Skip to content

Latest commit

 

History

History
44 lines (30 loc) · 3.13 KB

gdpr.md

File metadata and controls

44 lines (30 loc) · 3.13 KB
Raw

GDPR Mechanics

Within the framework of GDPR, Prebid Server behaves like a data processor. Cookie syncs save the user ID for each Bidder in the cookie, and each Bidder's ID is sent back to that Bidder during the auction. Prebid Server does not use this ID for any other reason.

IDs during Auction

The /openrtb2/auction endpoint accepts user.regs.gdpr and user.consent fields, as recommended by the IAB.

IDs during Cookie Syncs

The POST /cookie_sync endpoint accepts gdpr and gdpr_consent properties in the request body.

If the Prebid Server host company does not have consent to read/write cookies, /cookie_sync will return an empty response with no syncs. Otherwise, it will return a response limited to syncs for Bidders that have consent to read/write cookies. This limitation is in place for performance reasons; it results in fewer syncs called on the page, and their sync endpoints will almost certainly read from the cookie anyway.

The /setuid endpoint accepts gdpr and gdpr_consent query params. This endpoint will no-op if the Prebid Server host company does not have consent to read/write cookies.

Handling the params

For all endpoints, gdpr should be 1 if GDPR is in effect, 0 if not, and omitted if the caller isn't sure. gdpr_consent should be an unpadded base64-URL encoded Vendor Consent String.

gdpr_consent is required if gdpr is 1 and ignored if gdpr is 0. If gdpr is omitted, the Prebid Server host company can decide whether it behaves like a 1 or 0 through the app configuration. Callers are encouraged to send the gdpr_consent param if gdpr is omitted.

Geo Location

As an additional option for determining whether a client falls under GDPR requirements or not, a geo location service can be used(enabled by default) to determine the country of incoming client request.

Prebid server provides a geo location service interface src/main/java/org/prebid/server/geolocation/GeoLocationService.java, which could be used by the host company to provide its own implementation, as well as a default implementation using MaxMind GeoLite2 Country database(available from https://www.maxmind.com and included in this product) and GeoIP2 Java API. The database file gets downloaded automatically from MaxMind web page during project packing by Maven Download Plugin.

Description of Geo location service configuration can be found here.