This resource should not be construed as legal advice and Prebid.org makes no guarantees about compliance with any law or regulation. Please note that because every company and its collection, use, and storage of personal data is different, you should seek independent legal advice relating to obligations under European and/or US regulations, including the GDPR, the ePrivacy Directive, CCPA, other state privacy laws, etc., and how you implement the tools outlined in this document. Only your lawyer can provide you with legal advice specifically tailored to your situation. Nothing in this guide is intended to provide you with, or should be used as a substitute for, legal advice tailored to your business.
Starting July 1st 2023, several US states started enforcing new privacy regulations.
The IAB released the “Multi-State Privacy Agreement” (MSPA) as its proposal for how the advertising ecosystem can support these and future US State regulations. References:
Prebid.org cannot advise publishers on how to conform to privacy laws that affect their business. Instead, publishers should be aware of what privacy-related features Prebid supports so that their legal, product, and engineering teams can define a privacy implementation.
Prebid’s assumptions about the MSPA and the US National Privacy specification:
Here’s a summary of the privacy features in Prebid.js that publishers may use to align with the guidance of their legal counsel:
Prebid.js Version | USNat-Related Features | Notes |
---|---|---|
before 7.30 | None | If you operate in the US, you should consider upgrading. |
7.30-7.51 | GPP module | The GPP module reads the GPP string from a compliant CMP and passes it to compliant bid adapters. Not many bid adapters supported GPP in earlier versions. |
7.52-8.1 | GPP module<br>Activity Controls | Activity Controls provide the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules. See examples in that document for supporting CCPA directly. |
8.2-8.x | GPP module<br>Activity Controls<br>USNat module | The USNat module processes SID 7. |
After 8.x | GPP module<br>Activity Controls<br>USNat module<br>US State module | The US State module processes SIDs 8 through 12 after normalizing protocol differences. |
After 8.10 | GPP Module | The GPP module now understands GPP 1.1 which makes it incompatible with GPP 1.0. Publishers MUST upgrade for continued GPP support. |
Here’s a summary of the privacy features in Prebid Server that publishers may use to align with the guidance of their legal counsel:
Prebid Server Version | USNat-Related Features | Notes |
---|---|---|
PBS-Go before 0.236<br>PBS-Java before 1.110 | None | If you operate in the US, you should consider upgrading. |
PBS-Go 0.236<br>PBS-Java 1.110 | GPP passthrough | PBS reads the GPP string from the ORTB request and passes it to compliant bid adapters. Not many bid adapters supported GPP in earlier versions. |
PBS-Go 0.248 and later<br>PBS-Java 1.113 and later | GPP passthrough<br>GPP US Privacy | PBS will read SID 6 out of the GPP string and process it as if regs.us_privacy were present on the request. |
PBS-Go TBD<br>PBS-Java 1.118 | GPP passthrough<br>GPP US Privacy<br>Activity Controls | Activity Controls grant the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules. |
PBS-Go TBD<br>PBS-Java 1.122 | GPP passthrough<br>GPP US Privacy<br>Enhanced Activity Controls | Activity controls support additional conditions for defining USNat-related rules: gppSid, geo, and gpc. |
PBS-Go TBD<br>PBS-Java 1.126 | GPP passthrough<br>GPP US Privacy<br>Enhanced Activity Controls<br>USGen Module | The USGen module processes SIDs 7 through 12 after normalizing protocol differences. |
TBD | GPP passthrough<br>GPP US Privacy<br>Enhanced Activity Controls<br>USNat Module<br>US Custom Logic module | Allows publishers to provide alternate interpretations of the USNat string as it applies to Activity Controls. |
SDK v2.0.8 (both iOS and Android) supports reading mobile app GPP data and passing it to Prebid Server.
This section details the default for how Prebid code interprets GPP SIDs 7 through 12. It applies to both Prebid.js and Prebid Server.
When normalizing state-specific strings to the US National string, Prebid adds an additional “NULL” value which means that value was not present in the original string.
To make sense of the specific values below, please refer to the IAB’s USNat technical specifications.
KnownChild - SID 10 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
This table documents the default blocks of boolean logic that indicate whether a given privacy activity is allowed or suppressed.
Activity | USNat Disallow Logic | Notes |
---|---|---|
deviceAccess | n/a | Default to ‘allow’. Publisher Activity Control config may cause it to ‘restrict’. |
fetchBid | n/a | Header bidding auctions are always allowed, but aspects of them may be anonymized. |
reportAnalytics | n/a | Analytics always allowed, but may be anonymized. |
syncUser | MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingNotice=2 OR SharingOptOutNotice=2 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR SharingOptOut=1 OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 | Suppress usersyncs when activity is not allowed:<br>- Service Provider Mode<br>- GPC flag<br>- Lack of notice<br>- Any opt-out<br>- Allow kids 13-16 to consent, but always anonymize under age 13.<br>- Notice was considered unnecessary yet permission to engage in targeted advertising is somehow considered valid.<br>- Do not trust a CMP that claims to have ‘personal data consent’ for something that’s logically impossible. |
enrichEids | (same as syncUser) | Suppress the addition of EIDs when activity is not allowed. |
enrichUfpd | (same as syncUser) | Suppress the addition of User First Party Data when activity is not allowed. |
transmitEids | (same as syncUser) | Suppress the transmission of user.eids when activity is not allowed. |
transmitUfpd | MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR SharingNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingOptOutNotice=2 OR SharingOptOut=1 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2) OR SensitiveDataProcessing[1-5,11]=1 OR SensitiveDataProcessing[6,7,9,10,12]=1 OR SensitiveDataProcessing[6,7,9,10,12]=2 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 | Suppress the transmission of `user.ext.data.*`, `user.data.*`, and device IDs when the activity is not allowed. The difference in this logic compared to syncUser is that it includes ‘sensitive data’ flags. See the requirements above and the commentary below. |
transmitPreciseGeo | MspaServiceProviderMode=1 OR GPC=1 OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2) OR SensitiveDataProcessing[8]=1 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 | Round IP address and lat/long in both device.geo and user.geo when the activity is not allowed. The difference in this logic is that it includes “sensitive data 8” (geo) and does not include the UFPD- and ID-related fields. |
NOTE – Here’s what the numbers in the logic above indicate in the IAB GPP USNat specification:
MspaServiceProviderMode:
SaleOptOut, SharingOptOut, TargetedAdvertisingOptOut:
SaleOptOutNotice, SharingNotice, TargetedAdvertisingOptOutNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataLimitUseNotice:
KnownChildSensitiveDataConsents, PersonalDataConsents, SensitiveDataProcessing:
Prebid arrived at this logic through community discussions and in conjunction with legal counsel. First, we established the requirements and then translated them into boolean logic. Here’s a commentary on the default logic for the transmitUfpd activity:
```
// In ServiceProvider mode, a publisher has declared they don't use personal data,
// so Prebid can anonymize all aspects of the request
MspaServiceProviderMode=1 OR
// The Global Privacy Control flag means to anonymize everything
GPC=1 OR
// Notice was not given to the user about opting out of the sale of their data
SaleOptOutNotice=2 OR
// The user opted out of the sale of their data
SaleOptOut=1 OR
// Notice was not given to the user about the sharing of their data
SharingNotice=2 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SaleOptOutNotice=0 AND SaleOptOut=2) OR
// Notice was not given to the user about opting out of the sharing of their data
SharingOptOutNotice=2 OR
// The user opted out of the sharing of their data
SharingOptOut=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingOptOutNotice=0 AND SharingOptOut=2) OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingNotice=0 AND SharingOptOut=2) OR
// Notice was not given to the user about opting out of ad targeting
TargetedAdvertisingOptOutNotice=2 OR
// The user opted out of ad targeting
TargetedAdvertisingOptOut=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR
// Notice was not given to the user about opting out of processing sensitive data
SensitiveDataProcessingOptOutNotice=2 OR
// Notice was not given to the user about limiting the use of their sensitive data
SensitiveDataLimitUseNotice=2 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
// Note that SensitiveDataProcessing[8] is the geographic location and covered in the `transmitPreciseGeo` activity
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2) OR
// The user has not consented to share data of categories 1-5 and 11
SensitiveDataProcessing[1-5,11]=1 OR
// Data of the following categories should never be present in ad calls.
// So whether consented or not consented, anonymize UFPD if the CMP says they're present
SensitiveDataProcessing[6,7,9,10,12]=1 OR
SensitiveDataProcessing[6,7,9,10,12]=2 OR
// If a child 13-16 has not granted consent
KnownChildSensitiveDataConsents[1]=1 OR
// Do not accept consent from a child younger than 13
KnownChildSensitiveDataConsents[2]==1 OR
KnownChildSensitiveDataConsents[2]==2 OR
// The CMP claims to have consent for an 'unrelated' activity.
// Prebid views this as a logical impossibility and an invalid CMP response
PersonalDataConsents=2
```
If a publisher’s legal team disagrees with any of these interpretations, both Prebid.js and Prebid Server support overriding this default logic.
The transmitPreciseGeo activity has a couple of clauses not already mentioned:
```
// Consent was not given for the use of "precise geographic" information
SensitiveDataProcessing[8]=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2)
```
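The default disallow logic from the table and commentary above, written as a JavaScript evaluator so the three rule sets can be compared on the same input. This is an added example, not Prebid.js or Prebid Server code: it assumes an already-decoded SID 7 section keyed by the page's field names with numeric values (including `GPC` as 0/1), and it reads a bracketed category list such as `[1-5,11]` as "any listed category". The helper names and the sample section are constructed for illustration.

```javascript
// Added example, not Prebid's code. Arrays are 0-indexed here, so the page's
// SensitiveDataProcessing[8] is index 7 and KnownChildSensitiveDataConsents[2] is index 1.
const anyCat = (s, cats, val) => cats.some(c => s.SensitiveDataProcessing[c - 1] === val);

// Clauses common to syncUser, transmitUfpd and transmitPreciseGeo.
function baseDisallow(s) {
  const kc = s.KnownChildSensitiveDataConsents;
  return s.MspaServiceProviderMode === 1 || s.GPC === 1 ||
    kc[1] === 1 || kc[1] === 2 || // page: KnownChildSensitiveDataConsents[2] (under 13)
    kc[0] === 1 ||                // page: KnownChildSensitiveDataConsents[1] (13-16)
    s.PersonalDataConsents === 2;
}

// Sale, sharing and targeted-advertising clauses.
function optOutDisallow(s) {
  return s.SaleOptOut === 1 || s.SaleOptOutNotice === 2 ||
    (s.SaleOptOutNotice === 0 && s.SaleOptOut === 2) ||
    s.SharingNotice === 2 || s.SharingOptOutNotice === 2 || s.SharingOptOut === 1 ||
    (s.SharingOptOutNotice === 0 && s.SharingOptOut === 2) ||
    (s.SharingNotice === 0 && s.SharingOptOut === 2) ||
    s.TargetedAdvertisingOptOutNotice === 2 || s.TargetedAdvertisingOptOut === 1 ||
    (s.TargetedAdvertisingOptOutNotice === 0 && s.TargetedAdvertisingOptOut === 2);
}

// Sensitive-data notice clauses for the given category list.
function noticeDisallow(s, cats) {
  const a = s.SensitiveDataProcessingOptOutNotice, b = s.SensitiveDataLimitUseNotice;
  return a === 2 || b === 2 || ((a === 0 || b === 0) && anyCat(s, cats, 2));
}

const disallow = {
  syncUser: s => baseDisallow(s) || optOutDisallow(s),
  transmitUfpd: s => baseDisallow(s) || optOutDisallow(s) ||
    noticeDisallow(s, [1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12]) ||
    anyCat(s, [1, 2, 3, 4, 5, 11], 1) ||
    anyCat(s, [6, 7, 9, 10, 12], 1) || anyCat(s, [6, 7, 9, 10, 12], 2),
  transmitPreciseGeo: s => baseDisallow(s) || noticeDisallow(s, [8]) || anyCat(s, [8], 1),
};

// Constructed sample section: no clause fires until a field is overridden.
const sample = (over = {}) => ({
  MspaServiceProviderMode: 2, GPC: 0, SaleOptOutNotice: 1, SaleOptOut: 2,
  SharingNotice: 1, SharingOptOutNotice: 1, SharingOptOut: 2,
  TargetedAdvertisingOptOutNotice: 1, TargetedAdvertisingOptOut: 2,
  SensitiveDataProcessingOptOutNotice: 1, SensitiveDataLimitUseNotice: 1,
  SensitiveDataProcessing: new Array(12).fill(0),
  KnownChildSensitiveDataConsents: [0, 0], PersonalDataConsents: 0, ...over,
});
// Returns { syncUser, transmitUfpd, transmitPreciseGeo }, true meaning "disallowed".
const report = s => Object.fromEntries(Object.entries(disallow).map(([k, f]) => [k, f(s)]));
```

Calling `report(sample({ SaleOptOut: 1 }))` shows the asymmetry the table describes: a sale opt-out restricts syncUser and transmitUfpd but leaves transmitPreciseGeo allowed.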