This consent management module is designed to support the EU General Data Protection Regulation (GDPR).
This module works with supported Consent Management Platforms (CMPs) to fetch an encoded string representing the user’s consent choices and make it available for adapters to consume and process.
See also the Prebid Consent Management - US Privacy Module for supporting the California Consumer Protection Act (CCPA).
Prebid functionality created to address regulatory requirements does not replace each party’s responsibility to determine its own legal obligations and comply with all applicable laws. We recommend consulting with your legal counsel before determining how to utilize these features in support of your overall privacy approach.
Here’s a summary of the interaction process:
In the case of a new user, CMPs will generally respond only after there is consent information available (i.e., the user has made their consent choices). Making these selections can take some time for the average user, so the module provides timeout settings.
If the timeout period expires or an error from the CMP is thrown, one of these actions occurs:
To utilize this module, a CMP compatible with the IAB 1.1 TCF spec needs to be implemented on the site to interact with the user and obtain their consent choices.
Though implementation details for the CMP are not covered by Prebid.org, we do recommend that you place the CMP code before the Prebid.js code in the head of the page, to ensure the CMP’s framework is loaded before the Prebid code executes.
Once the CMP is implemented, simply include this module into your build and add a consentManagement object in the setConfig() call. Adapters that support this feature will then be able to retrieve the consent information and incorporate it in their requests.
Here are the parameters supported in the
Note that versions of Prebid.js before 2.43.0 had a different GDPR configuration. The module is backwards-compatible, but we recommend migrating to the new config structure as soon as possible.
||The CMP interface that is in use. Supported values are ‘iab’ or ‘static’. Static allows integrations where IAB-formatted consent strings are provided in a non-standard way. Default is
||Length of time (in milliseconds) to allow the CMP to obtain the GDPR consent string. Default is
||Determines what will happen if obtaining consent information from the CMP fails; either allow the auction to proceed (
||An object representing the GDPR consent data being passed directly; only used when cmpApi is ‘static’. Default is
The allowAuctionWithoutConsent parameter refers to the entire consent string, not to any individual consent option. Prebid.js does not parse the GDPR consent string, so it doesn’t know if the user has consented to any particular action.
Example 1: GDPR IAB CMP using custom timeout and cancel-auction options.
Example 2: Static CMP using custom data passing.
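The two configurations named above, written out as an added example (not the page's original snippets). The nested gdpr key, the consentData layout, the 8000 ms timeout and the placeholder strings are assumptions not shown on this page.

```javascript
// Added example; timeout value and consent strings are constructed placeholders.
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];

// Example 1: IAB CMP, custom timeout, cancel the auction if the consent lookup fails.
var iabCmpConfig = {
  consentManagement: {
    gdpr: {
      cmpApi: 'iab',
      timeout: 8000,                     // milliseconds to wait for the CMP
      allowAuctionWithoutConsent: false  // CMP error or timeout cancels the auction
    }
  }
};

// Example 2: static CMP, consent data handed to Prebid.js directly.
var staticCmpConfig = {
  consentManagement: {
    gdpr: {
      cmpApi: 'static',
      consentData: {
        getConsentData: {
          gdprApplies: true,
          hasGlobalScope: false,
          consentData: 'PLACEHOLDER_IAB_CONSENT_STRING'
        },
        getVendorConsents: {
          metadata: 'PLACEHOLDER_METADATA',
          gdprApplies: true,
          hasGlobalScope: false,
          purposeConsents: { 1: true },
          vendorConsents: { 1: true }
        }
      }
    }
  }
};

// A page uses one of the two; queue the call so it runs once Prebid.js has loaded.
pbjs.que.push(function () {
  pbjs.setConfig(iabCmpConfig);
});
```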
Follow the basic build instructions in the GitHub Prebid.js repo’s main README. To include the consent management module, an additional option must be added to the gulp build command:
If you are submitting changes to an adapter to support this approach, please also submit a PR to the docs repo to add the gdpr_supported: true variable to your respective page in the bidders directory. This will ensure that your adapter’s name will automatically appear on the list of adapters supporting GDPR.
To find the GDPR consent information to pass along to your system, adapters should look for the bidderRequest.gdprConsent field in their
Here is a sample of how the data is structured in the
gdprConsent Data Fields
This field contains the user’s choices on consent, represented as an encoded string value. In certain scenarios, this field might come to you with an undefined value; normally this happens when there was an error during the CMP interaction and the publisher had the config option allowAuctionWithoutConsent set to true. If you don’t want to pass undefined to your system, you can check for this value and replace it with a valid consent string. See the consent_required code in the example below (under “gdprApplies”) for a possible approach to checking and replacing values.
This field contains the raw vendor data in relation to the user’s choices on consent. This object will hold a map of all available vendors for any potential adapters that want to read the data directly. One use-case for reading from this field would be when an adapter wants to be omitted from a request where they were not given consent. Adapters are able to read through the object to find their appropriate information.
This boolean field represents whether the user in question is in an area where GDPR applies. This field comes from the CMP itself; it’s included in the response when a request is made to the CMP API. On the rare occasion where this value isn’t defined by the CMP, each adapter has the opportunity to set their own value for this field.
One of two general approaches can be taken by the adapter to populate this field:
The following is an example of how the integration could look for the former option:
The implementation of the latter option is up to the adapter, but the general premise is the same. You would check to see if the bidderRequest.gdprConsent.gdprApplies field is undefined and if so, set the derived value from your independent system.
If neither option is taken, then there is the remote chance this field’s value will be undefined. As long as that’s acceptable for the given system, this could be a potential third option.
gdprConsent object is also available when registering
The object can be accessed by including it as an argument in the
Depending on your needs, you could include the consent information in a query of your pixel and/or, given the consent choices, determine if you should drop the pixels at all.
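One way an adapter could handle the gdprConsent fields described above, both in buildRequests() and in getUserSyncs(), as an added example that is not Prebid.js or adapter source. The helper names, payload keys (consent_string, consent_required), the sync URL and its query parameter names are assumptions.

```javascript
// Added example, not Prebid.js or adapter source. The payload keys, the sync URL
// and its query parameter names are assumptions for illustration.

// Use the CMP's gdprApplies when it is a boolean, else the adapter's own default.
function resolveGdprApplies(gdprConsent, adapterDefault) {
  return (gdprConsent && typeof gdprConsent.gdprApplies === 'boolean')
    ? gdprConsent.gdprApplies
    : adapterDefault;
}

// consentString can be undefined after a CMP error when the publisher set
// allowAuctionWithoutConsent to true; normalise it to '' for the endpoint.
function consentStringOrEmpty(gdprConsent) {
  return (gdprConsent && typeof gdprConsent.consentString === 'string')
    ? gdprConsent.consentString
    : '';
}

// Call from buildRequests(): returns the object to attach to the outgoing
// request, or null when bidderRequest carries no gdprConsent at all.
function buildGdprPayload(bidderRequest, adapterDefault) {
  const consent = bidderRequest && bidderRequest.gdprConsent;
  if (!consent) return null;
  return {
    consent_string: consentStringOrEmpty(consent),
    consent_required: resolveGdprApplies(consent, adapterDefault)
  };
}

// Call from getUserSyncs(syncOptions, responses, gdprConsent): register no pixel
// when GDPR applies but no consent string exists, else pass consent in the query.
function buildSyncs(syncOptions, gdprConsent, adapterDefault) {
  if (!syncOptions || !syncOptions.pixelEnabled) return [];
  const applies = resolveGdprApplies(gdprConsent, adapterDefault);
  const consentString = consentStringOrEmpty(gdprConsent);
  if (applies && !consentString) return [];
  const query = 'gdpr=' + (applies ? 1 : 0) +
    '&gdpr_consent=' + encodeURIComponent(consentString);
  return [{ type: 'image', url: 'https://sync.example.com/pixel?' + query }];
}
```

Whether an empty string is acceptable in place of a missing consent string depends on the receiving endpoint; substitute whatever value that system expects.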
Prebid.js and much of the ad industry rely on the IAB CMP standard for GDPR support, but there might be some publishers who have implemented a different approach to meeting the privacy rules. Those publishers can utilize Prebid.js and the whole header bidding ecosystem by building a translation layer between their consent method and the IAB method.
At a high level, this could be done as follows:
window.__cmp() function, which will be seen by Prebid.
Below is sample code for implementing the stub functions. Sample code for formatting the consent string can be obtained here.
Use the following values in the gdprApplies field:
This should be set to true if consent data was retrieved from global “euconsent” cookie, or it was publisher-specific. For general purpose, set this to false.
This should be false if there was some error in the consent data; otherwise set to true. False is the same as calling the callback with no parameters.
This should be set to true once the parameters listed above are processed.
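A sketch of such a translation layer, as an added example that is not the page's original sample code. It assumes the IAB TCF 1.1 __cmp(command, parameter, callback) call shape with the getConsentData, getVendorConsents and ping commands; createCmpStub and the publisherConsent object are hypothetical names.

```javascript
// Added example, not the page's sample code. publisherConsent is a hypothetical
// object from the publisher's own consent system; consentString must already be
// encoded in the IAB format.
function createCmpStub(publisherConsent) {
  const valid = !!publisherConsent &&
    typeof publisherConsent.consentString === 'string' &&
    publisherConsent.consentString.length > 0;

  return function cmpStub(command, parameter, callback) {
    if (typeof callback !== 'function') return;
    if (command === 'ping') {
      // cmpLoaded is true once the consent values have been processed.
      callback({ gdprAppliesGlobally: false, cmpLoaded: true }, true);
      return;
    }
    if (!valid) {
      callback(undefined, false); // error in the consent data: success is false
      return;
    }
    const common = {
      gdprApplies: publisherConsent.gdprApplies === true,
      hasGlobalScope: false // the general-purpose value given on this page
    };
    if (command === 'getConsentData') {
      callback(Object.assign({ consentData: publisherConsent.consentString }, common), true);
    } else if (command === 'getVendorConsents') {
      callback(Object.assign({
        metadata: publisherConsent.metadata || '',
        purposeConsents: publisherConsent.purposeConsents || {},
        vendorConsents: publisherConsent.vendorConsents || {}
      }, common), true);
    } else {
      callback(undefined, false); // command this stub does not implement
    }
  };
}

// In the page head, before Prebid.js loads (browser only):
// window.__cmp = createCmpStub(consentFromPublisherSystem);
```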