Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TCF Control Module: Clarification Needed on Consent Path Logic #12692

Closed
jonalu opened this issue Jan 27, 2025 · 5 comments
Closed

TCF Control Module: Clarification Needed on Consent Path Logic #12692

jonalu opened this issue Jan 27, 2025 · 5 comments

Comments

@jonalu
Copy link

jonalu commented Jan 27, 2025

I have encountered an issue in the TCF Control Module where the consent path for the purpose is hardcoded to false. This is defined as:

const CONSENT_PATHS = { purpose: false, feature: 'specialFeatureOptins' };

Problem:

Due to this hardcoding, the logic currently bypasses checking vendorData.purpose.consents. Instead, it is checking vendorData.publisher.consents. Consequently, the expected behavior for including the publisher-provided ID in bid requests does not function as intended under normal configurations.

Workaround:

To address this, I temporarily configured a vendor exception specifically for the 'storage' purpose in the Prebid configuration. The setup is as follows:

consentManagement: {
      strictStorageEnforcement: true,
      gdpr: {
        cmpApi: 'iab',
        defaultGdprScope: true,
        timeout: 10000,
        rules: [
          {
            purpose: 'storage',
            enforcePurpose: true,
            enforceVendor: true,
            vendorExceptions: ['pubProvidedId'], // <-- workaround
          }
     ]
}

As I am not 100% sure of what is the correct logic here, I am marking this issue as a question.
@dgirardi
Copy link
Collaborator

dgirardi commented Jan 27, 2025
edited
Loading

Related: #10622; same issue in #12373 and #11967

This is intended behavior, according to the IAB consent for the first party should be retrieved from publisher rather than vendor / purpose. My understanding is that the CMP should have some option to ask for publisher consent.

@dgirardi
Copy link
Collaborator

Keeping this open to track documentation improvements.

@dgirardi dgirardi moved this from Triage to Ready for Dev in Prebid.js Tactical Issues table Jan 27, 2025
@patmmccann
Copy link
Collaborator

patmmccann commented Jan 27, 2025
edited
Loading 

Due to this hardcoding, the logic currently bypasses checking vendorData.purpose.consents. Instead, it is checking vendorData.publisher.consents. Consequently, the expected behavior for including the publisher-provided ID in bid requests does not function as intended under normal configurations.

If the publisher does not have consent; it seems you are without any valid legal bases for processing publisher provided ids and the ids should be suppressed according to the TCF spec. Your workaround appears to put you and other implementors outside of IABE directives.

@patmmccann
Copy link
Collaborator

Potentially fixed by prebid/prebid.github.io#5833

@jonalu
Copy link
Author

jonalu commented Jan 28, 2025

Thanks for the feedback. I see now that you have informed of this change in the v9 release notes.

Of particular importance, “vendorless” modules such as the sharedid module no longer rely on vendor consent in the TCF object, but instead rely on publisher purpose consent. Publishers should check their __tcfapi consent data object to confirm publisher purpose consents are requested by their CMP.

@github-project-automation github-project-automation bot moved this from Ready for Dev to Done in Prebid.js Tactical Issues table Jan 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Prebid.js Tactical Issues table
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jonalu @patmmccann @dgirardi