completed. Please check the pull request: #7788

Cheers

Kola-Kola commented 2 years ago

Hi,

We changed the support of "gdprApplies"; you can check the PR here: #7860.

Thanks.

nllerandi3lift commented 2 years ago

We fall back to the determination of applicability based on geo IP resolution if our params are not present.

jbartek25 commented 2 years ago

Improve Digital adapter: there's no plan to add support for gdprApplies param in the current adapter generation as our server does IP lookups. The next generation adapter launching in Q1 will include gdprApplies.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

patmmccann commented 1 year ago

Let's handle this with an adapter documentation warning

patmmccann commented 1 year ago

@jbartek25 your next generation adapter that includes this change has been released, correct?

jbartek25 commented 1 year ago

> @jbartek25 your next generation adapter that includes this change has been released, correct?

@patmmccann correct. It was released in Q1/2022.

patmmccann commented 1 year ago

adnuntius appears to handle here with a diff endpoint https://github.com/prebid/Prebid.js/blob/467f78f211775702ac61e2ade86ed393ada26b9a/modules/adnuntiusBidAdapter.js#L134

patmmccann commented 1 year ago

Criteo handles here https://github.com/prebid/Prebid.js/blob/48cd24551a633d1421e10a8dad4f8a957f14d87a/modules/criteoIdSystem.js#L99

patmmccann commented 1 year ago

I reviewed triplelift just now, should be very easy to relax this https://github.com/prebid/Prebid.js/blob/48cd24551a633d1421e10a8dad4f8a957f14d87a/modules/tripleliftBidAdapter.js#L90

@patrickloughrey