userID: GDPR enforcement should be active only when GDPR enforcement has been configured

[dgirardi]

Type of issue

Improvement

Description

The userID module, when initializing, checks that either:

1. the gdprEnforcement module was installed, or
2. we have purpose 1 consent (if GDPR is in scope).

Relevant logic:

Prebid.js/modules/userId/index.js

Lines 860 to 866 in 8c8a2d7

	// another consent check, this time each module is checked for consent with its own gvlid
	let { userIdModules, hasValidated } = validateGdprEnforcement(submodules, consentData);
	if (!hasValidated && !hasPurpose1Consent(consentData)) {
	logWarn(`${MODULE_NAME} - gdpr permission not valid for local storage or cookies, exit module`);
	return [];
	}

This is in contrast to all other GDPR enforcement checks, which only happen if the GDPR module is installed; and does not work well with upcoming activity controls, because they will replace the single gdprEnforcement module with any number of control mechanisms.

The userId module should be updated to not do GDPR enforcement.