This consent management module is designed to support the California Consumer Privacy Act (CCPA). The IAB has generalized these guidelines to cover future regulations, referring to the feature as “US Privacy.”
This module works with an IAB-compatible US Privacy API (USP-API) to fetch an encoded string representing the user’s notice and opt-out choices and make it available for adapters to consume and process.
See also the Prebid Consent Management - GDPR Module for supporting the EU General Data Protection Regulation (GDPR)
Here’s a summary of the interaction process:
In the the case of a new user, the USP-API will generally respond only after there is notice and opt-out status information available (i.e., the user has made their choices). Making these selections can take some time for the average user, so the module provides timeout settings.
If the timeout period expires or an error from the USP-API is thrown, the auction proceeds without the user’s notice and opt-out status information.
To utilize this module, software that provides the USP-API must to be implemented on the site to interact with the user and obtain their notice and opt-out status.
Though implementation details for the USP-API are not covered by Prebid.org, we do recommend to that you place the code before the Prebid.js code in the head of the page in order to ensure the framework is loaded before the Prebid code executes.
Once the USP-API is implemented, simply include this module into your build and add a consentManagement object in the setConfig() call. Adapters that support this feature will then be able to retrieve the notice and opt-out status information and incorporate it in their requests.
Here are the parameters supported in the consentManagement object:
| Param | Type | Description | Example |
|---|---|---|---|
| usp | Object |
||
| usp.cmpApi | string |
The USP-API interface that is in use. Supported values are ‘iab’ or ‘static’. Static allows integrations where IAB-formatted strings are provided in a non-standard way. Default is 'iab'. |
'iab' |
| usp.timeout | integer |
Length of time (in milliseconds) to allow the USP-API to obtain the CCPA string. Default is 10000. |
10000 |
| usp.consentData | Object |
An object representing the CCPA notice and opt-out status data being passed directly; only used when cmpApi is ‘static’. Default is undefined. |
Note that the term ‘CMP’ (Consent Management Platform) was chosen in Prebid to keep the interface similar to the GDPR implementation, though US-Privacy doesn’t specifically use that term.
Example 1: Support both US Privacy and GDPR
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab',
allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
timeout: 3000 // GDPR timeout 3000ms
},
usp: {
timeout: 100 // US Privacy timeout 100ms
}
}
});
});Example 2: Support US Privacy
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'iab',
timeout: 100 // US Privacy timeout 100ms
}
}
});
});Example 3: Static CMP using custom data passing.
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'static',
consentData: {
getUSPData: {
uspString: '1YYY'
}
}
}
}
});
});Follow the basic build instructions in the GitHub Prebid.js repo’s main README. To include the consent management module, an additional option must be added to the the gulp build command:
gulp build --modules=consentManagementUsp,bidAdapter1,bidAdapter2If you are submitting changes to an adapter to support this approach, please also submit a PR to the docs repo to add the usp_supported: true variable to your respective page in the bidders directory. This will ensure that your adapter’s name will automatically appear on the list of adapters supporting US Privacy.
To find the US Privacy/CCPA notice and opt-out status information to pass along to your system, adapters should look for the bidderRequest.uspConsent field in their buildRequests() method.
Below is a sample of how the data is structured in the bidderRequest object:
{
"bidderCode": "bidderA",
"auctionId": "e3a336ad-2222-4a1c-bbbb-ecc7c5554a34",
...
"uspConsent": "1YYY",
...
}The usPrivacy object is also available when registering userSync pixels.
The object can be accessed by including it as an argument in the getUserSyncs function:
getUserSyncs: function(syncOptions, responses, gdprConsent, usPrivacy) {
...
}Depending on your needs, you could include the US-Privacy information in a query of your pixel and/or, given the notice and opt-out status choices, determine if you should drop the pixels at all.