Within the framework of GDPR, Prebid Server behaves like a data processor. Cookie syncs save the user ID for each Bidder in the cookie, and each Bidder’s ID is sent back to that Bidder during the auction. Prebid Server does not use this ID for any other reason.
IDs during Auction
IDs during Cookie Syncs
POST /cookie_sync endpoint accepts
gdpr_consent properties in the request body.
If the Prebid Server host company does not have consent to read/write cookies,
/cookie_sync will return an empty response with no syncs.
Otherwise, it will return a response limited to syncs for Bidders that have consent to read/write cookies.
This limitation is in place for performance reasons; it results in fewer syncs called on the page, and their
sync endpoints will almost certainly read from the cookie anyway.
/setuid endpoint accepts
gdpr_consent query params. This endpoint
will no-op if the Prebid Server host company does not have consent to read/write cookies.
Handling the params
gdpr_consent is required if
1 and ignored if
gdpr is omitted, the Prebid Server
host company can decide whether it behaves like a
0 through the app configuration.
Callers are encouraged to send the
gdpr_consent param if
gdpr is omitted.