GPP Consent — MSPA Activity Control has invalid logic denying features when consent is granted #12482
Comments
This is by design:
However, it looks like it might in fact be a possibility - we may need to reconsider. Which CMP is this coming from?
OneTrust
if I understand it correctly?? if the site pops a consent modal with the correct notices and the user grants consent, then PersonalDataConsents should equal 2, signaling consent was granted. from the prebid logic I linked to, the value "2" doesn't seem to be considered in combination with any other signals when determined invalid; it's the second thing checked, all by itself.
it also disregards if a 'no consent' signal was passed "1", but not sure how an explicit 'consent granted' signal was decided to mean 'consent denied' though, maybe just lost in the mess of all these confusing rules. I'm definitely not an expert on GPP, but seems more like that line should be changed to reject only if
@andyblackwell Prebid legal has advised Prebid that consent to reasons other than the purpose the consent was originally gathered for is invalid and illegal and the entire string is hence invalid. It is against California law to use personal information in this way despite "consent" to use the data for reasons you don't have consent for. Leaving this open in case
actually, looks like there is a discrepancy in the documents for this value, maybe that's the malfunction? this one says this throughout: 1=yes consent, 2=no consent, but the docs in here all say the opposite: 1=no consent, 2=yes consent
The "malfunction" is not technical or related to a confusion; you've identified a policy decision Prebid has made in consultation with counsel to consider consent to PersonalDataConsents invalid. If you gathered consent to share someone's social security number or read their email contents, we do the same thing. No Consent to PersonalDataConsents or N/A to PersonalDataConsents doesn't bother us, as we don't think people could consent to this.
Ha sorry you're getting tripped up on my words, not asking you to change anything after you mentioned legal decision, but am highlighting the IAB docs have labeled the values backwards in one of those places, which likely led to my confusion on the value that was set in a consent response. It likely meant 2(no consent), but I read the (prob incorrect) docs that said 2=consent. I'll go file an issue over there pointing that out.
any chance you could flag at https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform as an issue?
womp lol, when you google "mspa PersonalDataConsents" the first result is a link to an outdated legal doc on the IAB website with the flipped values (thanks google), looks like the final legal doc does match the github tech docs. am pretty sure at this point either OneTrust is doing something wrong, or the publisher has badly misconfigured their cmp settings. Either way, closing this ticket.
ok, yeah it's OneTrust just casually putting a dropdown for this alongside other things that at the surface seem like you should enable, so will just have to be extra cautious with pubs using OneTrust.
@andyblackwell OneTrust product is aware of this thread, but hasn't sent me any more messages beyond acknowledging that. Hopefully they will fix their product to make it clear to publishers that this type of consent is at best unusual and at worst invalid.
Type of issue
MSPA Activity Control for GPP has invalid logic denying features when consent is granted
Description
line in question: https://github.com/prebid/Prebid.js/blob/fe4a2cc660eae9bb30b596ca964baf2bc3b8cd33/libraries/mspa/activityControls.js#L24C5-L24C34
from the specs looks like this should be cd.PersonalDataConsents === 1, so it would only return true from isBasicConsentDenied() if "No Consent"
Global-Privacy-Platform/Sections/US-National tech specs
Expected results
user syncs and user ids should not be restricted when consent granted
Actual results
user syncs and user ids are restricted when consent granted