New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Global Privacy Platform (regs.gpp) #2380
Comments
Thank you for bringing this to our attention @robhazan. There's a lot to read through in the Global Privacy Platform (GPP) spec. At a high level, this is a new consent string / privacy signals container which will incorporate all existing IAB standards (TCF v1, TCF v2, CCPA) and will be the exclusive home to future standards, like the upcoming TCF for Canada and new signals related to CPRA. The current TCF v2 string can be embedded as-is. The CCPA string can also be embedded as-is and they're introducing a new more compact format with the exact same fields. For the most part, we need to write a parser for the GPP container and can interpret the embedded consent strings with our existing code. The current approach in OpenRTB may become "messy" as many more jurisdictions introduce their own privacy frameworks. With at least three new frameworks in development now, this is a problem that needs to be addressed. GPP expands on the technical approach of TCF v2 to create a new container format uniform across the ecosystem / not specific to just OpenRTB. I expect this to especially help with AMP where PBS can simply place the GPP string in the created OpenRTB request and our main auction logic can run normally. PBS-Go and PBS-Java should already pass PBS will need to implement:
PBS should not create a a GPP consent string as that is a job reserved for CMPs. If a request is received with the soon-to-be legacy |
@SyntaxNode My primary question is whether Prebid Server needs to actually enforce based on what's in the GPP string. In other words, determine which bid adapters should or shouldn't make bid requests based on the user's consent preferences. |
Discussed in committee today. We agreed that it makes sense to consider at least two phases:
Open questions:
|
I spoke with the IAB Working Groups about our questions and have the following responses/guidance:
No. We should keep the privacy signals exactly the same as we received them. Doing otherwise might introduce liability. Let' discuss at the next meeting if we feel strongly agains this guidance.
Yes. TCF2 (retroactively renamed TCF-EU2) and USP are a "shift and lift" into GPP so our current logic is fine as a middle phase.
Soon. The current target is October 2022, although this may slip a little a 2022 release seems highly likely. They are currently working on updates from the public comment feedback. |
Also, the plan for |
I've taken a cut at outlining a Prebid path for GPP support. https://docs.google.com/document/d/1dRxFUFmhh2jGanzGZvfkK_6jtHPpHXWD7Qsi6KEugeE/edit?usp=sharing Would suggest reviewing in next week's meeting. |
Discussed in committee
Go and Java dev teams can design these features and plan the release strategy. Full GPP support will be tracked by a separate issue. |
Notes from the Prebid Server Committee:
GPP Phase 1 support as defined in this thread has been given a higher priority on the PBS Road Map. The IAB offers a JavaScript implementation. The PBS-Go team is building https://github.com/prebid/go-gpp . There may not yet bet a Java library. |
There's a Java library being built by the IAB at https://github.com/IABTechLab/iabgpp-java |
To reiterate: the scope of this issue's "ready-for-dev" status is the 'Phase 1' work. There will be a separate issue for the refined enforcements and multi-state work. |
Added "regs.gpp_sid" support as defined in the latest revision of GPP. |
Did you see pr 25 that defines 0 and -1 gpp_sid? |
No, which repo is PR 25 in? |
Was reading through the IAB's doc at and ran across this syntax I don't understand: GPP_STRING_XXXXX
Does anyone understand why they're making this distinction? When the /cookie_sync endpoint receives the gpp string in the POST body, it needs to be the full cross-vendor string. Is there some vendor splitting we need to do there in order to pass the string through the sync urls? |
This use case seems to apply specifically to situations where Javascript cannot execute, so AMP. We'll need to learn more about the intent to understand if the cooke sync macros would need to be "addressed" to the PBS Host GPP ID or if we can use the adapter IDs here. |
As an agenda item for next year, GPP SID works a bit differently than the GDPR flag. The flag can be nil, 0, or 1. If it's nil, we replace it with a required default value. For SID, it's an array of all policies in play. In practice, this is one.. maybe 2, values. So far, it appears the industry is treating a nil SID array and an empty SID array the same - as no privacy policy to enforce for the request. Do we allow the host to set default values if none are provided? .. and does this need to have logic since it applies to GDPR/TCF2, CCPA, the new US Privacy laws, and many others on the horizon? |
My take: in the short term, no need for host-level defaults. Once we built out full GPP support, we're going to need PBS to be able to resolve the user's geo. Each regulation should have a 'module' that can take all the known information about the request, including geo, and determine the scope. |
Looking over the discussion on For us, I don't think it will be too big of an issue. We only have access to a singular GPP string, so either PBS hosts will have to strip off the vendor identifier from supplied cookie sync URLs, or PBS will search and replace |
As we started implementing for PBS-Java, found the spec for wrapper behavior was not well-defined. I've revised Phases 1 and 2 in the Prebid GPP doc. Some pretty major changes to phase 2, so we should discuss in light of PBS-Go already working on this. In the meantime, continuing on to Phase 3 |
Talking at an IABTL meeting abouit the string_XXXX macros now. Apparently we shouldn't call user syncs that have the macro XXX in them if vendor XXX does not have purpose 1 consent. Related: InteractiveAdvertisingBureau/Global-Privacy-Platform#60 |
Interesting. There's no "purpose 1 consent" in GPP, but anyhow, Prebid Server will be able to suppress usersyncs for vendors that need to be anonymized without need of XXXX. The usersync macro supplied by bidders in the YAML file will be {{gpp}}, replaced by the full GPP string. But I think this observation may have implications on bid adapters utilizing iframes that do a 'second-level' DSP sync. That iframe code may need to be responsible for suppressing syncs to other entities. Worth noting, though, that not all GPP SIDs have the concept of vendor ID. e.g. TCF-CA will, but USNat doesn't. In the case of USNat, it's probably easy -- if PBS is letting the bidder's iframe run, syncs are ok since that regulation doesn't differentiate vendors (thank goodness). But in the case of TCF, I suppose it means the iframe code needs to 'Do The Thing': parse the string for allowed GVL IDs. That's a lot of replicated parsing of a complex string. If that's a problem, Prebid could make that easier by passing a list of P1-approved GVLIDs into the iframe. That would entail a bunch of refactoring by any bidder doing this. |
Closing this issue. See related issues for phases 3, 3.5, and 4. |
Feature Request
The IAB Tech Lab has published a proposal for Global Privacy Platform that seems very likely to be ratified in 2022 and poised for adoption in 2023.
CPRA will take effect in California and VCDPA will take effect in Virginia on January 1, 2023, and IAB Tech Lab is only planning to provide new signals that support these regulations in GPP. This means that usprivacy as it’s currently implemented in Prebid Server will effectively be deprecated. I’m not sure what adoption of GPP will look like from CMPs, but Prebid Server likely needs to be ready so that all upstream ad tech participants can comply with the legislation.
The text was updated successfully, but these errors were encountered: