Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Discussion] <amp-consent> TCFv2 Support #26229

Open
zhouyx opened this issue Jan 7, 2020 · 104 comments
Open

[Discussion] <amp-consent> TCFv2 Support #26229

zhouyx opened this issue Jan 7, 2020 · 104 comments

Comments

@zhouyx
Copy link
Contributor

@zhouyx zhouyx commented Jan 7, 2020

The Transparency and Consent Framework (TCF) is an effort to manage user consents, and have all parties understand the users consent information from regulations like GDPR.

Consent Management Platforms (CMP) helps sites to collect and manage user consent information in the TC data format. Today AMP allows a CMP to integrate with some limitations.
The <amp-consent> CMP integration was designed to work with any framework that is based on a consent string format.

CMP scripts are executed in an CORS iframe that’s controlled by AMP instead of included as first party script. Because AMP handles the lifecycle of the iframe, CMPs don’t have flexibility on when to show its UI, or has the ability to provide mandatory APIs for vendors to get their TC data.

What has Changed

In the past year, the IAB TCF v2.0 has been widely adopted by most vendors. Unlike a year ago when we first designed the feature, now we don’t see the necessity to support other TC framework. This allows AMP to work together with CMPs to understand the TC data and TCF v2 APIs.

With more regulations like GDPR, we are seeing the increasing complexity for site owners to manage user consents. Thus we are seeing the trend to have more CMPs come into the area. That brings a lot more feature requests and many ask for feature parity between AMP and their non-AMP integrations.

Goal

The goal of the design revise is to come up with a solution so that

  1. Vendors don’t find integrating with AMP challenging due to user consent handling.
  2. CMPs and publishers get flexibility to manage consent prompt without hurting general user experience.
  3. AMP pages are still performant.
  4. AMP doesn’t take the liability in managing user consent data.
  5. Engineering effort is manageable.

Proposed solutions

Option 1

Allow CMP script to run in the background, it will still run in a CORS iframe, but it will be initiated at pageload time and always run in the background.
This is very similar to the CMP, non-AMP pages integration as much as possible.

Details

  • Different ad vendors will have different ways to call the TCF standard APIs
    • Fast Fetch: AMP can proxy the __tcfapi() method and send postMessage to CMP iframe
    • In iframe: Same with non AMP, Let vendor communicate with CMP iframe __tcfapiLocator directly using postMessages.
    • Analytics vendors can’t use the TCF standard APIs. AMP can provide macros for them to get vendor specific data from the TCData object. But we will start with the entire consent string.

Pros:

  • Vendors can follow the same implementations, as the same set of APIs will still be supported by CMPs.
  • Because the CMP iframe runs in the background. It has the flexibility to request to display the UI.
  • Easy implementation from the AMP side. As CMPs have all APIs provided, AMP simply passes messages between different parties.
  • This may also enable publishers to work together with CMP to manage vendors that’s not only the GVL list, as long as the two parties reach some agreement on format. (Need declarative inline config added)

Cons

  • Having CORS iframe running in the background can lead to performance and security concerns.

Option 2

This is the current approach. Pass the entire TC data consent string using AMP provided APIs

Design Details

  • AMP will provide APIs for vendors to get the complete TC data in the consent string format.
    • 3P Ad vendors can use the context.initialConsentValue
    • Fast fetch vendors can use the getConsentPolicyInfo() method
    • Analytics vendor and RTC request can use the CONSENT_STRING macro

Pros

  • No extra work on the AMP size. Support future version of the framework by default.
  • Passing TC data and handling them on the server end is the best for performance.

Cons

  • CMPs don’t get flexibility on the consent UI.
  • Difficulties for vendors to interpret TC data on the client side.
  • Ads vendors need to import libraries to do so. This can be a blocker for future vendors to integrate.

To decide if we need to change the design, we'd like to get feedback from CMPs, Ad vendors, Analytics vendors and Publishers.
We are leaning towards Option 2 (The existing option) for performance reason. If so

  1. How difficult it is for ad vendors to interpret consent string without the TCF APIs
  2. Are analytics vendors OK with handling the consent string on server side?
  3. What's the limitation to CMPs having AMP runs their code in CORs iframe, and controls the lifecycle of the iframe?

cc @ampproject/wg-analytics @ampproject/wg-ads

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Jan 8, 2020

@AmazonPublisherServices @leonardlabat @bretg @wroberts-comscore for feedback since you have dealt with CONSENT_STATE and CONSENT_STRING in AMP.

@yoannOgury @PierigOgury @andresilveirah @jawadst @tla-sirdata for feedback from CMP

Thank you!

@bretg
Copy link
Contributor

@bretg bretg commented Jan 27, 2020

Prebid Server receives RTC calls from AMP. We find it sub-optimal to have to introspect CONSENT_STRING, which could be formatted as a TCF1.0 or CCPA string.

Would it be possible to add a "CONSENT_TYPE" attribute which the CMP can add to provide a clear signal on how the string is formatted? Valid CONSENT_TYPE values could be: TCF1, TCF2, USP, etc.

How difficult it is for ad vendors to interpret consent string without the TCF APIs

Speaking for Prebid, if we had CONSENT_TYPE, we'd be happier parsing strings. We do it already in Prebid Server. In fact, we don't currently use the AMP CONSENT_STATE -- we assume that the user consent state is already encoded in the string.

It's unsatisfying and won't scale well to parse the consent string with a set of rules like:

  • if it's 4 chars and starts with a "1" it must be CCPA
  • else if it passes through the TCF1.0 parsing function, it must be TCF1.0
  • else if it passes through the TCF2.0 parsing function, it must be TCF2.0
  • else it's an error

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Jan 27, 2020

Thank you @bretg for the feedback.
TCF1.0 and 2.0 should be easy to interpret as the version number is included in the TC string. But I agree that the US privacy string make things more difficult.
Is there a standard name that the AMP team can follow? Could you please let us know how CMPs are passing this information in non AMP page today? Thank you

@bretg
Copy link
Contributor

@bretg bretg commented Jan 28, 2020

In non-AMP pages, there are different IAB functions in the page that serve as the interface. For GDPR, the ad tech javascript infrastructure calls window.__cmp(). For CCPA it's window.__uspapi(). So because these separate interfaces exist, it's quite clear to the ad ecosystem how to parse the results of the call.

Being on the vendor end of RTC is quite different - we're not making the call to the CMP ourselves so don't have the context.

FWIW - prebid.js requires that publishers turn on GDPR and USPrivacy and let it know which specific interfaces to use. e.g.

pbjs.setConfig({
         consentManagement: {
           gdpr: {
            cmpApi: 'iab',  // could also be passed in statically
            ...
           },
           usp: {
             cmpApi: 'iab',  // could also be passed in statically
             ...
           }
         }
       });

@PierigOgury
Copy link
Contributor

@PierigOgury PierigOgury commented Jan 31, 2020

As a CMP first option seems attractive, it will give us more flexibility, each vendors will be able to use the exposed api or the consent string, without any specific intégration for AMP, it is the idea behind tcf implementation.
This option also allows the most limited liability on AMP side.

On AMP side, the second option will need less engineering and is clearly more safe technically, and dealing with CONSENT_TYPE seems a good simple solution .

However it will force vendors to find a solution to be able to decode consent string, with one decoder by consent string type, it could be really painful for vendors, with some performances impact.

Thats why as a CMP, we prefer the first option, but the second one works also with more impacts for vendors.

In all cases, we think that AMP have to keep the hand on which kind of consent string can be provided through the amp-consent.

At the same level as the CONSENT_TYPE remark, it would also be useful to be able to set multiple consent signals (in case of a CMP managing multiple framework/regulation with one notice to the end user) 

@bretg
Copy link
Contributor

@bretg bretg commented Jan 31, 2020

dealing with CONSENT_TYPE seems a good simple solution. However it will force vendors to find a solution to be able to decode consent string, with one decoder by consent string type

Not quite sure I understand you here @PierigOgury - are you suggesting that the existence of CONSENT_TYPE makes parsing harder? My take is that each RTC vendor has to have code to parse all encodings anyhow... having metadata about the encoding format just means no guessing.

@PierigOgury
Copy link
Contributor

@PierigOgury PierigOgury commented Feb 5, 2020

Hi @bretg ,
I mean that the first solution proposed allows to not have a decoder in case the API gives an "easier" to manage information (such as the TCF API regardless of the version). With CCPA framework it is mandatory to have a "decoder" as the API is sending only the encoded part.
With the second solution a decoder is mandatory regardless of the API defined by the framework, for anyone in the amp environment (vendor and publisher). And as you mention, the CONSENT_TYPE allows for no guessing on the type of object received.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Feb 6, 2020

Thanks all for the feedback.

After more discussion, the AMP team decided Option #1 is not very practical. As @PierigOgury pointed out it requires a lot engineering resources. Also it's not technically safe because AMP is not a registered CMP. Because of this we decided to stay with the current approach (Option #2)

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Feb 6, 2020

Re: CONSENT_TYPE. Sounds reasonable to add the additional information.

I only have one concern, the CONSENT_TYPE only makes sense when it is stored with consent string together and can be understand by all parties. @PierigOgury @bretg does this mean that AMP needs to declare the types of consent string framework we support and provide a list of standard type names?

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Feb 6, 2020

Hi,
First sorry for my late feedback.
I would like to bring more elements even if it seems the AMP team has made its decision.

I think the fact CMPs have no control on whether to display the UI is a problem.
When the vendor list changes, we need to display the UI to ask consent for additional vendors while keeping previous choices. With the actual integration, we can only expire the consent string, which is obviously not what we want.
TCF v2.0 also introduces a TCF Policy version that we have to take in consideration to display the UI when it changes.
Additionally, the recent CNIL notice (still in public comment) indicates that the UI should be displayed again in case of "significant change".
These are just some examples but we can see there can be many reasons why CMPs need to display the UI, and they change over time depending regulations and frameworks.
If AMP keeps control on the display, it must ensures those rules will be applied, which I think is painful for AMP engineers and doesn't make sense as AMP is not a CMP.

As a reasonable solution, CMPs could add an attribute in the check endpoint's response to indicate to AMP that we want to display the UI while keeping the existing consent string.
On AMP side, a capping could be managed to prevent CMPs from displaying the UI too often.
This solution doesn't require a CORS iframe.


About reading consent data, it would be indeed very convenient for vendors to call the standard APIs and not have to decode consent strings.
Actually in TCF, vendors are not supposed to decode the consent string by themselves, they should always read consents through the CMP API, which ensures them that signals are valid and the consent string is not corrupted.
That point should probably be discussed with the IAB Europe as they probably didn't design the framework with AMP concerns in mind.

The limitation I see in the actual integration is that CMPs can only transmit a consent string (and maybe a future consent type).
As mentioned in the discussion's description, publishers may need to work with vendors outside the GVL list (example: Google before TCF v2 adoption), so we have to transmit those additional information.

The main idea is to provide CMPs a way to transmit more information (at page load and after user submit), the challenge being to give enough flexibility to CMPs while keeping a standardized AMP structure.
As a workaround to standard APIs, CMPs could then use that feature to expose decoded data to vendors.
Once again no CORS iframe is needed.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Feb 14, 2020

Talked to @jeffjose offline. We agreed that AMP can provide such CONSENT_TYPE information. TCF v1, v2 and US privacy string will be the three formats we support for now. In the future we are open to add other format to the list upon requests.
The team is currently focus on adding us-ca detection capability to amp-geo, and doesn't have bandwidth to this API this sprint. We'll update the thread once we pick up the work. Thanks.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Feb 14, 2020

As a reasonable solution, CMPs could add an attribute in the check endpoint's response to indicate to AMP that we want to display the UI while keeping the existing consent string.
On AMP side, a capping could be managed to prevent CMPs from displaying the UI too often.
This solution doesn't require a CORS iframe.

The only concern is user experience. @micajuine-ho @jeffjose and @lannka would like to get your thoughts on the tradeoff here.

The main idea is to provide CMPs a way to transmit more information (at page load and after user submit), the challenge being to give enough flexibility to CMPs while keeping a standardized AMP structure.
As a workaround to standard APIs, CMPs could then use that feature to expose decoded data to vendors.
Once again no CORS iframe is needed.

We could provide an API for CMP to pass consent data object to vendors. AMP won't store the data
object or enforce the object format. My concern is that without standard structure, such type of object cannot be parsed by vendors.

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Feb 20, 2020

The only concern is user experience. @micajuine-ho @jeffjose and @lannka would like to get your thoughts on the tradeoff here.

Sorry @zhouyx, are you asking me to give my thoughts about the tradeoff here ?

@cmaurersp
Copy link

@cmaurersp cmaurersp commented Apr 14, 2020

@zhouyx wanted to see where the AMP support for TCF version 2 stands. i'm having trouble understanding it's progress from this thread.

@jawadst
Copy link

@jawadst jawadst commented Apr 17, 2020

@zhouyx Having worked with many vendors in the last months on TCFv1 integration with AMP, the main piece of feedback we have is that most vendors are still unclear on how they can get access to the consent string from their AMP tags.

In particular, they are struggling with two elements:

  • What tags can get access to the consent string and how (macros, usually)
  • How the different parameters on ad tags affect the availability of the consent string or the loading of tags

We have tried to summarize all common cases on https://developers.didomi.io/cmp/amp/consent-status-for-vendors and https://developers.didomi.io/cmp/amp/blocking-behaviors but I'd recommend improving the AMP docs for vendors on that front for the V2. Happy to help if there is a way for us to contribute to the docs.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Apr 18, 2020

Thank you @jawadst This is very helpful! I've added you as reviewer to #27855

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Apr 18, 2020

@cmaurersp any specific detail you need?

AMP attempts to support TCF v2 as a generic TC framework as best as we can.
AMP will collect and store raw consent string from CMP and pass the raw string value to vendors.
As described above AMP decided not to support the TCF v2 APIs though, and expect vendors to parse the string on the server side.

@cmaurersp
Copy link

@cmaurersp cmaurersp commented Apr 23, 2020

@cmaurersp any specific detail you need?

AMP attempts to support TCF v2 as a generic TC framework as best as we can.
AMP will collect and store raw consent string from CMP and pass the raw string value to vendors.
As described above AMP decided not to support the TCF v2 APIs though, and expect vendors to parse the string on the server side.

What do 3rd party CMPs need to do in order to support TCF v2 at this point in time?

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Apr 23, 2020

If you want to integrate your CMP solution with AMP. For example

<amp-consent type='myCMP'></amp-consent>

Please follow the CMP integration guideline here. https://github.com/ampproject/amphtml/blob/master/extensions/amp-consent/integrating-consent.md
Let me know if there's any question.

@saraneus
Copy link

@saraneus saraneus commented Apr 24, 2020

We are creating a CMP for our publishers and would like to do an integration test locally before we actually create a pull request. How can we create a full working demo?

Our demo looks like the following so far:

<amp-consent id="myUserConsent" layout="nodisplay">
    <script type="application/json">{
        "consentInstanceId": "consent-id",
        "consentRequired": true,
        "promptUIaaa": "consentDialog",
        "postPromptUI": "post-consent-ui",
        "checkConsentHref": "https://open-cmp-local-api.de:5003/consent/check",
        "onUpdateHref": "https://open-cmp-local-api.de:5003/consent/update",
        "promptUISrc": "https://open-cmp-local-iframe.de:5003/demo/amp/cmp-frame.html",
        "storageKey": "cmp_foo_bar"
    }</script>
    <div id="post-consent-ui">
        <button on="tap:myUserConsent.prompt()">Update Consent</button>
    </div>
</amp-consent>

In Dev tools I can see a iframe being created loading promptUISrc, which is the standalone CMP. No errors reported. But the iframe is hidden and only a spinner is displayed. It's probably something I missed, could someone give me a hint?

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Apr 24, 2020

Hi we would like to integrate our TCF v2 CMP to AMP and have some questions :

  • Can you provide information about integration and the new CONSENT_TYPE field ?
  • How are we supposed to add the configuration here ?
  • Is there something to indicate v2 endpoints or should we create another config type (for example : sirdata-v2) ? Same question for CCPA
  • TCF v2 requires a very large amount of information on the 1st layer, which can result to a dense content with the 60vh restriction. Can we consider increase it ?

Thanks

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Apr 24, 2020

Hi @saraneus. Thanks for your question. Your current implementation of adding your CMP to AMP seems a little off. To integrate into AMP as a CMP, you need to follow the CMP integration guideline here. https://github.com/ampproject/amphtml/blob/master/extensions/amp-consent/integrating-consent.md

After following these steps, you can test locally with a consent element similar to this (replacing _ping_ with your CMP name):

<amp-consent id='ABC' layout='nodisplay' type='_ping_'>
      <script type="application/json">
      {
        "postPromptUI": "postPromptUI",
        "clientConfig": {
          "CMP_id": "test_id",
          "other_info": "test_info"
        }
      }
      </script>
      <div id="postPromptUI">
        Post Prompt UI
        <button on="tap:ABC.prompt(consent=_ping_)" role="button">Manage</button>
      </div>

Another hint is that

        "checkConsentHref": "https://open-cmp-local-api.de:5003/consent/check",
        "onUpdateHref": "https://open-cmp-local-api.de:5003/consent/update",
        "promptUISrc": "https://open-cmp-local-iframe.de:5003/demo/amp/cmp-frame.html",

should be here under your new CMP name.

Please let me know if you have any further questions.

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Apr 24, 2020

Hi @tla-sirdata, thank you for your questions.

Can you provide information about integration and the new CONSENT_TYPE field ?

This is still in the works. Please refer to #27907, and we can continue the discussion there.

How are we supposed to add the configuration here ?

To integrate into AMP as a CMP, you need to follow the CMP integration guideline here. https://github.com/ampproject/amphtml/blob/master/extensions/amp-consent/integrating-consent.md
If you have any questions on these steps, please let me know.

Is there something to indicate v2 endpoints or should we create another config type (for example : sirdata-v2) ? Same question for CCPA

I believe you are asking if there is someway to tell if the consent_string you are passing along through your endpoint satisfies TCF_V1, TCF_V2, or US Privacy String. If this is the case, then I believe that this issue can be solved with the addition of the CONSENT_TYPE field as metadata for the consent string (again, see the issue linked above).

TCF v2 requires a very large amount of information on the 1st layer, which can result to a dense content with the 60vh restriction. Can we consider increase it ?

@zhouyx correct me if I'm wrong, but I believe we decided on 60vh restriction due to the bad UX that would be created if users were to just see a fullscreen consent dialog. However, you can use our fullscreen API to enlarge the consent dialog.

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Apr 24, 2020

@micajuine-ho Thanks for your answers !

I believe you are asking if there is someway to tell if the consent_string you are passing along through your endpoint satisfies TCF_V1, TCF_V2, or US Privacy String. If this is the case, then I believe that this issue can be solved with the addition of the CONSENT_TYPE field as metadata for the consent string (again, see the issue linked above).

I'm talking about the CMP version a publisher chooses to use.
Actually we're already integrated in AMP as a TCF v1 CMP and would like to add our TCF v2 version. I'm wondering if publishers will have to change the <amp-consent> type (from sirdata to sirdata-v2) or if they will be able to switch with a parameter in the JSON config.

Thanks

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Apr 24, 2020

@tla-sirdata Thanks for the clarification.

As a CMP do you anticipate that having publishers using v1 and v2 will be a common use case for you?

Something that we could do would be to include a CONSENT_TYPE field within the request to the CMP (in the checkConsentHref endpoint), that could be overriden by the inline publisher, but would otherwise default to the last CONSENT_TYPE stored in local storage.

I don't think we currently have a clear cut solution for this. @zhouyx for ideas/confirmation.

@renebaudisch
Copy link
Contributor

@renebaudisch renebaudisch commented Aug 28, 2020

Sure, what I want to say is, that I want my code inside your amp-ad-frame to be able to do this:

https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md#is-there-a-sample-iframe-script-call-to-the-cmp-api

This way I can consume consent provided by your cmp the same way I can on regular websites.
How your cmp before has collected data or the way it will gather the data to provide it still can be AMP specific.

Hope that explains my proposal.

@ahmedkaludi
Copy link

@ahmedkaludi ahmedkaludi commented Sep 12, 2020

Hi,

I'm the lead developer for AMPforWP & WPQuads plugin. Our users are requesting TCFv2 support in our plugins and we really want to implement it in-order for them to stay up to date with the privacy policies.

Guys, Let's get this rolled out soon and have a solution for us.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Sep 14, 2020

@ahmedkaludi

Thanks for reaching out. AMP does provide TCFv2 support. https://github.com/ampproject/amphtml/blob/master/extensions/amp-consent/amp-consent.md#does-amp-support-the-iab-tcf

Not directly via the __tcfapi API because AMP doesn't allow CMP scripts directly running on the AMP doc, also because of how AMP stores values in the AMP viewer. However AMP provides a list of APIs for CMPs and ad vendors to pass TCFv2 information.
Vendor facing doc
CMP facing doc

Let us know if it work for you. And if not what's missing. Thanks!

@Facens
Copy link

@Facens Facens commented Sep 18, 2020

@zhouyx the latest version of the TCF library manages to compress the 8kb string to around 1.7, so we could fit the 2k limit which is also the safe limit for URLs and which could be a good threshold for AMP, up from the 1.2kb that's in place now. Could this change be made? I remember this would be your upper limit, and I'd go for it as it would drastically reduce the edge cases.

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Sep 18, 2020

@Facens Thanks for the information. Is the 1.7kb the upper limit for TC string now? Could you please refer me to the IAB doc. If it's going to stay like that, then I agree with we could revisit AMP's size limit.

@Facens
Copy link

@Facens Facens commented Sep 20, 2020

@zhouyx the string has no upper limit and could grow, but since 2000 characters is what's generally considered to be the safe maximum threshold in other contexts (e.g. URLs and legacy webservers/browsers), in Tech Lab we're making all possible efforts to shrink down and stay within that limit. I was giving 1.7k as a reference because it's at the moment a size that is reached in a relatively low but significant number of cases and can be a deal breaker for some large publishers when approaching AMP. My suggestion would thus be that you increase the size all the way to 2000 chars which as you referred to previously is the max that you can get to without refactoring, particularly since there's Google's additional consent mode string to fit in too. Please let me know if we're aligned!

@vyoungnyc
Copy link

@vyoungnyc vyoungnyc commented Sep 25, 2020

@zhouyx @micajuine-ho

Hey, we talked about using google's CLIENT_ID to sync up with our internal consent uuids. I seem to be running into a problem with CLIENT_ID being different when the amp page is hosted off the publisher website vs. off the google.com TLD.

e.g.
https://www.google.com/amp/s/www.publisher.com/amp/en-us/content-video-123
has a client id of something like: SPB8rlQkK8dFUnpCGjto31NL7P5g-j06ZJAn8tOoWv3G4oZdpw-deDoCn9YTiqhJ

but when you go to the publishers amp page of that same content in that same browser without clearing any cookies/local storage: www.publisher.com/amp/en-us/content-video-123
the client id is something like amp-nOpe-wXCUM1STTYOlYuSqg

i think the expected behavior would be that the client id's would be the same, so we can properly sync up the client id with our user consent uuid. but because it is different, the consent preferences of the user does not persist.

What is the best way to resolve this? because when amp pages are served off the google.com TLD, the cookies arent accessible when they go to a publishers page, so we are relying on google to provide a consistent CLIENT_ID

@vyoungnyc
Copy link

@vyoungnyc vyoungnyc commented Oct 6, 2020

@zhouyx @micajuine-ho

Havent heard from you guys in awhile, should I create a new issue for the above?

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Oct 6, 2020

@vyoungnyc Sorry about that. Yes, it would be appreciated if you could create a new issue, so it's easier to track/discuss. Thanks!

@alextcone
Copy link

@alextcone alextcone commented Oct 19, 2020

@Facens wrote:

@zhouyx the string has no upper limit and could grow, but since 2000 characters is what's generally considered to be the safe maximum threshold in other contexts (e.g. URLs and legacy webservers/browsers), in Tech Lab we're making all possible efforts to shrink down and stay within that limit. I was giving 1.7k as a reference because it's at the moment a size that is reached in a relatively low but significant number of cases and can be a deal breaker for some large publishers when approaching AMP. My suggestion would thus be that you increase the size all the way to 2000 chars which as you referred to previously is the max that you can get to without refactoring, particularly since there's Google's additional consent mode string to fit in too. Please let me know if we're aligned!

Hi. I am the product leader for TCF at IAB Tech Lab. I'm getting a lot of questions about this AMP limitation on string size. Is it possible to make the change @Facens suggested in the quoted comment above?

@zhouyx
Copy link
Contributor Author

@zhouyx zhouyx commented Oct 19, 2020

@alextcone Thanks for reaching out

AMP has removed the consent string size limit when the Storage API is not used. That applies when the AMP page is served directly from the publisher's origin.

Regarding to the AMP viewer case, this is a known technical restriction on AMP. We have expanded the consent string size limit to as much as we can support today. I can reach out to the AMP viewer team on potentially expanding the size limit (maybe by another 50%), but that cannot solve the size limit issue either. I was told that the current size limit could fulfill 95% of all use cases. If that's still true, I am leaning towards keeping the size limit unchanged.

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Oct 19, 2020

@SyntaxNode I created an issue to track work for the consent metadata macros for RTC vendors here: #30006

The PR has been merged.

@nicobatalla
Copy link
Contributor

@nicobatalla nicobatalla commented Oct 21, 2020

Hi @zhouyx . I'm creating an amp-consent solution for Quantcast CMP. I have pretty much all working by now, but I have a question. I saw that you can save a consentMetadata like this:

{
"consentStringType": {enum} [1: TCF V1, 2: TCF V2, 3: US Privacy String] (optional),
"gdprApplies": {boolean} (optional),
"additionalConsent": {string} (optional)
}

But how is that read from the amp-ad component? I'm getting the full TC string on initialConsentValue via window.context and the AMP consentState, but I can't seem to find the additionalConsent string anywhere, even though I'm setting it as consentMetadata via postMessage from my iframe.

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Oct 22, 2020

Hi @nicobatalla, I assume since you're using window.context to read consentState, that you are trying to read the consentMetadata value from an amp-ad-3p-impl. If so, then here is the relevant issue #30786; we will be looking to expose the consentMetadata value through the window.context soon. Please let me know if this is not the case for you.

@renebaudisch
Copy link
Contributor

@renebaudisch renebaudisch commented Oct 22, 2020

@nicobatalla @zhouyx
Wouldn't this be obsolete when going towards IAB implementation as mentioned here #30385 which is intented to implement?

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Oct 22, 2020

Wouldn't this be obsolete when going towards IAB implementation as mentioned here #30385 which is intended to implement?

My understanding is not all vendors/publishers will support an IAB implantations so it is good to accommodate these cases. I also don't think this change would be a large and will not have an impact on performance.

@renebaudisch
Copy link
Contributor

@renebaudisch renebaudisch commented Oct 22, 2020

Taking about advertising everybody SHOULD follow the IAB (International advertising bureau) and if not - you force everyone to go your way, so why not here too, rely on IAB and force everybody to use it?
Right now you/AMP are/is doing the same the other way round, I cannot get tc data as I'm use to, I have to go your idle way, that only exists on AMP.
But it's your baby not mine...

@nicobatalla
Copy link
Contributor

@nicobatalla nicobatalla commented Oct 22, 2020

@micajuine-ho @renebaudisch Thank you guys, I'm going to be following both issues.

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Oct 27, 2020

@nicobatalla #30820 has been merged.

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Nov 12, 2020

Hi @micajuine-ho do you have any update on the lightbox flow you were intended to implement ? Thanks !

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Nov 12, 2020

Hi @tla-sirdata here is the PR (#29204), and the documentation can be found here.

@tla-sirdata
Copy link

@tla-sirdata tla-sirdata commented Nov 13, 2020

@micajuine-ho oh i completely missed this out! Thanks

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Nov 18, 2020

Hi all! FYI, we have gotten some asks to allow for CMPs to pass in a PurposeOne (boolean) signal to amp-consent. This signal, if found will give integrated vendors the option to interpret the signal and make a client-side decision based upon this, rather than sending the full TC String to their servers and making the determination server-side.

Here is the relevant issue. (#31144)

Please feel free questions or concerns to that thread :)

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Dec 4, 2020

Hi all!

The purposeOne metadata field change has been merged (#31145). FYI in the future, ad vendors can chose to interpret this signal and potentially drop ad requests when purposeOne consent is not explicitly passed in.

Currently, passing in purposeOne consent will not have any affect on monetization, but including could help guard against a change like this occurring without notice.

@opencmp
Copy link
Contributor

@opencmp opencmp commented Jan 25, 2021

Hi!

As a reasonable solution, CMPs could add an attribute in the check endpoint's response to indicate to AMP that we want to display the UI while keeping the existing consent string.
On AMP side, a capping could be managed to prevent CMPs from displaying the UI too often.
This solution doesn't require a CORS iframe.

Has there been implemented a solution yet? I can't find anything in the docs except expireCache.

Is it possible to give more control to the CMP? Right now AMP is in control of the CMP. But in my opinion the CMP needs to be in control of when to show the popup. Only the CMP knows about changes in the vendorlist and in our case the CMP can be configured by our users to control its behaviour. But all that can't work in AMP because the iframe is not loaded.

A solution where the CMP always loads and takes control of AMP through APIs (show popup, close popup, update consent) would be very helpful. It should also be possible to store meta data with the consent string, i.e. the version of the vendor list or other information.

@micajuine-ho
Copy link
Contributor

@micajuine-ho micajuine-ho commented Jun 29, 2021

Hi @opencmp, this sounds reasonable, can we create a separate GH issue for it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests