US Privacy Consent Management Module

Overview

This consent management module is designed to support the California Consumer Privacy Act (CCPA). The IAB has generalized these guidelines to cover future regulations, referring to the feature as “US Privacy.”

This module works with an IAB-compatible US Privacy API (USP-API) to fetch an encoded string representing the user’s notice and opt-out choices and make it available for adapters to consume and process.

See also the Prebid Consent Management - GDPR Module for supporting the EU General Data Protection Regulation (GDPR)

Here’s a summary of the interaction process:

  1. Fetch the user’s US Privacy (CCPA) notice and opt out status from the USP-API.
  2. Incorporate this data into the auction objects for adapters to collect.
  3. Proceed with the auction.

The IAB USP-API will respond immediately if it is available. The module timeout settings are not related to user selection, but only to API availability.

If the timeout period expires or an error from the USP-API is thrown, the auction proceeds without a US Privacy string attached.

The string has four characters:

String Component Values
1) Specification Version 1
2) Explicit Notice/Opportunity to Opt Out (N = No,Y = Yes,– = Not Applicable)
3) Has user opted-out of the sale of his or her personal information? (N = No,Y = Yes,– = Not Applicable)
4) Publisher is a signatory to the IAB Limited Service Provider Agreement (N = No,Y = Yes,– = Not Applicable)

Page Integration

To utilize this module, software that provides the USP-API must to be implemented on the site to interact with the user and obtain their notice and opt-out status.

Though implementation details for the USP-API are not covered by Prebid.org, we do recommend to that you place the code before the Prebid.js code in the head of the page in order to ensure the framework is loaded before the Prebid code executes.

Once the USP-API is implemented, simply include this module into your build and add a consentManagement object in the setConfig() call. Adapters that support this feature will then be able to retrieve the notice and opt-out status information and incorporate it in their requests.

Here are the parameters supported in the consentManagement object:

Param Type Description Example
usp Object    
usp.cmpApi string The USP-API interface that is in use. Supported values are ‘iab’ or ‘static’. Static allows integrations where IAB-formatted strings are provided in a non-standard way. Default is 'iab'. 'iab'
usp.timeout integer Length of time (in milliseconds) to allow the USP-API to obtain the CCPA string. Default is 50. 50
usp.consentData Object An object representing the CCPA notice and opt-out status data being passed directly; only used when cmpApi is ‘static’. Default is undefined.  

Note that the term ‘CMP’ (Consent Management Platform) was chosen in Prebid to keep the interface similar to the GDPR implementation, though US-Privacy doesn’t specifically use that term.

Examples

Example 1: Support both US Privacy and GDPR

     var pbjs = pbjs || {};
     pbjs.que = pbjs.que || [];
     pbjs.que.push(function() {
       pbjs.setConfig({
         consentManagement: {
           gdpr: {
            cmpApi: 'iab',
            allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
            timeout: 3000  // GDPR timeout 3000ms
           },
           usp: {
            timeout: 100 // US Privacy timeout 100ms
           }
         }
       });
     });

Example 2: Support US Privacy

     var pbjs = pbjs || {};
     pbjs.que = pbjs.que || [];
     pbjs.que.push(function() {
       pbjs.setConfig({
         consentManagement: {
           usp: {
            cmpApi: 'iab',
            timeout: 100 // US Privacy timeout 100ms
           }
         }
       });
     });

Example 3: Static CMP using custom data passing.

     var pbjs = pbjs || {};
     pbjs.que = pbjs.que || [];
     pbjs.que.push(function() {
        pbjs.setConfig({
          consentManagement: {
            usp: {
              cmpApi: 'static',
              consentData: {
                getUSPData: {
                  uspString: '1YYY'
                }
              }
            }
          }
        });
     });

Build the Package

Follow the basic build instructions in the GitHub Prebid.js repo’s main README. To include the consent management module, an additional option must be added to the the gulp build command:

gulp build --modules=consentManagementUsp,bidAdapter1,bidAdapter2

Adapter Integration

If you are submitting changes to an adapter to support this approach, please also submit a PR to the docs repo to add the usp_supported: true variable to your respective page in the bidders directory. This will ensure that your adapter’s name will automatically appear on the list of adapters supporting US Privacy.

Bidder Adapter US Privacy Integration

To find the US Privacy/CCPA notice and opt-out status information to pass along to your system, adapters should look for the bidderRequest.uspConsent field in their buildRequests() method. Below is a sample of how the data is structured in the bidderRequest object:

{
  "bidderCode": "bidderA",
  "auctionId": "e3a336ad-2222-4a1c-bbbb-ecc7c5554a34",
  ...
  "uspConsent": "1YYY",
  ...
}

UserSync Integration

The usPrivacy object is also available when registering userSync pixels. The object can be accessed by including it as an argument in the getUserSyncs function:

getUserSyncs: function(syncOptions, responses, gdprConsent, usPrivacy) {
...
}

Depending on your needs, you could include the US-Privacy information in a query of your pixel and/or, given the notice and opt-out status choices, determine if you should drop the pixels at all.

Adapters Supporting US Privacy / CCPA