GDPR Mechanics

Within the framework of GDPR, Prebid Server behaves like a data processor. Cookie syncs save the user ID for each Bidder in the cookie, and each Bidder’s ID is sent back to that Bidder during the auction. Prebid Server does not use this ID for any other reason.

IDs during Auction

The /openrtb2/auction endpoint accepts user.regs.gdpr and user.ext.consent fields, as recommended by the IAB.

The POST /cookie_sync endpoint accepts gdpr and gdpr_consent properties in the request body.

If the Prebid Server host company does not have consent to read/write cookies, /cookie_sync will return an empty response with no syncs. Otherwise, it will return a response limited to syncs for Bidders that have consent to read/write cookies. This limitation is in place for performance reasons: it results in fewer sync calls on the page, and those Bidders' sync endpoints would almost certainly read from the cookie anyway.

The /setuid endpoint accepts gdpr and gdpr_consent query params. This endpoint will no-op if the Prebid Server host company does not have consent to read/write cookies.

Handling the params

For all endpoints, gdpr should be 1 if GDPR is in effect, 0 if not, and omitted if the caller isn’t sure. gdpr_consent should be an unpadded base64-URL encoded Vendor Consent String.

gdpr_consent is required if gdpr is 1 and ignored if gdpr is 0. If gdpr is omitted, the Prebid Server host company can decide whether it behaves like a 1 or 0 through the app configuration. Callers are encouraged to send the gdpr_consent param if gdpr is omitted.
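The parameter rules above, worked through as an added Go example (not Prebid Server's own code): ResolveGDPR, GDPRDecision and hostDefaultInScope are assumed names, the host-company default is passed in rather than read from app configuration, and the consent value is only checked to be unpadded base64-URL, not parsed as a Vendor Consent String.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// GDPRDecision is the resolved outcome for one request (assumed type, not from Prebid Server).
type GDPRDecision struct {
	InScope bool   // GDPR is in effect for this request
	Consent string // consent string to hand to the vendor-consent parser; empty when not in scope
}

// ResolveGDPR applies the rules: gdpr is "1", "0" or omitted (""); gdpr_consent is required
// when GDPR is in effect and ignored when it is not; when gdpr is omitted, the host company's
// configured default (hostDefaultInScope) decides whether the request behaves like a 1 or a 0.
func ResolveGDPR(gdpr, gdprConsent string, hostDefaultInScope bool) (GDPRDecision, error) {
	var inScope bool
	switch gdpr {
	case "1":
		inScope = true
	case "0":
		inScope = false // gdpr_consent is ignored, even if present
	case "":
		inScope = hostDefaultInScope
	default:
		return GDPRDecision{}, fmt.Errorf("gdpr must be 1, 0 or omitted; got %q", gdpr)
	}
	if !inScope {
		return GDPRDecision{InScope: false}, nil
	}
	if gdprConsent == "" {
		return GDPRDecision{}, errors.New("gdpr_consent is required when GDPR is in effect")
	}
	// Unpadded base64-URL: no '=' padding and no standard-alphabet '+' or '/' characters.
	if strings.ContainsAny(gdprConsent, "=+/") {
		return GDPRDecision{}, errors.New("gdpr_consent must be unpadded base64-URL encoded")
	}
	if _, err := base64.RawURLEncoding.DecodeString(gdprConsent); err != nil {
		return GDPRDecision{}, fmt.Errorf("gdpr_consent is not valid base64-URL: %w", err)
	}
	return GDPRDecision{InScope: true, Consent: gdprConsent}, nil
}

func main() {
	// Constructed sample value, not a real Vendor Consent String.
	d, err := ResolveGDPR("1", "Y29uc3RydWN0ZWQtY29uc2VudA", false)
	fmt.Println(d, err)
}
```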