IntentIq ID & Analytics Modules: GDPR support and update documentation #12738
Conversation
…://github.com/DimaIntentIQ/Prebid.js into AGT-389-gdpr-in-modules-and-return-old-params
modules/intentIqIdSystem.md
Outdated
| | params.allowGDPR | Optional | Boolean | This flag determines whether the use of GDPR (General Data Protection Regulation) data is allowed. If set to true, the use of GDPR data will be allowed. The GDPR string can either be provided by the partner or taken from the framework. If set to false, the use of GDPR data will be prohibited. By default, it is set to true. | `true`| | ||
| | params.allowGPP | Optional | Boolean | This flag determines whether the use of USP (US Privacy) data is allowed. If set to true, the use of USP data will be allowed. If set to false, the use of USP data will be prohibited. By default, it is set to true. | `true`| | ||
| | params.allowUSP | Optional | Boolean | This flag determines whether the use of GPP (Global Privacy Platform) data is allowed. If set to true, the use of GPP data will be allowed. If set to false, the use of GPP data will be prohibited. By default, it is set to true. | `true`| | ||
| | params.providedGDPR | Optional | String | This parameter is used to provide the GDPR consent string by the partner. If providedGDPR is empty, the consent string will be taken from the framework. | `"provided_gdpr_string"`| |
There was a problem hiding this comment.
this is not allowed; you must take the string you get from the framework. If you want publishers to be able to override that and you think that is not currently possible, you need to propose a pr the framework, which will be heavily scrutinized given the subject matter
There was a problem hiding this comment.
Hi, in many cases, our partners can obtain the TCF string before configuring the settings. To avoid making an additional framework call, we provide them with the option to directly input this string in the configuration, allowing us to use it. However, since rules are rules, we will remove this option. Thanks.
There was a problem hiding this comment.
to be clear, what you are describing is prohibited as of https://www.dataprotectionauthority.be/citizen/iab-europe-held-responsible-for-a-mechanism-that-infringes-the-gdpr?utm_source=chatgpt.com for the same reason no one can use getTCData any longer. You have to hit the tcf api at event time, you can't refer to some old string. Prebid is keeping track of the current string using the evnet listeners.
modules/intentIqIdSystem.md
Outdated
| @@ -43,6 +43,12 @@ Please find below list of paramters that could be used in configuring Intent IQ | |||
| | params.browserBlackList | Optional | String | This is the name of a browser that can be added to a blacklist. | `"chrome"` | | |||
| | params.manualWinReportEnabled | Optional | Boolean | This variable determines whether the bidWon event is triggered automatically. If set to false, the event will occur automatically, and manual reporting with reportExternalWin will be disabled. If set to true, the event will not occur automatically, allowing manual reporting through reportExternalWin. The default value is false. | `true`| | |||
| | params.domainName | Optional | String | Specifies the domain of the page in which the IntentIQ object is currently running and serving the impression. This domain will be used later in the revenue reporting breakdown by domain. For example, cnn.com. It identifies the primary source of requests to the IntentIQ servers, even within nested web pages. | `"currentDomain.com"` | | |||
| | params.allowGDPR | Optional | Boolean | This flag determines whether the use of GDPR (General Data Protection Regulation) data is allowed. If set to true, the use of GDPR data will be allowed. The GDPR string can either be provided by the partner or taken from the framework. If set to false, the use of GDPR data will be prohibited. By default, it is set to true. | `true`| | |||
There was a problem hiding this comment.
the use of GDPR data will be allowed
it is not clear to me what GDPR data might be, does this mean the contents of the tcf consent string? This is the very thing the Belgian DPA seemed concerned about the potential for misuse of.
There was a problem hiding this comment.
This parameter instructs our submodule on whether to consider GDPR or not. In rare cases, when TCF API is present on a US page for US users, it can be ignored. We provide this option to our partners if they prefer to exclude it.
There was a problem hiding this comment.
. In rare cases, when TCF API is present on a US page for US users, it can be ignored.
No you cannot, what gave you that idea? You must follow the publishers instructions as expressed by the TCF API. This is not optional.
There was a problem hiding this comment.
We wanted to eliminate unnecessary delays and give our partners the option to support or not support GDPR when it is not relevant. Regardless, we have made the changes mentioned above. We kindly ask you to review our pull request again.
There was a problem hiding this comment.
If gdpr isn't relevant, the CMP will respond that gdpr does not apply. Your partners should fix their CMP if it isn't doing so quickly, not ignore its result in prebid
Prebid is not going to allow modules that bypass TCF and GPP protections. Please provide justification for what you're trying to do with this. If we believe there's merit, we will review it with Prebid legal counsel. |
|
@dmytro-po i hate to do this to you, but it seems you're a bit out of date since #12783 merged in. Tagging the author @dgirardi in case he has any quick pointers |
| import AES from 'crypto-js/aes.js'; | ||
| import Utf8 from 'crypto-js/enc-utf8.js'; | ||
| import {detectBrowser} from '../libraries/intentIqUtils/detectBrowserUtils.js'; | ||
| import {appendVrrefAndFui} from '../libraries/intentIqUtils/getRefferer.js'; | ||
| import {getGppValue} from '../libraries/intentIqUtils/getGppValue.js'; | ||
| import { getCmpData } from '../libraries/intentIqUtils/getCmpData.js'; |
There was a problem hiding this comment.
with #12783 you should have all this passed to this module without needing to import this, although, your analytics may still need it
There was a problem hiding this comment.
We tried passing consentData as the second parameter, but when simulating USP, GPP, and GDPR data, we only received an object with the tcString value inside consentString (There were no USP or GPP values).
That's why we decided to keep the logic in a separate utility using multiHandler().
If you don’t mind.
There was a problem hiding this comment.
okay no problem, but did you pull in master? because that just merged a couple days ago
| firstPartyData.gpp_string_value = cmpData.gpp; | ||
| firstPartyData.isOptedOut = false | ||
| firstPartyData.cttl = 0 | ||
| if (!firstPartyData.cttl || Date.now() - firstPartyData.date > firstPartyData.cttl || !isCMPStringTheSame(firstPartyData, cmpData)) { |
There was a problem hiding this comment.
why wouldnt they be the same? Stop trying to get two strings and compare them. You must use the string the module gives you.
There was a problem hiding this comment.
We compare the values to avoid unnecessarily overwriting localStorage.
And we are using the strings that the module provided to us.
There was a problem hiding this comment.
why are you writing or accessing a string in local storage?
Stop trying to use / write / read any other consent string.
There was a problem hiding this comment.
We store the consent string to check if the user's agreements have changed.
Opt-in or opt-out is determined by our server.
If even one character in the consent string is changed, we can no longer be certain whether the user is opted in or opted out, so we make a request to the server to determine it. The server then decides whether to provide the ID or not.
This is the reason why we store the consent string on the device – to know in the next session whether we need to make a request to the server or not.
We are also aware that you store the consent string value as _cmpRepromptHash, but it doesn't work for us because it is not the same as the value returned by multiHandler() (Attached below is a screenshot comparing the strings)
In other words, we read the consent string every time.
If nothing has changed, we do not make a request to the server and follow the opt-in or opt-out status that the server returned last time.
If anything in the current string value has changed, we update the new value in localStorage and make a request to the server.
This approach helps us avoid unnecessary server requests if the consent string hasn't changed.
|
Hi, I see your requst for review but you have merge conflicts to sort out |
| (cmpData.gppString ? '&gpp=' + encodeURIComponent(cmpData.gppString) : '') + | ||
| (cmpData.gdprString | ||
| ? '&gdpr_consent=' + encodeURIComponent(cmpData.gdprString) + '&gdpr=1' | ||
| : '&gdpr=0'); |
There was a problem hiding this comment.
this is a mistake; you cannot assume gdpr does not apply because the string does not exist; you have to look at gdprApplies independently
There was a problem hiding this comment.
see #7775 for more details
There was a problem hiding this comment.
Now using gdprApplies. Thank you
| firstPartyData.gpp_string_value = cmpData.gpp; | ||
| firstPartyData.isOptedOut = false | ||
| firstPartyData.cttl = 0 | ||
| if (!firstPartyData.cttl || Date.now() - firstPartyData.date > firstPartyData.cttl || !isCMPStringTheSame(firstPartyData, cmpData)) { |
There was a problem hiding this comment.
why are you writing or accessing a string in local storage?
Stop trying to use / write / read any other consent string.
|
I think the issue here might be confusion around the responsiblities of the submodule and the parent module. The parent module is responsible for detecting consent changes and refreshing the ids if necessary #10286 . If you don't like how that is done, it should be changes to the parent module that you propose, not your own. |
|
Thanks for the bearing with us here, merging |
prebid#12738) * AGT-389: CMP data to module * AGT-389: Analytics refactoring and changes after PR review * AGT-389: Parameters description, some edits * AGT-389: CMP data tests * AGT-389: Tests fix, export fpd * AGT-389: Fix uh parameter encoding * AGT-389: Refactoring, test for new user * fix linter * AGT-389: Minor fixes * AGT-389: Fix getIntentIqConfig method * AGT-389: Gdpr detected tests, fix gdpr requests addresses * AGT-389: Removed functionality partner to provide cmp data * AGT-389: Clear extra comments, fix test * AGT-389: Removed allow optons for cmpData * AFT-399: Change getCmpData * AFT-399: Change comment * AFT-399: Delete comment * gdprApplies, refactoring, fix tests * AGT-389: Refactoring storageUtils * AGT-389: Change version --------- Co-authored-by: DimaIntentIQ <dmytro.piskun@intentiq.com>
Description of change
Updated CMP data processing. Added support for GDPR.