Prebid Server and CCPA - Phase 2 #1129

Closed
SyntaxNode opened this issue Dec 2, 2019 · 7 comments
Labels
Intent to implement An issue describing a plan for a major feature. These are intended for community feedback

@SyntaxNode (Contributor) commented Dec 2, 2019

This is a followup to: #1107

We propose to enforce CCPA regulations in a conservative manner, such that when the CCPA opt-out signal is present Prebid Server will consider every bid a "sale" unless the publisher explicitly declares a relationship with a bidder as not constituting a "sale" or the server host includes a per-account or per-bidder whitelist override.

Specification

As specified by the IAB, the CCPA value is a four character string encoding of the following information (from left to right):

  • Char 1: Specification version number.
  • Char 2: Explicit Notice / Opportunity to Opt-Out
  • Char 3: Opt-Out Sale
  • Char 4: Limited Service Provider Agreement (LSPA)

Signal

We propose to use the Opt-Out Sale as the signal for enforcement when it's explicitly set to Y/Yes. Other valid values are N/No and -/Not Applicable.

Validation

Lowercase letters are not specified in the IAB spec and should not be interpreted as valid by Prebid Server. The draft versions of the IAB spec specify a three-character variant, which should also not be interpreted as valid. An empty or null string should be interpreted as valid and does not represent an opt-out.

Phase 2 Changes

  1. If a CCPA signal is not present in the OpenRTB request, process the bid request as normal.
  2. If a CCPA signal is invalid, process the bid request as normal and send a warning back to the publisher in a bid response indicating the CCPA was invalid and ignored.
  3. If a CCPA signal indicates an opt-out sale, enforce the same privacy protections we do today for GDPR (prevent cookie sync and remove Personally Identifiable Information, PII).
  4. If the publisher has specified that a relationship with a bidder does not constitute a "sale", then process the bid request as normal.
  5. If the server's CCPA per-account whitelist matches a request, then process the bid request as normal.
  6. If the server's CCPA per-bidder whitelist matches a request, then process the bid request as normal.

Bidder Relationships

Defined in the bid request ext section. If an invalid bidder is provided an error should be sent back to the publisher.

request: {
    "ext": {
        "prebid": {
            "nosale": ["appnexus", "rubicon"]
        }
    }
}

A star * may also be specified to represent all bidders:

request: {
    "ext": {
        "prebid": {
            "nosale": ["*"]
        }
    }
}

It is not valid for a star * to be mixed in with explicit bidders; doing so should result in * not being recognized as a bidder.

Config

  • CCPA Global Flag: Defaults to on.
  • CCPA Per-Account Whitelist: If you're on this list then you are exempt from CCPA enforcement.
  • CCPA Per-Bidder Whitelist: If you're on this list then you are exempt from CCPA enforcement.

Supporting Docs
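To make the Validation, Bidder Relationships and Config rules above concrete, here is an added Go sketch. It is not Prebid Server's own code: the function names, the Policy field names and the known-bidder map are assumptions, and it models only the Phase 2 decision logic described in this issue.

```go
package main

import "fmt"

// ParseOptOut applies the Validation rules: exactly four characters, a digit
// version, uppercase Y/N/- only; char 3 == 'Y' is the opt-out signal. An empty
// string is valid and is not an opt-out. The error is the publisher warning.
func ParseOptOut(consent string) (bool, error) {
	if consent == "" {
		return false, nil
	}
	if len(consent) != 4 || consent[0] < '0' || consent[0] > '9' {
		return false, fmt.Errorf("ccpa: %q is not a four-character value, ignored", consent)
	}
	for _, c := range consent[1:] {
		if c != 'Y' && c != 'N' && c != '-' { // lowercase is not in the IAB spec
			return false, fmt.Errorf("ccpa: %q contains an invalid character, ignored", consent)
		}
	}
	return consent[2] == 'Y', nil
}

// ValidateNoSale checks ext.prebid.nosale: "*" alone covers every bidder; mixed
// with explicit names it is treated as an unrecognized bidder and rejected.
func ValidateNoSale(nosale []string, known map[string]bool) (map[string]bool, error) {
	out := map[string]bool{}
	if len(nosale) == 1 && nosale[0] == "*" {
		out["*"] = true
		return out, nil
	}
	for _, b := range nosale {
		if !known[b] {
			return nil, fmt.Errorf("ccpa: unrecognized bidder in nosale: %q", b)
		}
		out[b] = true
	}
	return out, nil
}

// Policy models the host-side switches listed under Config (field names assumed).
type Policy struct{ Enforce bool; AccountWhitelist, BidderWhitelist map[string]bool }

// ShouldEnforce reports whether the GDPR-style protections (no cookie sync, PII
// removed) apply to this bidder, following Phase 2 Changes steps 1 through 6.
func ShouldEnforce(p Policy, optOut bool, account, bidder string, nosale map[string]bool) bool {
	return p.Enforce && optOut && !nosale["*"] && !nosale[bidder] &&
		!p.AccountWhitelist[account] && !p.BidderWhitelist[bidder]
}
```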

@SyntaxNode (Contributor, Author) commented:

I would like to add support for a conservative enforcement approach to Prebid Server before the year end as an optional feature flag for those interested. The specifics for enforcement may change as the industry receives legal guidance, so the target for an official feature is still targeted for Q1 2020.

stale bot commented Dec 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@bretg (Contributor) commented Dec 13, 2019

Similar to GDPR, we'd like to see several switches that can be controlled by the PBS host company:

  1. A flag to turn off the CCPA enforcement globally. (it can default to enforcement being on)
  2. A per-account flag to turn off CCPA enforcement for that account.
  3. A per-bidder flag to turn off CCPA enforcement for that adapter.

I'm tempted to go even further and ask for flags to turn off the behavior for both CCPA and GDPR based on site.domain and app.bundle, but open for discussion on this. I've received a question about that capability.

You didn't mention anything about geo-location in this proposal. GDPR enforcement integrates with a geo lookup service to see if the user is in the EEA.

Are you thinking that confirmation of California users is Phase 3?

@SyntaxNode (Contributor, Author) commented:

We discussed this during the Prebid.org Server working group meeting. We agree on three bulleted configurations, similar to what we have today for GDPR, which has proved to be valuable.

I personally don't want to maintain a list of sites or apps on the server. @bretg suggested to allow a * in the no-sale array to indicate the publisher considers information going to all bidders as not constituting a sale and effectively turning off CCPA this way instead of through a white list. That approach was favored. This will work through the existing stored requests infrastructure.

I didn't mention geo-location simply because it is not a feature of this Prebid Server. That may change at some point, but I think it's best to leave that un-spec'd for now.

I'll update the issue to reflect.

@SyntaxNode (Contributor, Author) commented:

I'm looking for feedback on:

  • Name of the extension field.
  • How to send back a warning to the publisher if the CCPA value is invalid.
  • How to handle a mixed case of explicit bidders and a star.

@SyntaxNode (Contributor, Author) commented:

I received a request to change the name from no-sale to nosale to better match OpenRTB naming conventions. Sound logic. Going with that for now.

@bretg (Contributor) commented Jan 9, 2020

Code PR #1138
