This module requires the EU GDPR consent management module (the base consent module), which reads consent values from the Consent Management Platform (CMP). The GDPR Enforcement Module will then enforce the results. See the base module page for general background, usage, and legal disclaimers.
The base consent module performs the following actions:
The GDPR Enforcement Module adds the following:
The following table details the Prebid.js activities that fall under the Transparency and Consent Framework (TCF) scope:
| In-Scope Activity | TCF Legal Basis Required | Enforcement Activity | Prebid.js Version |
|---|---|---|---|
| Invoke usersync pixels | Purpose 1 - Store and/or access information on a device | May prevent one or more vendor usersyncs. | 3.14+ |
| Invoke user ID modules | Purpose 1 - Store and/or access information on a device | May prevent one or more UserID modules from activating. | 3.14+ |
| Read and write data to device | Purpose 1 - Store and/or access information on a device | May prevent one or more adapters or modules from being able to read or write cookies or localstorage in the user’s browser. | 3.14+ |
| Perform header bidding auction | Purpose 2 - Basic ads | May prevent one or more bid adapters from participating in the auction. | 4.0+ |
| Invoke analytics adapters | Purpose 7 - Measurement | May prevent one or more analytics adapters from participating in the auction. | 4.x+ |
A page needs to define configuration rules about how Prebid.js should enforce each in-scope activity.
Important Legal Note: Prebid.org cannot provide legal advice about GDPR or any other governmental regulation. Our aim is to provide a toolkit of functionality that will let publishers configure header bidding as defined by their legal counsel. We will consider feature suggestions, and review any code offered by the community.
To turn on Prebid.js enforcement you must:
1) Include the gdprEnforcement module in the Prebid.js build
and 2) setConfig consentManagement.gdpr.cmp to either ‘iab’ or ‘static’
The following fields related to GDPR enforcement are supported in the consentManagement.gdpr object:
| Param | Type | Description | Example |
|---|---|---|---|
| gdpr.rules | Array of Objects |
Lets the publisher override the default behavior. | |
| gdpr.rules[].purpose | String |
Supported values: “storage” (Purpose 1), “basicAds” (Purpose 2), “measurement” (Purpose 7) | “storage” |
| gdpr.rules[].enforcePurpose | Boolean |
Determines whether to enforce the purpose consent. The default in Prebid.js 3.x is not to enforce purposes. Prebid.js 4.0 enforces legal basis for Purposes 1 and 2 by default. | true |
| gdpr.rules[].enforceVendor | Boolean |
Determines whether to enforce vendor signals for this purpose. The default in Prebid.js 3.x is not to enforce vendor signals. Prebid.js 4.0 enforces legal basis for Purposes 1 and 2 by default. | true |
| gdpr.rules[].vendorExceptions | Array of Strings |
Defines a list of biddercodes or module names that are exempt from the enforcement of this Purpose. | [“bidderA”, “userID-module-B”] |
Notes:
pbjs.setConfig({
gvlMapping: {
bidderA: 12345,
bidderB: 67890
}
});
The following examples cover a range of use cases and show how Prebid.js supports configuration of different business rules.
1) Enforce device access activity and basic ads. These are the default values (in Prebid.js 4.0) if the module is included in the build.
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab', // activates the enforcement module
defaultGdprScope: true,
rules: [{ // these are the default values
purpose: "storage",
enforcePurpose: true,
enforceVendor: true
},{
purpose: "basicAds",
enforcePurpose: true,
enforceVendor: true
},{
purpose: "measurement",
enforcePurpose: true,
enforceVendor: true
}]
}
}
});
2) Enforce that the user consents to DeviceAccess as an activity and consider their per-vendor selection. However, idSystemA is a special case - the publisher has confirmed that this system obtains a user ID every auction and does not write to the local device.
...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: true,
vendorExceptions: ["idSystemA"]
}]
3) Enforce legal basis for both storage and basicAds, with the exception of “firstPartyBidder”, which is always allowed to run an auction. Assumes the publisher has special legal basis for this entity.
...
rules: [{
purpose: "storage",
enforcePurpose: true,
enforceVendor: true
},{
purpose: "basicAds",
enforcePurpose: true,
enforceVendor: true,
vendorExceptions: ["firstPartyBidder"]
}]
4) Turn off enforcement of Purpose 1: don’t enforce either the user’s DeviceAccess consent or their per-vendor selection.
...
rules: [{
purpose: "storage",
enforcePurpose: false,
enforceVendor: false
}]
5) Allow the user to suppress analtyics provider A, but make an exception for analytics provider B.
...
rules: [{
purpose: "measurement",
enforcePurpose: true,
enforceVendor: true,
vendorExceptions: ["analyticsB"]
}]
Prebid.js does not have access to the Global Vendor List (GVL), so it implements a “basic” form of TCF ‘legal basis’ validation using the supplied consent string.
A goal of basic enforcement is to confirm that there’s enough evidence of consent to pass data on to vendors who do have access to the GVL and can fully parse and enforce.
Before allowing an activity tied to a TCF-protected Purpose for a given vendor, one of these scenarios must be true:
See the IAB TCF Consent String Format for details.
The GDPR Enforcement module requires the GVL ID for a module to be specified. If no GVL ID is found the module will be blocked by default unless it is specifically listed under vendorExceptions. The following modules have listed their GVL IDs.
| Module Type | Module |
|---|---|
| Bid Adapter | 33Across |
| Bid Adapter | Aardvark |
| Bid Adapter | Adagio |
| Bid Adapter | AdDefend |
| Bid Adapter | AdformOpenRTB |
| Bid Adapter | Adform |
| Bid Adapter | Adhese |
| Bid Adapter | AdKernel |
| Bid Adapter | AdKernelAdn |
| Bid Adapter | AdMixer |
| Bid Adapter | Adnuntius |
| Bid Adapter | Adot |
| Bid Adapter | Adpone |
| Bid Adapter | Adquery |
| Bid Adapter | Adrino |
| Bid Adapter | Adtelligent |
| Bid Adapter | AdUp Technology |
| Bid Adapter | AdView |
| Bid Adapter | Adyoulike |
| Bid Adapter | AMX RTB |
| Bid Adapter | ANIVIEW |
| Bid Adapter | AOL |
| Bid Adapter | AppNexus |
| Bid Adapter | AP Stream |
| Bid Adapter | Axonix |
| Bid Adapter | Beachfront |
| Bid Adapter | Beintoo |
| Bid Adapter | Between |
| Bid Adapter | Bidmachine |
| Bid Adapter | BigRichMedia |
| Bid Adapter | Compass |
| Bid Adapter | ConnectAd |
| Bid Adapter | Consumable |
| Bid Adapter | Converge-Digital |
| Bid Adapter | Conversant |
| Bid Adapter | Criteo |
| Bid Adapter | Deepintent |
| Bid Adapter | Delta Projects |
| Bid Adapter | Displayio |
| Bid Adapter | DistrictM |
| Bid Adapter | DistrictM DMX |
| Bid Adapter | Duration Media |
| Bid Adapter | E-volution tech |
| Bid Adapter | EMX Digital |
| Bid Adapter | E-Planning |
| Bid Adapter | Epom |
| Bid Adapter | Etarget |
| Bid Adapter | FeedAd |
| Bid Adapter | Fidelity Media |
| Bid Adapter | FutureAds |
| Bid Adapter | Gamoshi |
| Bid Adapter | Glimpse Protocol |
| Bid Adapter | GroupM |
| Bid Adapter | HuaweiAds |
| Bid Adapter | Impactify |
| Bid Adapter | Improve Digital |
| Bid Adapter | InMobi |
| Bid Adapter | Insticator |
| Bid Adapter | Index Exchange |
| Bid Adapter | Kargo |
| Bid Adapter | Kubient |
| Bid Adapter | Lifestreet |
| Bid Adapter | Livewrapped |
| Bid Adapter | Madvertise |
| Bid Adapter | Marsmedia |
| Bid Adapter | Mediakeys |
| Bid Adapter | Media.net |
| Bid Adapter | Mgid |
| Bid Adapter | MinuteMedia |
| Bid Adapter | Missena |
| Bid Adapter | Mobfox_PB |
| Bid Adapter | Nano Interactive |
| Bid Adapter | Nativo |
| Bid Adapter | Nobid |
| Bid Adapter | ogury |
| Bid Adapter | OneTag |
| Bid Adapter | OpenWeb |
| Bid Adapter | OpenX |
| Bid Adapter | OpenX Outstream |
| Bid Adapter | OperaAds |
| Bid Adapter | Opt Out Advertising |
| Bid Adapter | Outbrain |
| Bid Adapter | Outbrain - Old |
| Bid Adapter | Ozone Project |
| Bid Adapter | PubMatic |
| Bid Adapter | PulsePoint |
| Bid Adapter | PubWise |
| Bid Adapter | Rads |
| Bid Adapter | Readpeak |
| Bid Adapter | RevContent |
| Bid Adapter | RhythmOne |
| Bid Adapter | Rich Audience |
| Bid Adapter | Rise |
| Bid Adapter | Roundel |
| Bid Adapter | Rubicon Project |
| Bid Adapter | SA Lunamedia |
| Bid Adapter | seedtag |
| Bid Adapter | Slimcut |
| Bid Adapter | Smaato |
| Bid Adapter | Smile Wanted |
| Bid Adapter | Sortable |
| Bid Adapter | Sovrn |
| Bid Adapter | SpotX |
| Bid Adapter | sspBC |
| Bid Adapter | StroeerCore |
| Bid Adapter | Sublime |
| Bid Adapter | tappx |
| Bid Adapter | Teads |
| Bid Adapter | Telaria |
| Bid Adapter | TripleLift |
| Bid Adapter | TripleLift Native |
| Bid Adapter | The Trade Desk |
| Bid Adapter | ucfunnel |
| Bid Adapter | Unruly |
| Bid Adapter | VerizonMedia |
| Bid Adapter | Vibrant Media |
| Bid Adapter | Vidoomy |
| Bid Adapter | Viewdeos Server |
| Bid Adapter | ViewdeosDX Client |
| Bid Adapter | YOC VIS.X |
| Bid Adapter | VRTCAL Markets, Inc. |
| Bid Adapter | Yahoo SSP |
| Bid Adapter | Zeta Global |
| Bid Adapter | Zeta Global Ssp |
| Analytics Adapter | AppNexus |
| User ID | ID5 |
| User ID | Lotame Panorama Id |
| User ID | Parrable ID |
Follow the basic build instructions in the GitHub Prebid.js repo’s main README. Include the base consent management module and this enforcement module as additional options on the gulp build command:
gulp build --modules=consentManagement,gdprEnforcement,bidAdapter1,bidAdapter2You can also use the Prebid.js Download page.