-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
USP Privacy Module: listen for deletion event #9081
Comments
Thanks for sharing, so gpp-core needs an pub defined array of vendor endpoints where each endpoint is called when Data Deletion Request is received. I'm operating off this spec which considers a GPP core module with various sub adapters representing various regs. I see this issue references the existing USP Privacy Module, do we want to continue development on that module? If so, we could do the same, add an array of vendor endpoints that get invoked when the deletion request comes in. Functionally, I doubt annnnny vendor has an endpoint for this though. |
Yeah; suppose you are a fingerprint vendor. The user opts out two min into the page view. The user id module fingerprint vendor never knows, and never processes the deletion request. |
Ok, so summarizing the Identity PMC consensus.
|
This is fairly limited in scope which is quite positive, marking ready for dev. So Prebid will simply fire an internal event that anyone vendor module in Prebid can fire an xhr from when it hears a deletion request from the uspapi. It seems we should also wipe the shared id from local storage or cookie on that event? |
yes "shared id from local storage or cookie on that event". To be clear though, we expect the sub adapters to be listening for that event and do the necessary removal, or are you saying in sharedids case the usp module will do that for it? |
the sharedid module should listen for the event from the usp module |
Here's my proposal:
* we could also do an event, but I think a method will make it easier to discover for both adapter maintainers and their users. |
Here's an issue: if we get the data deletion request and delete all data, on the next page refresh Prebid will have forgotten about it and fetch/store all data again (since we do not have any enforcement for USP). Do we need to implement enforcement first? |
yes. Data deletion requests should persist. |
I do not generally consider data deletion requests to be analogous to right to be forgotten events. Traditionally we do not consider deletion requests to be persistent. A user who wants to end data collection in my understanding would delete data with a request and then opt out. |
(I would love to see a Prebid plugin that actually turns off systems in response to an opt out signal that helps with this, but I think that is a different signal) |
Type of issue
Feature request
Description
https://github.com/InteractiveAdvertisingBureau/USPrivacy/blob/master/CCPA/Data%20Deletion%20Request%20Handling.md describes an event we should potentially listen for and react to from the USP module. I am told ( by @AramZS ) that Prebid will need to fire endpoints with deletion requests upon 'hearing' this event under CPRA. Looking for confirmatory documentation.
The text was updated successfully, but these errors were encountered: