Prebid Server and CCPA - phase 1 #1107

Closed
bretg opened this issue Nov 6, 2019 · 6 comments
Labels
Intent to implement An issue describing a plan for a major feature. These are intended for community feedback

Comments

@bretg
Contributor

bretg commented Nov 6, 2019

The proposal for Prebid.js support for CCPA has been posted at prebid/Prebid.js#4425

The interface to Prebid Server is straightforward: a single value is placed on regs.ext.us_privacy:

```
{
    "regs": {
        "ext": {
            "us_privacy": "1YN"
        }
    }
}
```

We propose this two-phase support plan for Prebid Server:

  • Phase 1 - Simple pass-through: Prebid Server just passes regs.ext.us_privacy through to each bidder adapter, each of which is responsible for passing the signal through to their endpoints. The value may also be passed through cookie-sync/setuid calls. No validation is done on the value. This phase will be done in time for the early January deadline. It's assumed that each SSP/DSP will be implementing CCPA enforcement according to their interpretation of the guidelines.
  • Phase 2 - Enforcement support: similar to the way that Prebid Server allows host companies to turn on GDPR enforcement, we will design and build CCPA/US-Privacy enforcement capability. This phase would not be done until the end of 1Q2020.

Phase 1 Changes

  1. Passing regs.ext.us_privacy through the system untouched likely requires no work other than testing.

  2. AMP requests can pass a us_privacy parameter through the GET URI, which is added to the OpenRTB as regs.ext.us_privacy

  3. The /cookie_sync endpoint will accept an additional us_privacy parameter

```
{
    "bidders": ["appnexus", "rubicon"],
    "gdpr": 1,
    "gdpr_consent": "BONV8oqONXwgmADACHENAO7pqzAAppY",
    "us_privacy": "1YN",
    "limit": 2
}
```

  4. Every bidder's sync URL will be modified to pass the URL-encoded privacy value through to the sync endpoints. e.g.

```
usersync:
  url: https://pixel.rubiconproject.com/exchange/sync.php?p=prebid&gdpr={{gdpr}}&gdpr_consent={{gdpr_consent}}&us_privacy={{us_privacy}}
```

```
usersync:
  url: //ib.adnxs.com/getuid?
  redirect-url: /setuid?bidder=adnxs&gdpr={{gdpr}}&gdpr_consent={{gdpr_consent}}&us_privacy={{us_privacy}}&uid=$UID
```

  5. The {{us_privacy}} macro will get resolved to the value passed through /cookie_sync or empty.

Phase 2 Design

A separate issue will be opened to propose and discuss the more difficult enforcement feature.

@bretg bretg added the Intent to implement An issue describing a plan for a major feature. These are intended for community feedback label Nov 6, 2019
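The macro resolution and AMP mapping described in the post above, as an added Go example that is not part of the original issue and not Prebid Server's own code. The names `ResolveSyncURL`, `ApplyAMPUSPrivacy` and `child` are assumptions; each macro value is URL-encoded because phase 1 passes `us_privacy` through without validation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// ResolveSyncURL fills the usersync macros (hypothetical helper). Values are
// URL-encoded so an unvalidated us_privacy cannot add or override parameters.
func ResolveSyncURL(tmpl, gdpr, consent, usPrivacy string) string {
	return strings.NewReplacer(
		"{{gdpr}}", url.QueryEscape(gdpr),
		"{{gdpr_consent}}", url.QueryEscape(consent),
		"{{us_privacy}}", url.QueryEscape(usPrivacy), // empty when not supplied
	).Replace(tmpl)
}

// child returns m[key] as a JSON object, creating it when absent.
func child(m map[string]any, key string) map[string]any {
	c, ok := m[key].(map[string]any)
	if !ok {
		c = map[string]any{}
		m[key] = c
	}
	return c
}

// ApplyAMPUSPrivacy copies the AMP GET parameter us_privacy, when present,
// into regs.ext.us_privacy of the OpenRTB request and keeps all other fields.
func ApplyAMPUSPrivacy(query url.Values, bidRequest []byte) ([]byte, error) {
	v := query.Get("us_privacy")
	if v == "" {
		return bidRequest, nil // nothing to add: request passes through untouched
	}
	var req map[string]any
	if err := json.Unmarshal(bidRequest, &req); err != nil || req == nil {
		return nil, fmt.Errorf("bid request is not a JSON object (err=%v)", err)
	}
	child(child(req, "regs"), "ext")["us_privacy"] = v
	return json.Marshal(req)
}

func main() {
	fmt.Println(ResolveSyncURL("/setuid?bidder=adnxs&us_privacy={{us_privacy}}&uid=$UID", "", "", "1YN"))
	out, _ := ApplyAMPUSPrivacy(url.Values{"us_privacy": {"1YN"}}, []byte(`{"id":"r1"}`)) // constructed request
	fmt.Println(string(out))
}
```

Decoding into a generic map re-serializes keys in sorted order and can alter very large integers; code working with typed OpenRTB structs would set the field on the struct instead.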
@hhhjort
Collaborator

hhhjort commented Nov 7, 2019

Should we even usersync if we get the privacy signal?

@bretg
Contributor Author

bretg commented Nov 7, 2019

Doing any kind of enforcement (e.g. suppressing usersync) is what I'm thinking of as the second phase.

Stepping back, CCPA is about "selling data". Prebid Server itself is a kind of a smart proxy that can be run in a mode where the host company isn't selling data. So as an open source project, we need to consult with Prebid's lawyers and build in the right controls so different host companies can determine (with their own lawyers) how they want to configure the system to enforce various facets.

DGarbar added a commit to prebid/prebid-server-java that referenced this issue Nov 15, 2019
`request.regs.ext.us-privacy` pass-through to each bidder.
```
{
    "regs": {
        "ext": {
            "us_privacy": "1YN"
        }
    }
}
```

`/cookie_sync` accepts a "us_privacy" field, which is used for the {{us_privacy}} macro
redirect-url: /setuid?bidder=adnxs&gdpr={{gdpr}}&gdpr_consent={{gdpr_consent}}&us_privacy={{us_privacy}}&uid=$UID

For more information
prebid/prebid-server#1107
@bretg
Contributor Author

bretg commented Nov 15, 2019

Discussed in the Prebid Server meeting today.

  • Hans noted that some adapters translate OpenRTB to a GET. We will reach out to those adapters.
  • Bryan confirmed that SDK support is in progress.
  • @hhhjort will post a proposal for support within the long form video endpoint.
  • AMP support will depend on the AMP project. We'll define AMP param us_privacy and if it exists, then PBS will create the necessary OpenRTB regs.ext.us_privacy. (added to description above)

rpanchyk pushed a commit to prebid/prebid-server-java that referenced this issue Nov 27, 2019
* CCPA Phase 1

`request.regs.ext.us-privacy` pass-through to each bidder.
```
{
    "regs": {
        "ext": {
            "us_privacy": "1YN"
        }
    }
}
```

`/cookie_sync` accepts a "us_privacy" field, which is used for the {{us_privacy}} macro
redirect-url: /setuid?bidder=adnxs&gdpr={{gdpr}}&gdpr_consent={{gdpr_consent}}&us_privacy={{us_privacy}}&uid=$UID

For more information
prebid/prebid-server#1107

* improve doc

* Add Amp ccpa processing

* refactor model business logic.
@SyntaxNode
Contributor

Do we have an idea of which bidders support accepting the us privacy signal through their sync endpoint? I see you enabled a few in: prebid/prebid-server-java@f6c4bc9

For PBS-Go, we would prefer to avoid appending the value to the redirect url until we figure out if it's needed for enforcement.

@bretg
Contributor Author

bretg commented Dec 6, 2019

We're passing us_privacy through all of the sync endpoints indiscriminately. Our assumption is that extra unused params shouldn't break anything.

@bretg
Contributor Author

bretg commented Dec 13, 2019

Closing out CCPA Phase 1.

@bretg bretg closed this as completed Dec 13, 2019