Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support GPP sections 13-22 (FL, MT, OR, TX, DE, IA, NE, NH, NJ, TN) #11978

Open
bretg opened this issue Jul 15, 2024 · 5 comments
Open

Support GPP sections 13-22 (FL, MT, OR, TX, DE, IA, NE, NH, NJ, TN) #11978

bretg opened this issue Jul 15, 2024 · 5 comments

Comments

@bretg
Copy link
Collaborator

bretg commented Jul 15, 2024
edited
Loading

Type of issue

Enhancement

Description

The GPP Control US State module supports SIDs 8-12 for the original 5 states in the GPP string. Prebid's approach for each state is to normalize it into the US National attributes and then compare those attributes for certain values for each defined activity. See Prebid US Compliance for details.

The IAB has finalized 10 additional states and we've analyzed the differences and discussed with Prebid legal counsel.

The proposal is to extend the GPP Control US State module to normalize each of the new states.

Renamed attributes

Several of the new states mention a ProcessingNotice attribute that is a synonym of the original SharingNotice.

Most of the new states refer to AdditionalDataProcessingConsent, which is a renamed version of PersonalDataConsents.

Normalizing Florida (SID 13)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. KnownChild - SID 13 does distinguish ages aligned with SID 7
    1. If SID 13 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 13 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids 13 and under, so if KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Note that array element 1 is "under 13" for SID 13, but array element 2 is "under 13" for the national string.
    3. SID 13 age ranges are fairly close National SID 7. Here's how they map:
      1. State string entry 1 (under 13) maps to SID 7 entry 2.
      2. State string entry 2 (age 13-15) maps to SID 7 entry 1 (13-16).
      3. State string 3 (age 16-18) maps to national entry 3 (age 16-17).
  5. All other fields pass through.

Normalizing Montana (SID 14)

  1. AdditionalDataProcessingConsent maps to PersonalDataConsents
  2. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  3. KnownChild - SID 14 does distinguish ages aligned with SID 7
    1. If SID 14 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 14 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids 13 and under, so if KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Array element 1 is "all ages" for SID 14 which could be under 13. Array element 2 is "under 13" for the national string.
    3. SID 14 age ranges do not align with National SID 7. Prebid does not distinguish between permissions to "process" or "sell". State string array entries 2 (sell age 13-15) and 3 (process age 13-15) both map to national entry 1 (age 13-16).
      1. If both SID 14 KnownChildSensitiveDataConsents[2 and 3] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 14 KnownChildSensitiveDataConsents[2 and 3] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[1] is 1 (no consent).
  4. All other fields pass through.

Note: SID 14 does not define ProcessingNotice like all others in this batch.

Normalizing Oregon (SID 15)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[10,11,12]
  4. SensitiveDataProcessing fields do not are not aligned, so we need to map:
    1. SID 15 SensitiveDataProcessing[1-4] are ok - they map straight through to normalized SensitiveDataProcessing[1-4].
    2. SID 15 SensitiveDataProcessing[5] (transgender status) is normalized to SensitiveDataProcessing[16]. However, Prebid will not normalize consent by default. If SID 15 SensitiveDataProcessing[5]=0, then normalized SensitiveDataProcessing[16]=0, otherwise, normalized SensitiveDataProcessing[16]=1 (no consent).
    3. SID 15 SensitiveDataProcessing[6] (immigration status) is normalized to SensitiveDataProcessing[5]
    4. SID 15 SensitiveDataProcessing[7] (national origin) is normalized to SensitiveDataProcessing[15]
    5. SID 15 SensitiveDataProcessing[8] is normalized to SensitiveDataProcessing[9]. However, Prebid will not normalize consent by default. If SID 15 SensitiveDataProcessing[8]=0, then normalized SensitiveDataProcessing[9]=0, otherwise, normalized SensitiveDataProcessing[9]=1 (no consent).
    6. SID 15 SensitiveDataProcessing[9] is normalized to SensitiveDataProcessing[6]
    7. SID 15 SensitiveDataProcessing[10] is normalized to SensitiveDataProcessing[7]
    8. SID 15 SensitiveDataProcessing[11] is normalized to SensitiveDataProcessing[8]
  5. KnownChild - SID 15 does distinguish ages aligned with SID 7
    1. If SID 15 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 15 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids under 13 , so if KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Array element 1 in SID 15 is "all ages" which could be under 13. Array element 2 is "under 13" for the national string.
    3. Prebid does not distinguish between permissions to "process" or "sell". State string array entries 2 (sell age 13-15) and 3 (process age 13-15) both map to national entry 1 (age 13-16).
      1. If both SID 15 KnownChildSensitiveDataConsents[2 and 3] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 15 KnownChildSensitiveDataConsents[2 and 3] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[1] is 1 (no consent).
  6. All other fields pass through.

Normalizing Texas (SID 16)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. KnownChild - Similar to SIDs 9,10, and 11, SID 16 does distinguish ages, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID 16 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 through 3]=1 (no consent)
    2. If the SID 16 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  5. All other fields pass through.

Normalizing Delaware (SID 17)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. SensitiveDataProcessing is aligned except for SID 17 entry 9. If SID 17 SensitiveDataProcessing[9] (transgender) is 0, then - normalized SensitiveDataProcessing[16]=0. However, Prebid doesn't normalize consent on this field, so if SID 17 SensitiveDataProcessing[16]>0 normalize SensitiveDataProcessing[16] to 1 (no consent)
  5. KnownChild - SID 17 definitions do not align with SID 7.
    1. If all SID 17 string KnownChildSensitiveDataConsents[1 through 5] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 17 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids 13 and under, so SID 17 if KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Array element 1 in SID 17 is "all ages" which could be under 13. Array element 2 is "under 13" for the national string.
    3. Prebid does not distinguish between permissions to "process" or "sell", so state string array entries 2 and 3 map to national entry 1 (age 13-16).
      1. If both SID 17 KnownChildSensitiveDataConsents[2 and 3] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 17 KnownChildSensitiveDataConsents[2 and 3] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[1] is 1 (no consent).
    4. Prebid does not distinguish between permissions to "process" or "sell", so state string array entries 4 and 5 map to national entry 3 (age 16-17).
      1. If both SID 17 KnownChildSensitiveDataConsents[4 and 5] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 17 KnownChildSensitiveDataConsents[4 and 5] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[3] is 1 (no consent).
  6. All other fields pass through.

Normalizing Iowa (SID 18)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents - Note the IAB page for SID 18 is missing AdditionalDataProcessingConsent -- we assume this is an error and that implementations will support it.
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessing[9-12]. (Note: unlike the other states in this batch, Iowa supports SensitiveDataOptOutNotice, so don't NULL it out.)
  4. KnownChild - Similar to SIDs 9,10, and 11, SID 18 does distinguish ages, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID 18 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 through 3]=1 (no consent)
    2. If the SID 18 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  5. All other fields pass through.

Normalizing Nebraska (SID 19)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. KnownChild - Similar to SIDs 9,10, and 11, SID 16 does distinguish ages, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID 19 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 through 3]=1 (no consent)
    2. If the SID 19 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  5. All other fields pass through.

Normalizing New Hampshire (SID 20)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. KnownChild - SID 20 does distinguish ages aligned with SID 7
    1. If SID 20 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 20 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids 13 and under, so if SID 20 KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Array element 1 in SID 20 is "all ages" which could be under 13. Array element 2 is "under 13" for the national string.
    3. SID 20 age ranges do not align with National SID 7. Prebid does not distinguish between permissions to "process" or "sell". State string array entries 2 (sell age 13-15) and 3 (process age 13-15) both map to national entry 1 (age 13-16).
      1. If both SID 15 KnownChildSensitiveDataConsents[2 and 3] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 15 KnownChildSensitiveDataConsents[2 and 3] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[1] is 1 (no consent).
  5. All other fields pass through.

Normalizing New Jersey (SID 21)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. SensitiveDataProcessing is aligned except for SID 21 entry 9. If SID 21 SensitiveDataProcessing[9] (transgender) is 0, then - normalized SensitiveDataProcessing[16]=0. However, Prebid doesn't normalize consent on this field, so if SID 21 SensitiveDataProcessing[16]>0 normalize SensitiveDataProcessing[16] to 1 (no consent)
  5. KnownChild - SID 21 definitions do not align with SID 7.
    1. If all SID 21 string KnownChildSensitiveDataConsents[1 through 5] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 through 3]=0 (N/A)
    2. SID 21 age ranges do not align with National SID 7. Prebid defaults to not processing data for kids under 13, so if SID 21 KnownChildSensitiveDataConsents[1]>0 then set normalized KnownChildSensitiveDataConsents[2] = 1 (no consent). Array element 1 in SID 17 is "all ages" which could be under 13. Array element 2 is "under 13" for the national string.
    3. Prebid does not distinguish between permissions to "process" or "sell", so state string array entries 2 and 3 map to national entry 1 (age 13-16).
      1. If both SID 21 KnownChildSensitiveDataConsents[2 and 3] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 21 KnownChildSensitiveDataConsents[2 and 3] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[1] is 1 (no consent).
    4. Prebid does not distinguish between permissions to "process" or "sell", so state string array entries 4 and 5 map to national entry 3 (age 16).
      1. If both SID 21 KnownChildSensitiveDataConsents[4 and 5] are 0, then normalized KnownChildSensitiveDataConsents[1] is 0.
      2. If both SID 21 KnownChildSensitiveDataConsents[4 and 5] are 2, then normalized KnownChildSensitiveDataConsents[1] is 2 (consent).
      3. Otherwise, normalized KnownChildSensitiveDataConsents[3] is 1 (no consent).
  6. All other fields pass through.

Normalizing Tennessee (SID 22)

  1. ProcessingNotice maps to SharingNotice
  2. AdditionalDataProcessingConsent maps to PersonalDataConsents
  3. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12]
  4. KnownChild - Similar to SIDs 9,10, and 11, SID 16 does distinguish ages, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID 19 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 through 3]=1 (no consent)
    2. If the SID 19 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  5. All other fields pass through.
@patmmccann patmmccann mentioned this issue Jul 16, 2024
Closed
@patmmccann patmmccann moved this from Triage to Ready for Dev in Prebid.js Tactical Issues table Jul 17, 2024
@patmmccann patmmccann moved this from Ready for Dev to Blocked in Prebid.js Tactical Issues table Jul 17, 2024
@patmmccann
Copy link
Collaborator

Marking as blocked until next 6 state specs are released

@bretg bretg mentioned this issue Aug 13, 2024
Merged
@bretg
Copy link
Collaborator Author

bretg commented Sep 10, 2024

FYI - we're waiting on InteractiveAdvertisingBureau/Global-Privacy-Platform#121 to be finalized and add the additional 6 states.

@bretg bretg changed the title Support GPP sections 13-16 (FL, MT, OR, TX) Support GPP sections 13-22 (FL, MT, OR, TX, DE, IA, NE, NH, NJ, TN) Sep 23, 2024
@bretg bretg moved this from Blocked to Needs Req in Prebid.js Tactical Issues table Sep 23, 2024
@bretg
Copy link
Collaborator Author

bretg commented Sep 23, 2024

Ok - added the other states. Ready for review.

@patmmccann patmmccann moved this from Needs Req to Ready for Dev in Prebid.js Tactical Issues table Sep 25, 2024
@bretg bretg mentioned this issue Oct 11, 2024
Open
@patmmccann patmmccann moved this from Ready for Dev to Blocked in Prebid.js Tactical Issues table Oct 18, 2024
@patmmccann
Copy link
Collaborator

I think this is blocked by #12454, as you would normalize to the version 2 string, which isnt yet support afaik

@bretg
Copy link
Collaborator Author

bretg commented Nov 18, 2024

Updated the normalizations to US Nat SID 7 v2.0.

@bretg bretg mentioned this issue Nov 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Prebid.js Tactical Issues table
Status: Blocked
Milestone
No milestone
Development

No branches or pull requests
2 participants
@patmmccann @bretg