Implement Handling for Special Purpose 3: Avoid Sending Consent String to SSPs if No Consent #12042

Closed
stefangabric1yieldlove opened this issue Jul 26, 2024 · 16 comments

Comments

@stefangabric1yieldlove

Type of issue

Feature request

Description

Special Purpose 3 relates to saving and communicating user privacy choices. According to GDPR guidelines, the choices users make regarding consent must be saved and communicated to entities in the form of digital signals. This ensures that both the service and the entities respect user choices.

However, in the context of Prebid, if a user has not provided consent for Special Purpose 3, it is crucial that the consent string is not sent to SSPs. This is necessary to comply with GDPR and respect user privacy preferences.

Proposal:

I propose that Prebid should implement a check for Special Purpose 3 consent. If consent is not provided, Prebid should ensure that the consent string is not sent to any SSPs. This change will help ensure that we are in compliance with GDPR and respecting user consent preferences.

Acceptance Criteria:

  • Implement a check within the Prebid core to verify Special Purpose 3 consent.
  • If Special Purpose 3 consent is not provided, ensure that the consent string is not included in any bid requests sent to SSPs.
  • Update relevant documentation to reflect this change.
@patmmccann
Collaborator

patmmccann commented Jul 26, 2024

However, in the context of Prebid, if a user has not provided consent for Special Purpose 3, it is crucial that the consent string is not sent to SSPs.

This doesn't seem likely to be true. Why might it be true? SSPs can declare LI on SP3. For example, Magnite does and Microsoft does https://vendor-list.consensu.org/v3/vendor-list.json

@patmmccann
Collaborator

patmmccann commented Jul 26, 2024

We'd welcome your PR that prevents fetches in the case of missing consent to SP3 as an option, but I don't expect we'd turn it on by default, as we expect most SSPs will imminently declare LI on SP3. Stripping the consent string seems unreasonable; I think an SSP would prefer you suppress the request if you don't believe you have legal bases to send a bid request with a string in it, for example if you receive an LI objection. What you'd want to do is add it here

const CONFIGURABLE_RULES = {
as an enforceable purpose and then lower define you do not want any network traffic as you have an LI objection.

https://iabeurope.eu/wp-content/uploads/TCF_V-CMP_comms_TCFv2.2PoliciesAmendmentsIntroductionOfNewSpecialPurpose3-SaveAndCommunicatePrivacyChoices_030624_IABEurope.pdf

@stefangabric1yieldlove
Author

@patmmccann Do you maybe know if SP3 or any SP is reflected in tcData?

@patmmccann
Collaborator

@stefangabric1yieldlove excellent question! we cannot find it, can you? It seems something might change by October. Currently, I cannot find any special purpose so I'll mark this blocked until we have an example of one.

@patmmccann patmmccann moved this from Triage to Blocked in Prebid.js Tactical Issues table Jul 29, 2024
@patmmccann
Collaborator

If we do not have consent to pass consent, one proposal (same as OP?) is while we may strip the actual consent string, we could continue to convey gdprApplies per the tcf spec and expect parties to do the right thing? We'd have to be very strong to review #7775 for stragglers or missed examples again

@patmmccann
Collaborator

patmmccann commented Jul 29, 2024

Of note, in October, assuming we suddenly start seeing sp3 in tcdata, we might not be able to find it for another year reliably, as old strings are still valid?
"The new Policies do not require CMPs to resurface the Framework UIs. After 4 October 2024,
new TC Strings must be created under the policies version 5. TC Strings created before 4
October 2024 under the policies version 4 will remain valid."

@patmmccann
Collaborator

According to this document none of the special purposes have rights to object or consent as a legal basis, they all are LI only

https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/#headline-524-18959

@stefangabric1yieldlove
Author

According to this document none of the special purposes have rights to object or consent as a legal basis, they all are LI only

@patmmccann I can't find it either in tcData. So just to confirm with you - “Special Purpose” means one of the defined purposes for processing of data, including users’ personal data, by participants in the Framework that are defined in the Policies or the Specifications for which Vendors declare a Legal Basis in the GVL and for which the user is not given choice by a CMP.
So that means that we should check GVL and not tcData before we send the request?

@patmmccann
Collaborator

So that means that we should check GVL

Prebid.js is unaware of the gvl, and why would anyone be on the gvl and not want to receive consent strings, seems insane, my assumption is every gvl member will register for SP3 over the next few months

@patmmccann
Collaborator

patmmccann commented Jul 31, 2024

Perhaps getting the gvl is free if the cmp already has it. Does anyone know if they do and if so, if they could expose it? @janwinkler do you know?

If so, we could have added logic around checking various vendor purpose LI claims

@patmmccann patmmccann moved this from Blocked to Needs Req in Prebid.js Tactical Issues table Jul 31, 2024
@janwinkler

I think the gvl is not the right way here. if you take the gvl and compare it, you would also need to check which version is used by the consent string and get this specific version of the gvl. that doesn't seem feasible in real time. (high effort for low impact)

there also exists the optional command getVendorlist in TCF but most cmps don't seem to support it (ours included).

I'm not 100% sure (confirming with policy group): sending a consent string to a vendor that did not register for SP3 may still be valid. the vendor that receives the consent string simply only may not process the consent string (which indeed doesn't make sense) but it doesn't mean that you can't send the string to them.

@patmmccann
Collaborator

@stefangabric1yieldlove does your cmp support this optional command?

@stefangabric1yieldlove
Author

Our cmp doesn't support this optional command.

@jdwieland8282
Member

TCF is one way to comply with the GDPR regulation, there may be others. If an SSP doesn't get a TCF string they might assume consent was gathered using some other means.

@jdwieland8282
Member

The Identity PMC recommends that GVL members register for LI - SP3

@patmmccann
Collaborator

Given Jeff and Jan's comments, the lack of anything to act on in tcData and the gvl not being generally available from the cmp, closing.

@patmmccann patmmccann closed this as not planned Aug 14, 2024