This module requires the EU GDPR consent management module (the base consent module), which reads consent values from the Consent Management Platform (CMP). The GDPR Enforcement Module will then enforce the results. See the base module page for general background, usage, and legal disclaimers.
The base consent module performs the following actions:
The GDPR Enforcement Module adds the following:
The following table details the Prebid.js activities that fall under the Transparency and Consent Framework (TCF) scope:
In-Scope Activity | TCF Legal Basis Required | Enforcement Activity | Prebid.js Version |
---|---|---|---|
Invoke usersync pixels | Purpose 1 - Store and/or access information on a device | May prevent one or more vendor usersyncs. | 3.14+ |
Invoke user ID modules | Purpose 1 - Store and/or access information on a device | May prevent one or more UserID modules from activating. | 3.14+ |
Read and write data to device | Purpose 1 - Store and/or access information on a device | May prevent one or more adapters or modules from being able to read or write cookies or localstorage in the user’s browser. | 3.14+ |
Perform header bidding auction | Purpose 2 - Basic ads | May prevent one or more bid adapters from participating in the auction. | 4.0+ |
Invoke analytics adapters | Purpose 7 - Measurement | May prevent one or more analytics adapters from participating in the auction. | 4.x+ |
A page needs to define configuration rules about how Prebid.js should enforce each in-scope activity.
Important Legal Note: Prebid.org cannot provide legal advice about GDPR or any other governmental regulation. Our aim is to provide a toolkit of functionality that will let publishers configure header bidding as defined by their legal counsel. We will consider feature suggestions, and review any code offered by the community.
To turn on Prebid.js enforcement you must:
1) Include the gdprEnforcement module in the Prebid.js build, and
2) setConfig consentManagement.gdpr.cmpApi to either ‘iab’ or ‘static’.
The following fields related to GDPR enforcement are supported in the consentManagement object:
Param | Type | Description | Example |
---|---|---|---|
gdpr.rules | Array of Objects | Lets the publisher override the default behavior. | |
gdpr.rules[].purpose | String | Supported values: "storage" (Purpose 1), "basicAds" (Purpose 2), "measurement" (Purpose 7) | "storage" |
gdpr.rules[].enforcePurpose | Boolean | Determines whether to enforce the purpose consent. The default in Prebid.js 3.x is not to enforce purposes. Prebid.js 4.0 enforces legal basis for Purposes 1 and 2 by default. | true |
gdpr.rules[].enforceVendor | Boolean | Determines whether to enforce vendor signals for this purpose. The default in Prebid.js 3.x is not to enforce vendor signals. Prebid.js 4.0 enforces legal basis for Purposes 1 and 2 by default. | true |
gdpr.rules[].vendorExceptions | Array of Strings | Defines a list of biddercodes or module names that are exempt from the enforcement of this Purpose. | ["bidderA", "userID-module-B"] |
strictStorageEnforcement | Boolean | If false (the default), allows some use of storage regardless of purpose 1 consent - see note below | true |
Notes:
If strictStorageEnforcement is true, purpose 1 consent will always be enforced for any access to storage.

```javascript
// gvlMapping: bidder code -> Global Vendor List (GVL) vendor ID
pbjs.setConfig({
    gvlMapping: {
        bidderA: 12345,
        bidderB: 67890
    }
});
```
The following examples cover a range of use cases and show how Prebid.js supports configuration of different business rules.
1) Enforce device access activity and basic ads. These are the default values (in Prebid.js 4.0) if the module is included in the build.
```javascript
pbjs.setConfig({
    consentManagement: {
        gdpr: {
            cmpApi: 'iab',   // activates the enforcement module
            defaultGdprScope: true,
            rules: [{        // these are the default values
                purpose: "storage",
                enforcePurpose: true,
                enforceVendor: true
            },{
                purpose: "basicAds",
                enforcePurpose: true,
                enforceVendor: true
            },{
                purpose: "measurement",
                enforcePurpose: true,
                enforceVendor: true
            }]
        }
    }
});
```
2) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection. However, idSystemA is a special case - the publisher has confirmed that this system obtains a user ID every auction and does not write to the local device.
```javascript
...
rules: [{
    purpose: "storage",
    enforcePurpose: true,
    enforceVendor: true,
    vendorExceptions: ["idSystemA"]
}]
```
3) Enforce legal basis for both storage and basicAds, with the exception of “firstPartyBidder”, which is always allowed to run an auction. Assumes the publisher has special legal basis for this entity.
```javascript
...
rules: [{
    purpose: "storage",
    enforcePurpose: true,
    enforceVendor: true
},{
    purpose: "basicAds",
    enforcePurpose: true,
    enforceVendor: true,
    vendorExceptions: ["firstPartyBidder"]
}]
```
4) Turn off enforcement of Purpose 1: don’t enforce either the user’s DeviceAccess consent or their per-vendor selection.
```javascript
...
rules: [{
    purpose: "storage",
    enforcePurpose: false,
    enforceVendor: false
}]
```
5) Allow the user to suppress analytics provider A, but make an exception for analytics provider B.
```javascript
...
rules: [{
    purpose: "measurement",
    enforcePurpose: true,
    enforceVendor: true,
    vendorExceptions: ["analyticsB"]
}]
```
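A publisher-side review check for the rules above, as an added example that is not part of the Prebid.js documentation or code base: it lists every setting in a consentManagement object that relaxes enforcement relative to the all-true rules of example 1. The function name `auditGdprEnforcement` and the sample config are constructed for illustration.

```javascript
// Added example: list settings that relax GDPR enforcement in a Prebid.js config.
const PURPOSES = ["storage", "basicAds", "measurement"]; // values from the table above

function auditGdprEnforcement(consentManagement) {
  const cm = consentManagement || {};
  const gdpr = cm.gdpr || {};
  const findings = [];

  // Per the page, enforcement is turned on only with cmpApi 'iab' or 'static'.
  if (gdpr.cmpApi !== "iab" && gdpr.cmpApi !== "static") {
    findings.push("gdpr.cmpApi is not 'iab' or 'static': enforcement is not turned on");
  }
  // false is the default and allows some storage use regardless of Purpose 1 consent.
  if (cm.strictStorageEnforcement !== true) {
    findings.push("strictStorageEnforcement is not true: some storage use ignores Purpose 1 consent");
  }

  const seen = new Set();
  for (const rule of gdpr.rules || []) {
    if (!PURPOSES.includes(rule.purpose)) {
      findings.push(`unsupported purpose value: ${JSON.stringify(rule.purpose)}`);
      continue;
    }
    seen.add(rule.purpose);
    if (rule.enforcePurpose === false) findings.push(`${rule.purpose}: purpose consent is not enforced`);
    if (rule.enforceVendor === false) findings.push(`${rule.purpose}: vendor signals are not enforced`);
    for (const name of rule.vendorExceptions || []) {
      findings.push(`${rule.purpose}: "${name}" is exempt from enforcement`);
    }
  }
  // Defaults differ between Prebid.js 3.x and 4.0, so an omitted rule is version-dependent.
  for (const purpose of PURPOSES) {
    if (!seen.has(purpose)) findings.push(`${purpose}: no explicit rule, version default applies`);
  }
  return findings;
}

// Constructed sample: storage rule of example 4 plus basicAds rule of example 3.
const sampleConfig = {
  gdpr: {
    cmpApi: "iab",
    rules: [
      { purpose: "storage", enforcePurpose: false, enforceVendor: false },
      { purpose: "basicAds", enforcePurpose: true, enforceVendor: true, vendorExceptions: ["firstPartyBidder"] }
    ]
  }
};
console.log(auditGdprEnforcement(sampleConfig).join("\n"));
```

Each finding is something to confirm with legal counsel before release, not necessarily a defect; rules with omitted fields are not flagged because the effective value then depends on the Prebid.js version.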
Prebid.js does not have access to the Global Vendor List (GVL), so it implements a “basic” form of TCF ‘legal basis’ validation using the supplied consent string.
A goal of basic enforcement is to confirm that there’s enough evidence of consent to pass data on to vendors who do have access to the GVL and can fully parse and enforce.
Before allowing an activity tied to a TCF-protected Purpose for a given vendor, one of these scenarios must be true:
See the IAB TCF Consent String Format for details.
Follow the basic build instructions in the GitHub Prebid.js repo’s main README. Include the base consent management module and this enforcement module as additional options on the gulp build command:
You can also use the Prebid.js Download page.