Open bretg opened 1 year ago
Discussed in committee. The naming convention of the `privacyreg` syntax was debated along with what will happen for TCF-EU.
`gpp` prefix with the idea that there is some common GPP functionality such as parsing the string and a "normalization" step.
So what are some ways we can handle tcf-eu with respect to this new functionality?
1) Leave the existing functionality as completely standalone. Publisher activity controls don't work for GDPR/TCF -- exceptions can only be made through existing `vendorExceptions` in GDPR config. This system already supports pulling the TCF-EU string out of the GPP string.
2) Integrate the existing GDPR/TCF functionality into this privacy regulation system. Possible approaches:
2a) Integrate as part of the "privacyreg" system, but outside of the GPP infrastructure and just name it "tcf2" or perhaps "iab-tcf2". This gives publishers consistent control over exceptions. GDPR configuration can be exactly the same as currently documented.
2b) Migrate to live within the new GPP infrastructure as "gpp-tcf-eu". It can still look within the ORTB body and prioritize the user.consent over regs.gpp. Look for GDPR configuration in both the current location and in the new GPP location.
2c) Effectively support two TCF-EU modules: a migrated "gpp-tcf-eu" as well as the original "tcf2". The publisher can name these separately in the activityConfig. (This approach seems to have no advantages and could invite confusion)
Discussed additional requirements:
`privacyreg` behavior should be to run all known privacy modules
Discussed GDPR positioning:
Other items discussed
Updated after today's meeting:
PBS-Java 1.126 implements the iab.usgeneral module. Working on the iab.uscustomlogic module still
If activityConfig is not specified, the iab.uscustomlogic should return `abstain`.
Done with PBS-Java 1.130
The next steps in GPP are covered by Phase 4 in the requirements document:
Privacy Infrastructure
Prebid Server-Specific Requirements
Any privacy regulation that needs to integrate with the Activity Infrastructure will need to conform to a new interface. The details of the interface will be left to the Go and Java development teams, but the requirements are:
`gpp-tcf-eu` was already called, the reference to `*` means all regulations other than gpp-tcf-eu.
`disallow` takes precedence and 'abstain' is ignored as an answer.
Non-Requirements
Linking the Activity and Privacy Infrastructures
See the use cases for how publishers might want to set up the existence of multiple in-scope regulations.
In addition to those use cases, the Prebid Server committee would like to be able to support future non-GPP privacy regulations.
This is the proposed `allowactivities` syntax extension for referring to privacy regulations from within the Activity controls:
Notes:
`privacyreg` attribute in the activity infrastructure is an interface to a generic layer that can deal with various privacy regulations as they are added to the system.
Configuring Privacy Modules
See General GPP Infrastructure requirements for background.
Prebid Server needs to allow accounts to configure privacy regulations. Here's the proposed syntax, which places the config in a new "privacy.modules" block. The proposal is that we define a new type of module interface for privacy modules. All the ones active for the given account would be registered here.
Assumptions:
Example config:
Notes:
Intended Processing:
`gpp_sid` parameter and module configuration to determine whether it's in scope for the current request. A future TCF module may use the `gdpr` scope flag and/or geographic information to determine whether it's in-scope.
US National Privacy
See US National Infrastructure requirements for background.
Assumptions:
Here's the proposed syntax:
The 'iab.usgeneral' module config field:
The 'iab.uscustomlogic' module is an envisioned (later phase) module that can be used by publishers to override the default interpretation algorithm.
`true`, the activity is suppressed (i.e. a "disallow" status is returned). The specific syntax of this has been debated and not finalized. The proposal is to settle on utilizing JSON Logic for Prebid Server for this and future general configuration logic needs.
Intended processing:
`allowactivities` config, the activity infrastructure calls the relevant privacy module(s) with the supplied module configuration. If a privacy module name is defined more than once in the config, only the first is processed. Others result in emitting a warning and an alert.general metric.
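
The combining rules stated in this issue (a `disallow` takes precedence, `abstain` is ignored, and only the first occurrence of a module name is processed) are shown here as an added Go sketch, which is not Prebid Server code. The `Module` type, the `Evaluate` function, the warning text, the sample answers, and the choice to return abstain when every module abstains are assumptions.

```go
package main

import "fmt"

// Result is a privacy module's answer for one activity.
type Result string

const (
	Allow    Result = "allow"
	Disallow Result = "disallow"
	Abstain  Result = "abstain"
)

// Module is a hypothetical stand-in for a configured privacy module.
type Module struct {
	Name string
	Eval func(gppSID []int) Result // decides scope and answer from the request
}

// Evaluate calls each module once, in config order, and combines the answers:
// any disallow wins, abstain is ignored, a repeated name is skipped with a warning.
// Assumption: if every module abstains, abstain is returned to the caller.
func Evaluate(mods []Module, gppSID []int) (Result, []string) {
	seen := map[string]bool{}
	var warnings []string
	combined := Abstain
	for _, m := range mods {
		if seen[m.Name] {
			warnings = append(warnings, "duplicate privacy module ignored: "+m.Name)
			continue
		}
		seen[m.Name] = true
		switch m.Eval(gppSID) {
		case Disallow:
			combined = Disallow
		case Allow:
			if combined == Abstain {
				combined = Allow
			}
		}
	}
	return combined, warnings
}

func main() {
	// Constructed sample: the module answers below are invented for the demo.
	mods := []Module{
		{"iab.usgeneral", func(sid []int) Result { return Disallow }},
		{"iab.uscustomlogic", func(sid []int) Result { return Abstain }},
		{"iab.usgeneral", func(sid []int) Result { return Allow }}, // duplicate name
	}
	res, warns := Evaluate(mods, []int{7})
	fmt.Println(res, warns)
}
```

The returned warnings stand in for the warning the issue describes; emitting the alert.general metric is left to the caller.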