This is a work in progress. This document is intented to be a repository for the Prebid.org community to collect best practices regarding the integration of Prebid.js and Consent Management Platforms.
Prebid cannot define a standard one-size-fits-all way of integrating with CMPs – there are too many special cases, custom implementations, and differently flavored CMPs for that.
Instead, here are some general guidelines:
The indicates the determination of whether GDPR applies in this context. The CMP, in most cases, is responsible for this. The publisher provides this value when supplying static consent data.
This indicates the behavior of Prebid when the CMP does not provide a value for
gdprApplies. Critically, the defaultGdprScope is applied if the user times-out in replying to the CMP’s questions. While this also can happen if the CMP doesn’t set the value in certain cases, or the CMP isn’t loaded, the timeout behavior critical to understand. Essentially, the value of this config variable takes the place of the CMP
gdprApplies value cannot be determined.
Prebid.js doesn’t have a concept of the geographic region where it’s running. It’s up to the CMP and/or publisher to configure Prebid.js correctly. Here are some options for discussing with with your lawyers, engineers, and CMP provider:
consentManagementconfig from the Prebid.js entirely when GDPR does not apply.
falsewill result in timeouts in the EEA being treated as GDPR not applying, when it should.
Here are some approaches where PBJS config can be the same across all geos:
__tcfapi()function and sets gdprApplies to false, then the page can rely on this function and set a global
In these approaches, the publisher has to be aware of the geo and tell Prebid.js what to do:
consentManagementconfig, but when not in the EEA, the page avoids setting the
consentManagementconfig, turning off GDPR enforcement.
consentManagementconfig with defaultGdprScope=false so that if the CMP is slow to respond then enforcement is off.
Community members are welcome to contribute more specific implementation approaches here. Please do not attempt to extoll the virtues of one CMP over another – just help others with interface idiosyncacies.
LiveRamp has verified that they create the tcfapi functions and set gdprApplies=false when their CMP is removed from a geo.