search

prebid / prebid-server

Open-source solution for running real-time advertising auctions in the cloud.
https://prebid.org/product-suite/prebid-server/
Apache License 2.0
435 stars 744 forks source link

Extend GPC to sync endpoints #2859

Open bretg opened 1 year ago

bretg commented 1 year ago

The Global Privacy Control (GPC) header is currently used only in the /auction and /amp endpoints.

Would like to discuss extending impacts to the remaining endpoints.

Configuration

account config:

Both of these flags are boolean, defaulting to false.

/cookie_sync endpoint

Process the syncUser activity control, using the SEC-GPC header as the input to the gpc condition.

  1. If cookie-sync.enforce-gpc config is false, ignore GPC.
  2. If there's a Sec-GPC HTTP header with a value of "1" or 1, treat it as regs.ext.gpc: "1".
  3. No need to do a geo-lookups for the activity control. If there's a geo-condition on the control, it will fail.
  4. Look up the activity control. If the syncUser activity is not allowed:
    1. Do not respond with any usersync URLs
    2. In debug mode, return a message "activity control suppresses syncs"
    3. Add a new metric: cookie_sync_requests.disallowed.count

/setuid endpoint

Process the syncUser activity control, using the SEC-GPC header as the input to the gpc condition.

  1. If setuid.enforce-gpc config is false, ignore GPC.
  2. If there's a Sec-GPC HTTP header with a value of "1" or 1, treat it as regs.ext.gpc: "1".
  3. No need to do geo-lookups. i.e. geo-targeting in the activity control may fail.
  4. Look up the activity control. If there's no account parameter on the request, use the global account settings. If the syncUser activity is not allowed:
    1. Do not set a cookie
    2. Just respond with requested format (image/blank)
    3. Add a new metric: setuid.disallowed.count

/event

No change. GPC should not affect analytics.

bretg commented 1 year ago

Question around whether this should be global or configured by the publisher. Will bring it up in the Identity/Privacy committee.

jdwieland8282 commented 1 year ago

The Id and Privacy committee recommends making the application of GPC restrictions to various endpoints configurable where the default is "on" or enforced. This guidance should be considered along guidance from council.

bretg commented 1 year ago

Thanks Jeff. I suspect that we can't check account-level config for the /setuid endpoint because the account ID is not available. But it can respect the host-level config.

bretg commented 1 year ago

Discussed in committee: there's concern over implementing this before the account ID is generally available for /setuid.