Prebid Server GDPR updates

[bretg]

Reviewed Prebid Server GDPR support with our legal team and we have some recommended minor changes to the PBS implementation:

1) Allow host companies to optionally consider a request GDPR in-scope if the request contains a valid consent string. (this would be off by default, but Rubicon will turn it on). 2) Do the GDPR-in-scope logic for /cookie-sync calls as well as auction and /setuid 3) Add metrics so we know the split between TCF 1.1 and 2.0

I've updated the doc with the flowcharts and moved it to Prebid.org's GDrive: https://docs.google.com/document/d/1g0zAYc_EfqyilKD8N2qQ47uz0hdahY-t8vfb-vxZL5w/edit#

Note that the flowchart for the auction behavior is quite different under TCF2.0 than it was for TCF1.1. The original flowcharts are here -- https://github.com/rubicon-project/prebid-server-java/blob/master/docs/developers/PrebidServerJava_GDPR_Requirements.pdf

The proposed new metrics are:

• privacy.tcf.{v1,v2}.{in-geo,out-geo,unknown-geo}
• privacy.tcf.invalid
• privacy.coppa.count // when COPPA flag is set
• privacy.usp.specified.count
• privacy.usp.opt-out.count
• privacy.lmt.count // when LMT flag is set

These are in addition to the recommended per-purpose metrics:

• adapter..{openrtb2-web,openrtb2-app,amp}.tcf.userid_removed
• adapter..{openrtb2-web,openrtb2-app,amp}.tcf.geo_masked
• adapter..{openrtb2-web,openrtb2-app,amp}.tcf.request_blocked
• adapter..{openrtb2-web,openrtb2-app,amp}.tcf.analytics_blocked
• cookie_sync..tcf.blocked
• usersync..tcf.blocked

[bretg]

This was discussed and approved in Prebid Server committee.

[bretg]

This is done in PBS-Java

[bretg]

There are a couple of outstanding items in PBS-Go

• Downgrading to the basic enforcement scenario when the GVL file isnt available
• P7 analytics

[bretg]

Might make sense to tackle this one in conjunction with https://github.com/prebid/prebid-server/issues/2789