Prebid Server | Features | Privacy

Mobile ‘Limit Ad Tracking’ flag

If PBS receives the ‘device.lmt’ flag in the OpenRTB request, it performs the following anonymization:

  • Masks the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses
  • Removes user.id and user.buyeruid
  • Removes the request.device.ifa attribute
  • Rounds the request.device.geo.{lat,lon} to two decimal places

GDPR

Prebid Server host companies and publishers have the ability to control the enforcement activities that take place.

The enforcement strategy changed significantly between TCF 1.1 and TCF 2.0. TCF2 is a more nuanced and stricter policy.

If a Prebid Server host company wants to support GDPR, they must currently register for the IAB Global Vendor List. The user must provide legal basis for the host company to read/write cookies or /cookie_sync will return an empty response with no syncs and /setuid will fail.

TCF 1.1

If Prebid Server determines that the user is in GDPR scope and doesn’t consent to all of the vendor’s ‘purposes’ as declared in the Global Vendor List, it ‘anonymizes’ the request to the adapters:

  • Masks the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses
  • Removes user.id and user.buyeruid
  • Removes the request.device.ifa attribute
  • Rounds the request.device.geo.{lat,lon} to two decimal places

Full details are available here.

TCF 2.0

If Prebid Server determines the user is in GDPR scope, then consent is independently tested for each ‘Purpose’ with different consequences for each:

| Activity | Legal Basis Required |
|---|---|
| Responding to /cookie_sync requests | Purpose 1 (Device Access) |
| Setting a cookie on /setuid requests | Purpose 1 (Device Access) |
| Conducting auctions | Purpose 2 (Basic Ads) |
| Passing User IDs into an auction | Any Purpose 2-10. User IDs are important for more than personalizing ads - they can be used in frequency capping, building profiles, counting unique users, etc. So Prebid Server should pass User IDs through the auction if any of Purposes 2-10 pass the legal basis test. |
| Invoke an analytics adapter | Purpose 7 |
| Pass the user’s precise geographic information into auctions | Special Feature 1 |

More details are available in the Prebid Support for TCF2 reference and in the Prebid Server GDPR Reference.

GDPR Configuration

There are a number of configuration settings that PBS Host Companies need to consider:

  • Host company GVL ID. Currently PBS requires the host company to have a GVL-ID or the setting of the uids cookie in GDPR scope will fail.
  • The default expiration time of the uids cookie set in the host company domain should be defined to match what’s in the TCF 2.1 maxCookieAgeSeconds GVL field.
  • GDPR enforcement flags for each Purpose and Vendor

The specific details vary slightly between PBS-Go and PBS-Java, so check the version-specific documentation for more information.

COPPA

The Children’s Online Privacy Protection Act (COPPA) is a law in the US which imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. If regs.coppa is set to ‘1’ on the OpenRTB request, the following anonymization actions take place before going to the adapters:

  • Removes all ID fields: device.ifa, device.macsha1, device.macmd5, device.dpidsha1, device.dpidmd5, device.didsha1, device.didmd5
  • Truncate ip field - remove lowest 8 bits.
  • Truncate ipv6 field - remove lowest 32 bits.
  • Remove geo.lat, geo.lon, geo.metro, geo.city, and geo.zip
  • Remove user.id, user.buyeruid, user.yob, and user.gender

CCPA / US-Privacy

The California Consumer Privacy Act (CCPA) is a law in the US which covers consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The IAB has generalized this state-specific rule into a US Privacy compliance framework. If regs.ext.us_privacy is parsed to find that the user has opted-out of a “sale”, the following anonymization steps are taken:

  • Mask the last byte of the IPv4 address and the last 2 bytes of IPv6 addresses
  • Removes user.id and user.buyeruid
  • Removes the request.device.ifa attribute
  • Rounds the request.device.geo.{lat,lon} to two decimal places
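
The four steps that the ‘Limit Ad Tracking’, TCF 1.1 and US-Privacy lists share, as an added Go example; it is not Prebid Server's own code. The struct types, maskIP and Anonymize are hypothetical names covering only the fields this page mentions, and the sample request is constructed.

```go
package main

import (
	"fmt"
	"math"
	"net"
)

// Minimal stand-ins for the OpenRTB fields named above (assumed types, not PBS's own).
type Geo struct{ Lat, Lon float64 }
type Device struct {
	IP, IPv6, IFA string
	Geo           *Geo
}
type User struct{ ID, BuyerUID string }
type Request struct {
	Device Device
	User   User
}

// maskIP zeroes the lowest `bits` bits; input that does not parse is dropped, not passed on.
func maskIP(s string, bits int) string {
	ip := net.ParseIP(s)
	if ip == nil {
		return ""
	}
	size := 128
	if v4 := ip.To4(); v4 != nil {
		ip, size = v4, 32
	}
	return ip.Mask(net.CIDRMask(size-bits, size)).String()
}

// Anonymize applies the four steps shared by the LMT, TCF 1.1 and US-Privacy lists.
func Anonymize(r *Request) {
	r.Device.IP = maskIP(r.Device.IP, 8)      // last byte of IPv4
	r.Device.IPv6 = maskIP(r.Device.IPv6, 16) // last 2 bytes of IPv6 (the COPPA list uses 32 bits)
	r.User.ID, r.User.BuyerUID, r.Device.IFA = "", "", ""
	if g := r.Device.Geo; g != nil {
		g.Lat = math.Round(g.Lat*100) / 100
		g.Lon = math.Round(g.Lon*100) / 100
	}
}

func main() {
	// Constructed sample request using documentation-range addresses.
	r := Request{Device{"203.0.113.77", "2001:db8::1234:5678", "constructed-ifa", &Geo{51.50735, -0.12776}}, User{"u1", "b1"}}
	Anonymize(&r)
	fmt.Println(r.Device.IP, r.Device.IPv6, *r.Device.Geo, r.User)
}
```

A quick check for any adapter-facing log or test fixture is that none of user.id, user.buyeruid or device.ifa survive and that both address fields end in zeroed bits.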

DNT

Prebid Server does not recognize the Do-Not-Track header. The committee determined that it’s obsolete in general and not supported on Safari specifically. We prefer not to implement, test, and document unsupported privacy flags. Prebid Server is not going to make a dent in the overall problems with DNT.

We may reconsider this position if community members provide evidence that the flag is meaningful to their customers or lawyers.