Prebid Multi-State Privacy Agreement Support

Overview
- Glossary
- Assumptions
USNat Support in Prebid Products
Interpreting USNat Strings
Related Topics

Important: This resource should not be construed as legal advice and Prebid.org makes no guarantees about compliance with any law or regulation. Please note that because every company and its collection, use, and storage of personal data is different, you should seek independent legal advice relating to obligations under your regional regulations, including the GDPR, the ePrivacy Directive and individual country/province/state laws. Only a lawyer can provide you with legal advice specifically tailored to your situation. Nothing in this guide is intended to provide you with, or should be used as a substitute for, legal advice tailored to your business.

Overview

Starting July 1st 2023, several US states started enforcing new privacy regulations.

The IAB released the “Multi-State Privacy Agreement” (MSPA) as its proposal for how the advertising ecosystem can support these and future US State regulations. References:

Glossary

Global Privacy Platform (GPP) - A technical IAB framework that defines a container format for communicating multiple privacy protocols. e.g. GPP can contain existing Transparency and Consent Framework (TCF) strings, various US privacy string formats, and other future implementations.
GPP Section ID (SID) - the GPP container may contain multiple encoded privacy protocol strings. Each protocol gets its own SID in the overall GPP container. e.g. TCF-EU is assigned SID 2.
Multi-State Privacy Agreement (MSPA) - the IAB’s contractual framework for publishers to manage various US state privacy laws.
MSPA Covered Transaction - Whether a given ad auction falls legally under the MSPA’s privacy requirements. For MSPA-covered ‘transactions’ (ad auctions), publishers must declare themselves in one of two modes: “Service Provider Mode” or “Opt-Out Mode”.
MSPA Service Provider Mode - “Service Provider Mode is for First Parties who do not Sell or Share Personal Information, and do not Process Personal Information for Targeted Advertising”. This means that personal information is never sent to downstream entities.
MSPA Opt-Out Mode - For First Parties that may engage in targeted advertising activities or disclose personal information for such purposes. This means that user consent is gathered before privacy-sensitive data is sent to downstream entities.
US National Privacy Technical Specification (USNat) - the IAB’s technical framework for encoding MSPA publisher policies and user consents. Stored in the GPP container as SID 7.
US State Privacy Technical Specifications - the IAB has defined technical frameworks for 5 states based on their interpretation of state privacy laws. These protocols are similar to the US National protocol and are stored in the GPP container as SIDs 8 through 12.
Global Privacy Control (GPC) - a browser-level control for end users. Some US states have referred to a global control so that users don’t have to state their preferences on each website they visit. The USNat protocol strings also contain the GPC flag.
US Privacy - this is the IAB’s original version of a US privacy protocol, meant to address CCPA only. It’s active during a transition period until September 30, 2023.
Prebid Activity Controls - Prebid.js and Prebid Server have identified a set of behaviors for activities that may be in scope for privacy concerns such as transmitting user IDs. These activities may be allowed or suppressed with flexible conditions and exceptions as defined by the publisher.
- Prebid.js Activity Controls were released with PBJS 7.52
- Prebid Server Activity Controls were released with PBS-Java 1.118

Assumptions

Prebid.org cannot advise publishers on how to conform to privacy laws that affect their business. Instead, publishers should be aware of what privacy-related features Prebid supports so that their legal, product, and engineering teams can define a privacy implementation.

Prebid’s assumptions about the MSPA and the US National Privacy specification:

Most Publishers will initially declare ad units in their CMP as “Not covered by MSPA.” (MspaCoveredTransaction=2) This is because many major SSPs, DSPs, and Ad Servers have not signed the MSPA and some of these parties are dropping MSPA-covered transactions.
- At some point in the future when more major players have signed the MSPA, the Prebid community and legal counsel will re-evaluate the state of the industry.
For requests that are in-scope for SIDs 7 through 12 that are not “covered” by MSPA, Prebid treats them as being in “Opt-Out Mode”. This implies that CMPs have prompted users for consent and encoded the results in the relevant section of the GPP container.
Prebid never changes the GPP string. This means that all downstream vendors will see whatever the CMP set.
Prebid has implemented a default way to interpret the US National string (SID 7) in the context of each Prebid Activity.
US state privacy rules do not mandate the cancellation of contextual advertising, but rather are focused on protecting user privacy. Therefore, Prebid’s MSPA module may anonymize different aspects of a header bidding auction, but will never outright cancel an auction.
There are differences in the US state-level protocols and the US National protocol as defined by the IAB. (e.g. child consent for targeted advertising is somewhat different across SIDs 7 through 12.)
Rather than implementing several very similar modules and forcing publishers to include separate modules for each US state, Prebid handles state differences through a normalization process. The differences for each state are mapped onto the US National (SID 7) string, and that string is interpreted for which activities are allowed or suppressed. As with the rest of Prebid’s approach, this is a default intended to ease publishers’ ability to comply with the state laws, but publishers should make their own determinations about state law obligations and consult legal counsel to ensure that they feel comfortable that this approach allows them to meet their legal obligations.
Publishers that do not agree with Prebid’s default behavior may override the behavior. This includes the interpretation of the USNat string as well as the normalization of state protocols.
The Global Privacy Control (GPC) flag is interpreted as a strong user signal that ad requests should be anonymized.
There’s no need to support a data-deletion activity for MSPA.
Prebid doesn’t need to explicitly support mapping US National Privacy SID 6 (legacy US Privacy) for anonymization activities. This is covered by a feature on Prebid Server where SID 6 is pulled out into regs.us_privacy and is covered by documentation in Prebid.js.

USNat Support in Prebid Products

Prebid.js

Here’s a summary of the privacy features in Prebid.js that publishers may use to align with the guidance of their legal counsel:

Prebid.js Version	USNat-Related Features	Notes
before 7.30	None	If you operate in the US, you should consider upgrading.
7.30-7.51	GPP module	The GPP module reads the GPP string from a compliant CMP and passes to compliant bid adapters. Not many bid adapters supported GPP in earlier versions.
7.52-8.1	GPP module Activity Controls	Activity Controls provide the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules. See examples in that document for supporting CCPA directly.
8.2-8.x	GPP module Activity Controls USNat module	The USNat module processes SID 7.
After 8.x	GPP module Activity Controls USNat module US State module	The US State module processes SIDs 8 through 12 after normalizing protocol differences.
After 8.10	GPP Module	The GPP module now understands GPP 1.1 which makes it incompatible with GPP 1.0. Publishers MUST upgrade for continued GPP support.

Prebid Server

Here’s a summary of the privacy features in Prebid Server that publishers may use to align with the guidance of their legal counsel:

Prebid Server Version	USNat-Related Features	Notes
PBS-Go before 0.236 PBS-Java before 1.110	None	If you operate in the US, you should consider upgrading.
PBS-Go 0.236 PBS-Java 1.110	GPP passthrough	PBS reads the GPP string from the ORTB request and passes to compliant bid adapters. Not many bid adapters supported GPP in earlier versions.
PBS‑Go 0.248 and later PBS‑Java 1.113 and later	GPP passthrough GPP US Privacy	PBS will read SID 6 out of the GPP string and process it as if regs.us_privacy were present on the request.
PBS-Go 2.2 PBS-Java 1.118	GPP passthrough GPP US Privacy Activity Controls	Activity Controls grant the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules.
PBS-Go TBD PBS-Java 1.122	GPP passthrough GPP US Privacy Enhanced Activity Controls	Activity controls support additional conditions for defining USNat-related rules: gppSid, geo, and gpc.
PBS-Go TBD PBS-Java 1.126	GPP passthrough GPP US Privacy Enhanced Activity Controls USGen Module	The USGen module processes SIDs 7 through 12 after normalizing protocol differences.
PBS-Go TBD PBS-Java 1.130	GPP passthrough GPP US Privacy Enhanced Activity Controls USNat Module US Custom Logic module	Allows publishers to provide alternate interpretations of the USNat string as it applies to Activity Controls.

Prebid SDK

SDK v2.0.8 (both iOS and Android) supports reading mobile app GPP data and passing it to Prebid Server.

Interpreting USNat Strings

This section details the default for how Prebid code interprets GPP SIDs 7 through 12. It applies to both Prebid.js and Prebid Server.

Requirements

When normalizing state-specific strings to the US National string, Prebid adds an additional “NULL” value which means that value was not present in the original string.

To make sense of the specific values below, please refer to the IAB’s USNat technical specifications.

The US National privacy module should be able to translate state-level differences into the US National (SID 7) sense of the flags using this mapping:
1. KnownChild normalizations follow these rules:
  1. SID 7 has two ‘KnownChild’ values: ages 13-16 and under 13. The goal is to map SIDs 8-12 behavior to SID 7’s structure.
  2. Prebid does not distinguish between “selling”, “sharing”, or “processing” data.
  3. If the state-level KnownChild values are all 0 (N/A), then the normalized output values are also 0. The assumption is that a KnownChild value of 0 means the user is not a child as defined by the various laws.
  4. If the state-specific values do not distinguish between ages 13-16 and under 13, Prebid will set the normalized values to be the same and will never report consent because we will not recognize consent from under 13. We’ve mapped information in the state-specific protocols in a conservative way.
2. Normalization for California (CA) (SID 8)
  1. CA sensitive data 1 maps to US national sensitive data 9
  2. CA sensitive data 2 maps to US national sensitive data 10
  3. CA sensitive data 3 maps to US national sensitive data 8
  4. CA sensitive data 4 maps to US national sensitive data 1 and 2
  5. CA sensitive data 5 maps to US national sensitive data 12
  6. CA sensitive data 6 and 7 maps straight through to US national sensitive data 6 and 7
  7. CA sensitive data 8 maps to US national sensitive data 3
  8. CA sensitive data 9 maps to US national sensitive data 4
  9. Set these fields to NULL: SharingNotice, TargetedAdvertisingOptOutNotice, TargetedAdvertisingOptOut, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[5 and 11]
  10. KnownChild - SID 8 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
    1. If CA string KnownChildSensitiveDataConsents[1]=0 and state string KnownChildSensitiveDataConsents[2]=0, then no change – these can be treated as the normalized KnownChildSensitiveDataConsents[1]=KnownChildSensitiveDataConsents[2]=0 (i.e. not a ‘known child’)
    2. Otherwise, the SID 8 protocol does not allow Prebid to know if the user is aged 13-16 or under 13, so simply set KnownChildSensitiveDataConsents[1] or [2] both to 1 (no consent)
  11. All other fields pass through.
3. Normalization for Virginia (SID 9)
  1. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12], PersonalDataConsents, GPC.
  2. KnownChild: - SID 9 does not distinguish between consent for ages 13-16 and under 13, and the VA state laws define a child as being under 13, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID 9 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
    2. If the SID 9 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  3. All other fields pass through.
4. Normalization for Colorado (SID 10)
  1. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[8-12], PersonalDataConsents
  2. KnownChild - SID 10 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
  3. If the SID 10 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
  4. If the SID 10 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  5. All other fields pass through.
5. Normalization for Utah (UT) (SID 11)
  1. UT sensitive data 1,2 maps straight through to US National 1,2
  2. UT sensitive data 3 maps to US National 4
  3. UT sensitive data 4 maps to US National 5
  4. UT sensitive data 5 maps to US National 3
  5. UT sensitive data 6,7,8 maps straight through to US National 6,7,8
  6. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessing[9-12], PersonalDataConsents, GPC
  7. KnownChild - SID 11 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
    1. If the SID11 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
    2. If the SID11 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
  8. All other fields pass through.
6. Normalization for Connecticut (SID 12)
  1. Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12], PersonalDataConsents
  2. KnownChild - SID 12 does distinguish ages aligned with SID 7
    1. If SID 12 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
    2. SID 12 age ranges align with SID 7, so let ages 13-16 state their consent. If SID 12 string KnownChildSensitiveDataConsents[2]=2 and SID 12 string KnownChildSensitiveDataConsents[3]=2, then set the normalized KnownChildSensitiveDataConsents[1]=2 (Ages 13-16 consented) and the normalized KnownChildSensitiveDataConsents[2]=1 (under 13 not consented)
    3. Otherwise, set the normalized SID 7 KnownChildSensitiveDataConsents[1 and 2] to 1 (no consent)
  3. All other fields pass through.
7. If the CMP provides a non-zero value for any of the following sensitive data categories, the module should suppress the activity. In other words, if there’s any hint that data from these categories is associated with advertising, Prebid should anonymize first-party data.
  1. Genetic (6)
  2. Biometric (7)
  3. Personal Info (9)
  4. Login/Credit Card (10)
  5. Email content (12)
8. The publisher should be able to override the default activity restriction logic with fine-grained control over all of the flags, including the ability to refine the conditions separately for ServiceProvider and OptOut modes, and for the MspaCoveredTransaction flag.
  1. The overrides should support the ability for the platform to understand whether it should be looking at the native SID state flags or the ‘normalized’ flags mapped from the process above.
9. It should be possible for a publisher to override the USNat logic differently for different states.
10. Prebid’s default restrictions should be tight. Restrict the potential for syncing and/or ad targeting when
  1. in ServiceProvider mode
  2. the GPC flag is set
  3. in OptOut mode and any of the following are true
    1. notice was not provided
    2. opt-out was chosen
    3. consent for sensitive or ‘known child’ was not provided
    4. invalid data was provided by the CMP

USNat Activity Restrictions

This table documents the default blocks of boolean logic that indicate whether a given privacy activity is allowed or suppressed.

Activity	USNat Disallow Logic	Notes
deviceAccess	n/a	Default to ‘allow’. Publisher Activity Control config may cause it to ‘restrict’.
fetchBid	n/a	Header bidding auctions are always allowed, but aspects of them may be anonymized.
reportAnalytics	n/a	Analytics always allowed, but may be anonymized.
syncUser	MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingNotice=2 OR SharingOptOutNotice=2 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR SharingOptOut=1 OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2	Suppress usersyncs when activity is not allowed: - Service Provider Mode - GPC flag - Lack of notice - Any opt-out - Allow kids 13-16 to consent, but always anonymize under age 13. - Notice was considered unnecessary yet permission to engage in targeted advertising is somehow considered valid. - Do not trust a CMP that claims to have ‘personal data consent’ for something that’s logically impossible.
enrichEids	(same as syncUser)	Suppress the addition of EIDs when activity is not allowed.
enrichUfpd	(same as syncUser)	Suppress the addition of User First Party Data when activity is not allowed.
transmitEids	(same as syncUser)	Suppress the transmission of user.eids when activity is not allowed.
transmitUfpd	MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR SharingNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingOptOutNotice=2 OR SharingOptOut=1 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2) SensitiveDataProcessing[1-5,11]=1 OR SensitiveDataProcessing[6,7,9,10,12]=1 OR SensitiveDataProcessing[6,7,9,10,12]=2 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2	Suppress the transmission or user.ext.data., user.data., and device IDs when the activity is not allowed. The difference in this logic compared to syncUser is that it includes ‘sensitive data’ flags. See the requirements above and the commentary below.
transmitPreciseGeo	MspaServiceProviderMode=1 OR GPC=1 OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2) SensitiveDataProcessing[8]=1 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2	Round IP address and lat/long in both device.geo and user.geo when the activity is not allowed. The difference in this logic is that it includes “sensitive data 8” (geo) and does not include the UFPD- and ID-related fields.
transmitTid	n/a	Sending transaction IDs is not an aspect of USNat.

NOTE – Here’s what the numbers in the logic above indicate in the IAB GPP USNat specification:

MspaServiceProviderMode:

0 - Not Applicable
1 - Yes
2 - No

SaleOptOut, SharingOptOut, TargetedAdvertisingOptOut:

0 - Not Applicable
1 - Opted-Out
2 - Did not Opt-Out

SaleOptOutNotice, SharingNotice, TargetedAdvertisingOptOutNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataLimitUseNotice:

0 - Not Applicable
1 - Notice was provided
2 - Notice was not provided

KnownChildSensitiveDataConsents, PersonalDataConsents, SensitiveDataProcessing:

1 - No Consent
2 - Consent

Commentary

Prebid arrived at this logic through community discussions and in conjunction with legal counsel. First, we established the requirements and then translated them into boolean logic. Here’s a commentary on the default logic for the transmitUfpd activity:

// In ServiceProvider mode, a publisher has declared they don't use personal data,
// so Prebid can anonymize all aspects of the request
MspaServiceProviderMode=1 OR

// The Global Privacy Control flag means to anonymize everything
GPC=1 OR

// Notice was not given to the user about opting out of the sale of their data
SaleOptOutNotice=2 OR

// The user opted out of the sale of their data
SaleOptOut=1 OR

// Notice was not given to the user about the sharing of their data
SharingNotice=2 OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
(SaleOptOutNotice=0 AND SaleOptOut=2) OR

// Notice was not given to the user about opting out of the sharing of their data
SharingOptOutNotice=2 OR

// The user opted out of the sharing of their data
SharingOptOut=1 OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingOptOutNotice=0 AND SharingOptOut=2) OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingNotice=0 AND SharingOptOut=2) OR

// Notice was not given to the user about opting out of ad targeting
TargetedAdvertisingOptOutNotice=2 OR

// The user opted out of ad targeting
TargetedAdvertisingOptOut=1 OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
(TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR

// Notice was not given to the user about opting out of processing sensitive data
SensitiveDataProcessingOptOutNotice=2 OR

// Notice was not given to the user about limiting the use of their sensitive data
SensitiveDataLimitUseNotice=2 OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
// Note that SensitiveDataProcessing[8] is the geographic location and covered in the `transmitPreciseGeo` activity
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2)

// The user has not consented to share data of categories 1-5 and 11
SensitiveDataProcessing[1-5,11]=1 OR

// Data of the following categories should never be present in ad calls.
// So whether consented or not consented, anonymize UFPD if the CMP says they're present
SensitiveDataProcessing[6,7,9,10,12]=1 OR
SensitiveDataProcessing[6,7,9,10,12]=2 OR

// If a child 13-16 has not granted consent
KnownChildSensitiveDataConsents[1]=1 OR

// Do not accept consent from a child younger than 13
KnownChildSensitiveDataConsents[2]==1 OR
KnownChildSensitiveDataConsents[2]==2 OR

// The CMP claims to have consent for an 'unrelated' activity.
// Prebid views this as a logical impossibility and an invalid CMP response
PersonalDataConsents=2

If a publisher’s legal team disagrees with any of these interpretations, both Prebid.js and Prebid Server support overriding this default logic.

The transmitPreciseGeo activity has a couple of clauses not already mentioned:

// Consent was not given for the use of "precise geographic" information
SensitiveDataProcessing[8]=1 OR

// The CMP claims that notice was not needed, but at the same time claims consent was given
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2)

Prebid.js: Activity Controls, GPP module, GPP USNat module
Prebid Server: Activity Controls