US Privacy Consent Management Module
- Overview
- Page Integration
- Build the Package
- Adapter Integration
- Adapters Supporting US Privacy / CCPA
Overview
This consent management module is designed to support the California Consumer Privacy Act (CCPA). The IAB has generalized these guidelines to cover future regulations, referring to the feature as “US Privacy.”
This module works with supported Consent Management Platforms (CMPs) to fetch an encoded string representing the user’s consent choices and make it available for adapters to consume and process.
See also the Prebid Consent Management - GDPR Module for supporting the EU General Data Protection Regulation (GDPR)
Prebid functionality created to address regulatory requirements does not replace each party’s responsibility to determine its own legal obligations and comply with all applicable laws. We recommend consulting with your legal counsel before determining how to utilize these features in support of your overall privacy approach.
Here’s a summary of the interaction process:
- Fetch the user’s US Privacy (CCPA) consent data from the CMP.
- Incorporate this data into the auction objects for adapters to collect.
- Proceed with the auction.
In the the case of a new user, CMPs will generally respond only after there is consent information available (i.e., the user has made their consent choices). Making these selections can take some time for the average user, so the module provides timeout settings.
If the timeout period expires or an error from the CMP is thrown, the auction proceeds without the user’s consent information.
Page Integration
To utilize this module, a CMP compatible with the IAB 1.1 TCF spec needs to be implemented onthe site to interact with the user and obtain their consent choices.
Though implementation details for the CMP are not covered by Prebid.org, we do recommend to that you place the CMP code before the Prebid.js code in the head of the page in order to ensure the CMP’s framework is loaded before the Prebid code executes.
Once the CMP is implemented, simply include this module into your build and add a consentManagement object in the setConfig() call. Adapters that support this feature will then be able to retrieve the consent information and incorporate it in their requests.
Here are the parameters supported in the consentManagement object:
| Param | Type | Description | Example |
|---|---|---|---|
| usp | Object |
||
| usp.cmpApi | string |
The CMP interface that is in use. Supported values are ‘iab’ or ‘static’. Static allows integrations where IAB-formatted consent strings are provided in a non-standard way. Default is 'iab'. |
'iab' |
| usp.timeout | integer |
Length of time (in milliseconds) to allow the CMP to obtain the CCPA consent string. Default is 10000. |
10000 |
| usp.consentData | Object |
An object representing the CCPA consent data being passed directly; only used when cmpApi is ‘static’. Default is undefined. |
Examples
Example 1: Support both US Privacy and GDPR
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab',
allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
timeout: 3000 // GDPR timeout 3000ms
},
usp: {
timeout: 100 // US Privacy timeout 100ms
}
}
});
});Example 2: Support US Privacy
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'iab',
timeout: 100 // US Privacy timeout 100ms
}
}
});
});Example 3: Static CMP using custom data passing.
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'static',
consentData: {
getUSPData: {
uspString: '1YYY'
}
}
}
}
});
});Build the Package
Follow the basic build instructions in the GitHub Prebid.js repo’s main README. To include the consent management module, an additional option must be added to the the gulp build command:
gulp build --modules=consentManagementUsp,bidAdapter1,bidAdapter2Adapter Integration
If you are submitting changes to an adapter to support this approach, please also submit a PR to the docs repo to add the usp_supported: true variable to your respective page in the bidders directory. This will ensure that your adapter’s name will automatically appear on the list of adapters supporting US Privacy.
Bidder Adapter US Privacy Integration
To find the US Privacy/CCPA consent information to pass along to your system, adapters should look for the bidderRequest.uspConsent field in their buildRequests() method.
Below is a sample of how the data is structured in the bidderRequest object:
{
"bidderCode": "bidderA",
"auctionId": "e3a336ad-2222-4a1c-bbbb-ecc7c5554a34",
...
"uspConsent": "1YYY",
...
}UserSync Integration
The usPrivacy object is also available when registering userSync pixels.
The object can be accessed by including it as an argument in the getUserSyncs function:
getUserSyncs: function(syncOptions, responses, gdprConsent, usPrivacy) {
...
}Depending on your needs, you could include the consent information in a query of your pixel and/or, given the consent choices, determine if you should drop the pixels at all.