SebastianZimmeck
commented
3 years ago One important point on WordPress sites is also that they are not actually modifying the USPAPI cookie in connection with GPC being enabled or disabled. Instead of reading the cookie value directly, they call into the IAB USP API to get the consent string. They use a wrapper __uspapi(‘getUSPData’, 1, (data) => console.log(data)). If GPC is enabled, then it will override the cookie value with 1YYN for "no consent".
I think RDP is the more important flag at the moment; just posting this as a reminder.
Here is an explanation on detecting RDP and the US Privacy String API (USPAPI):
We can
Basically, when ads are inserted the URL is known as an "ad call". This is just a series of query string parameters that control how the ad server will process the ad. One such parameter is "Restricted Data Processing" aka RDP. It's present in URLs as rdp=1 (I think it can be any truthy int). These should look like:
(Note that I don't know if there are variations on the domain, etc. — the important part is that before Do Not Sell has been activated, rdp should be absent or 0, and after it should be present and truthy.)
For USPAPI, that piece of information should be interceptable too
In addition to RDP we could also look in the US Privacy String (USPAPI). That would be more general as it requires every member of the Interactive Advertising Bureau (IAB) to set the privacy string of a user to opt out if they have opted out. (Google is one of the members of the IAB.) We can keep this in the back of our mind. There is a short paper I wrote with @kalicki1 that has a bit of a discussion in section 5.
We would expect USPAPI (in a cookie) to change from 1YNN to 1YYN when the GPC signal is sent.