adding deviceAccess flag and TCF2 (#1857)

* adding deviceAccess flag and TCF2

* moved tcf2 blog post to separate PR

* edits

* removing defaultGdprScope from this PR

* clarifying

Confirming which bidders need to update and how to get a bidder on the TCF 1.1 and TCF 2.0 lists.

Co-authored-by: Jean Stemp <[email protected]>

Author: bretg

_includes/partners.html

@@ -17,7 +17,7 @@
 	</script>
 	<div id="memberTableLeader"></div>
 	<script>
-	  writeDynamicTable({div:"memberTableLeader", data:"memberDataLeader", sort:"rowFirst", maxcols:4, striped: false});
+	  writeDynamicTable({div:"memberTableLeader", data:"memberDataLeader", sort:"rowFirst", maxcols:4, striped: false, fixedHeight: true});
 	</script>
 
 	<div class="tableTitle"><h3>Prebid.org Technology Partner Members</h3></div>
@@ -35,7 +35,7 @@
 	</script>
 	<div id="memberTableTech"></div>
 	<script>
-	  writeDynamicTable({div:"memberTableTech", data:"memberDataTech", sort:"rowFirst", striped: false});
+	  writeDynamicTable({div:"memberTableTech", data:"memberDataTech", sort:"rowFirst", maxcols: 4, striped: false, fixedHeight: true});
 	</script>
 
 	<div class="tableTitle"><h3>Prebid.org Publisher Members</h3></div>
@@ -53,7 +53,7 @@
 	</script>
 	<div id="memberTablePub"></div>
 	<script>
-	  writeDynamicTable({div: "memberTablePub", data: "memberDataPub", sort:"rowFirst", maxcols: 4, striped: false});
+	  writeDynamicTable({div: "memberTablePub", data: "memberDataPub", sort:"rowFirst", maxcols: 4, striped: false, fixedHeight: true});
 	</script>
 
 	<div class="tableTitle"><h3>Prebid.org Community Members</h3></div>
@@ -73,7 +73,7 @@
 
 	<div id="memberTableComm"></div>
 	<script>
-	  writeDynamicTable({div: "memberTableComm", data: "memberDataComm", sort:"rowFirst", striped: false});
+	  writeDynamicTable({div: "memberTableComm", data: "memberDataComm", sort:"rowFirst", maxcols: 4, striped: false, fixedHeight: true});
 	</script>
 
 

assets/js/dynamicTable.js

@@ -10,7 +10,8 @@
 //   data is the name of variable containing the data
 //   sort can be "colFirst" (the default) or "rowFirst"
 //   maxcols can set a max number of columns
-//   striped is boolean defining whether to set the table-striped class. defaults to yes.
+//   striped is boolean defining whether to set the table-striped class. defaults to true.
+//   fixedHeight is boolean defining whether to set the fixed height class. defaults to false
 //
 //   Structure of the data-array:
 //   dynamicTableContents[{{x}}]={};
@@ -58,24 +59,36 @@ function writeDynamicTable(args) {
 
   var tbl = document.createElement('table');
   tbl.style.width = '100%';
-  var striped;
-  if (typeof args.striped === 'undefined') {
-    striped=true;
+  var striped=true;
+  if (typeof args.striped === 'boolean') {
+    striped=args.striped;
   }
   if (striped) {
     tbl.setAttribute('class', 'table-bordered table-striped centered');
   } else {
     tbl.setAttribute('class', 'table-bordered centered');
   }
+  var fixedHeight=false;
+  if (typeof args.fixedHeight === 'boolean') {
+    fixedHeight=args.fixedHeight;
+  }
   var tbdy = document.createElement('tbody');
   tbdy.setAttribute('class','centered');
   var idx=0;
   for (var r = 0; r < numRows; r++) {
     var tr = document.createElement('tr');
-    tr.setAttribute('class','centeredFixedHeight');
+    if (fixedHeight) {
+      tr.setAttribute('class','centeredFixedHeight');
+    } else {
+      tr.setAttribute('class','centered');
+    }
     for (var c = 0; c < numCols; c++) {
         var td = document.createElement('td');
-	td.setAttribute('class','centeredFixedHeight');
+	if (fixedHeight) {
+	  td.setAttribute('class','centeredFixedHeight');
+	} else {
+	  td.setAttribute('class','centered');
+	}
 	if (sortType == "colFirst") {
 		idx=(r + (c*numRows));
 	} else {

dev-docs/modules/consentManagement.md

@@ -15,6 +15,9 @@ sidebarType : 1
 * TOC
 {: toc }
 
+{: .alert.alert-warning :}
+Prebid.org is working on updates that will enable support for reading and parsing TCF 2.0 consent strings. See the [blog post](/blog/tcf2) for timelines.
+
 ## Overview
 
 This consent management module is designed to support the EU General Data Protection Regulation ([GDPR](https://www.iab.com/topics/consumer-privacy/gdpr/))
@@ -44,13 +47,13 @@ If the timeout period expires or an error from the CMP is thrown, one of these a
 
 ## Page Integration
 
-To utilize this module, a CMP compatible with the [IAB 1.1 TCF spec](https://iabeurope.eu/tcf-v1/) needs to be implemented on the site to interact with the user and obtain their consent choices.  
+To utilize this module, a Consent Management Platform (CMP) compatible with the [IAB TCF v1.1 spec](https://iabeurope.eu/tcf-v1/) or [IAB TCF v2.0 spec](https://iabeurope.eu/tcf-2-0/) needs to be implemented on the site to interact with the user and obtain their consent choices.  
 
 Though implementation details for the CMP are not covered by Prebid.org, we do recommend to that you place the CMP code before the Prebid.js code in the head of the page in order to ensure the CMP's framework is loaded before the Prebid code executes.
 
 Once the CMP is implemented, simply include this module into your build and add a `consentManagement` object in the `setConfig()` call.  Adapters that support this feature will then be able to retrieve the consent information and incorporate it in their requests.
 
-Here are the parameters supported in the `consentManagement` object:
+Here are the parameters supported in the `consentManagement.gdpr` object:
 
 {: .alert.alert-warning :}
 Note that versions of Prebid.js before 2.43.0 had a different GDPR configuration. The module is backwards-compatible,
@@ -62,15 +65,70 @@ but we recommend migrating to the new config structure as soon as possible.
 | gdpr | `Object` | | |
 | gdpr.cmpApi | `string` | The CMP interface that is in use. Supported values are **'iab'** or **'static'**. Static allows integrations where IAB-formatted consent strings are provided in a non-standard way. Default is `'iab'`. | `'iab'` |
 | gdpr.timeout | `integer` | Length of time (in milliseconds) to allow the CMP to obtain the GDPR consent string. Default is `10000`. | `10000` |
-| gdpr.allowAuctionWithoutConsent | `boolean` | Determines what will happen if obtaining consent information from the CMP fails; either allow the auction to proceed (`true`) or cancel the auction (`false`). Default is `true` | `true` |
-| gdpr.consentData | `Object` | An object representing the GDPR consent data being passed directly; only used when cmpApi is 'static'. Default is `undefined`. Not currently supported for US Privacy. | |
+| gdpr.allowAuctionWithoutConsent | `boolean` | (TCF v1.1 only) Determines what will happen if obtaining consent information from the CMP fails; either allow the auction to proceed (`true`) or cancel the auction (`false`). Default is `true` | `true` |
+| gdpr.consentData | `Object` | An object representing the GDPR consent data being passed directly; only used when cmpApi is 'static'. Default is `undefined`. | |
+| gdpr.consentData.getTCData.tcString | `string` | (TCF v2.0 only) Base64url-encoded TCF v2.0 string with segments. | |
+| gdpr.consentData.getTCData.gdprApplies | `boolean` | (TCF v2.0 only) Defines whether or not this pageview is in GDPR scope. | |
+| gdpr.consentData.getConsentData.gdprApplies | `boolean` | (TCF v1.1 only) Defines whether or not this pageview is in GDPR scope. | |
+| gdpr.consentData.getConsentData.hasGlobalScope | `boolean` | (TCF v1.1 only) True if consent data is global, false if it's publisher specific. | |
+| gdpr.consentData.getConsentData.consentData | `string` | (TCF v1.1 only) Encoded TCF v1.1 string. | |
+| gdpr.consentData.getVendorConsents.metadata | `string` | (TCF v1.1 only) Encoded TCF v1.1 string. | |
 
 {: .alert.alert-info :}
-NOTE: The `allowAuctionWithoutConsent` parameter refers to the entire consent string, not to any individual consent option. Prebid.js does not parse the GDPR consent string, so it doesn't know if the user has consented to any particular action.
+NOTE: The `allowAuctionWithoutConsent` parameter supported for TCF v1.1 refers to the entire consent string, not to any individual consent option. Prebid.js does not parse the GDPR consent string, so it doesn't know if the user has consented to any particular action.
 
-### Examples
+A related parameter is `deviceAccess`, which is at the global level of Prebid.js configuration because it can be used GDPR, CCPA, or custom privacy implementations:
 
-Example 1: GDPR IAB CMP using custom timeout and cancel-auction options.
+{: .table .table-bordered .table-striped }
+| Param | Type | Description | Example |
+| --- | --- | --- | --- |
+| deviceAccess | `boolean` | If false, Prebid.js will prevent adapters and modules from reading and setting cookies and HTML local storage. Defaults to `true`. | `false` |
+
+
+### TCF v2.0 Examples
+
+Example 1: IAB CMP using custom timeout
+
+{% highlight js %}
+     var pbjs = pbjs || {};
+     pbjs.que = pbjs.que || [];
+     pbjs.que.push(function() {
+        pbjs.setConfig({
+          consentManagement: {
+            gdpr: {
+              cmpApi: 'iab',
+              timeout: 8000
+            }
+          }
+        });
+     });
+{% endhighlight %}
+
+Example 2: Static CMP using custom data passing.
+
+{% highlight js %}
+     var pbjs = pbjs || {};
+     pbjs.que = pbjs.que || [];
+     pbjs.que.push(function() {
+        pbjs.setConfig({
+          consentManagement: {
+            gdpr: {
+              cmpApi: 'static',
+              consentData: {
+		getTCData: {
+		  tcString: 'COwK6gaOwK6gaFmAAAENAPCAAAAAAAAAAAAAAAAAAAAA.IFoEUQQgAIQwgIwQABAEAAAAOIAACAIAAAAQAIAgEAACEAAAAAgAQBAAAAAAAGBAAgAAAAAAAFAAECAAAgAAQARAEQAAAAAJAAIAAgAAAYQEAAAQmAgBC3ZAYzUw',
+		  gdprApplies: true
+		}
+              }
+            }
+          }
+        });
+     });
+{% endhighlight %}
+
+### TCF v1.1 Examples
+
+Example 1: IAB CMP using custom timeout and cancel-auction options.
 
 {% highlight js %}
      var pbjs = pbjs || {};
@@ -85,7 +143,6 @@ Example 1: GDPR IAB CMP using custom timeout and cancel-auction options.
             }
           }
         });
-        pbjs.addAdUnits(adUnits);
      });
 {% endhighlight %}
 
@@ -114,7 +171,6 @@ Example 2: Static CMP using custom data passing.
             }
           }
         });
-        pbjs.addAdUnits(adUnits);
      });
 {% endhighlight %}
 
@@ -128,6 +184,9 @@ gulp build --modules=consentManagement,bidAdapter1,bidAdapter2
 
 ## Adapter Integration
 
+{: .alert.alert-info :}
+Prebid.js adapters don't need to change to support TCF v2.0 if they already support TCF 1.1 -- the consent string is passed through the same bidrequest location. The bidder's endpoint, however, will need to change to support TCF v2.0. Once the endpoint supports TCF2, you can update the documentation.md file as described below above the table showing the list of TCF2-compliant bidders. 
+
 If you are submitting changes to an adapter to support this approach, please also submit a PR to the [docs repo](https://github.com/prebid/prebid.github.io) to add the `gdpr_supported: true` variable to your respective page in the [bidders directory](https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders).  **This will ensure that your adapter's name will automatically appear on the list of adapters supporting GDPR.**
 
 ### Bidder Adapter GDPR Integration
@@ -204,7 +263,23 @@ getUserSyncs: function(syncOptions, responses, gdprConsent, usPrivacy) {
 
 Depending on your needs, you could include the consent information in a query of your pixel and/or, given the consent choices, determine if you should drop the pixels at all.
 
-## Publishers not using an IAB-Compliant CMP
+## Publisher Scenarios
+
+### Page Control of Consented Activities
+
+Page JavaScript can prevent Prebid.js from performing various activities that come under the scope of GDPR controls. Since header bidding isn't the only service that falls under GDPR scope, the page may already have parsed the TCF string and stored it.
+
+Here are some things that publishers can do to control various activities:
+
+1. If the user hasn't consented to Purpose 1:
+  - Set [deviceAccess](/dev-docs/publisher-api-reference.html#setConfig-deviceAccess): false
+  - Don't enable [userSync](/dev-docs/publisher-api-reference.html#setConfig-Configure-User-Syncing)
+  - Don't enable [userId](/dev-docs/modules/userId.html) modules
+
+2. If you're working with bidders that don't support GDPR, consider dynamically populating adunits as needed. See the list below for bidders supporting GDPR.
+
+
+### Publishers Not Using an IAB-Compliant CMP
 
 Prebid.js and much of the ad industry rely on the IAB CMP standard for GDPR support, but there might be some publishers who have implemented a different approach to meeting the privacy rules. Those publishers can utilize Prebid.js and the whole header bidding ecosystem by building a translation layer between their consent method and the IAB method.
 
@@ -279,7 +354,7 @@ var cmpLoaded;       // true if iabConsentData was loaded and processed
 })(window, document);
 {% endhighlight %}
 
-### Explanation of Parameters
+#### Explanation of Parameters
 
 **_iabConsentData_**  
 For instructions on how to generate the IAB consent string see the [IAB CMP 1.1 Spec](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework) and [IAB Consent String SDK](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/tree/master/Consent%20String%20SDK).
@@ -299,26 +374,52 @@ This should be false if there was some error in the consent data; otherwise set
 **_cmpLoaded_**  
 This should be be set to true once the parameters listed above are processed.
 
-## Adapters Supporting GDPR
+## Adapters Supporting TCF v1.1:
+
+Bidders on this list have self-declared their TCF 1.1 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding `gdpr_supported: true`. 
 
 <script src="/assets/js/dynamicTable.js" type="text/javascript"></script>
 
 <script type="text/javascript">
-var adaptersSupportingGdpr=[];
+var adaptersSupportingGdpr1=[];
 var idx_gdpr=0;
 {% assign bidder_pages = site.pages | where: "layout", "bidder" %}
 {% for item in bidder_pages %}
     {% if item.gdpr_supported == true %}
-	adaptersSupportingGdpr[idx_gdpr]={};
-	adaptersSupportingGdpr[idx_gdpr].href="/dev-docs/bidders.html#{{item.biddercode}}";
-	adaptersSupportingGdpr[idx_gdpr].text="{{item.title}}";
+	adaptersSupportingGdpr1[idx_gdpr]={};
+	adaptersSupportingGdpr1[idx_gdpr].href="/dev-docs/bidders.html#{{item.biddercode}}";
+	adaptersSupportingGdpr1[idx_gdpr].text="{{item.title}}";
+	idx_gdpr++;
+    {% endif %}
+{% endfor %}
+</script>
+
+<div id="adaptersTableGdpr1">
+        <script>
+           writeDynamicTable({div: "adaptersTableGdpr1", data: "adaptersSupportingGdpr1", sort: "rowFirst", striped: false} );
+        </script>
+</div>
+
+## Adapters Supporting TCF v2.0:
+
+Bidders on this list have self-declared their TCF 2.0 support in their https://github.com/prebid/prebid.github.io/tree/master/dev-docs/bidders md file by adding `tcf2_supported: true`. 
+
+<script type="text/javascript">
+var adaptersSupportingGdpr2=[];
+var idx_gdpr=0;
+{% assign bidder_pages = site.pages | where: "layout", "bidder" %}
+{% for item in bidder_pages %}
+    {% if item.tcf2_supported == true %}
+	adaptersSupportingGdpr2[idx_gdpr]={};
+	adaptersSupportingGdpr2[idx_gdpr].href="/dev-docs/bidders.html#{{item.biddercode}}";
+	adaptersSupportingGdpr2[idx_gdpr].text="{{item.title}}";
 	idx_gdpr++;
     {% endif %}
 {% endfor %}
 </script>
 
-<div id="adaptersTableGdpr">
+<div id="adaptersTableGdpr2">
         <script>
-           writeDynamicTable({div: "adaptersTableGdpr", data: "adaptersSupportingGdpr", sort: "rowFirst", striped: false} );
+           writeDynamicTable({div: "adaptersTableGdpr2", data: "adaptersSupportingGdpr2", sort: "rowFirst", striped: false} );
         </script>
 </div>

dev-docs/publisher-api-reference.md

@@ -42,6 +42,7 @@ This page has documentation for the public API methods of Prebid.js.
   * [.markWinningBidAsUsed(markBidRequest)](#module_pbjs.markWinningBidAsUsed)
   * [.setConfig(options)](#module_pbjs.setConfig)
     * [debugging](#setConfig-Debugging)
+    * [deviceAccess](#setConfig-deviceAcess)
     * [bidderTimeout](#setConfig-Bidder-Timeouts)
     * [maxRequestsPerOrigin](#setConfig-Max-Requests-Per-Origin)
     * [disableAjaxTimeout](#setConfig-Disable-Ajax-Timeout)
@@ -1260,6 +1261,7 @@ See below for usage examples.
 Core config:
 
 + [Debugging](#setConfig-Debugging)
++ [Device Access](#setConfig-deviceAccess)
 + [Bidder Timeouts](#setConfig-Bidder-Timeouts)
 + [Max Requests Per Origin](#setConfig-Max-Requests-Per-Origin)
 + [Disable Ajax Timeout](#setConfig-Disable-Ajax-Timeout)
@@ -1307,6 +1309,18 @@ pbjs.setConfig({ debug: true });
 {: .alert.alert-warning :}
 Note that turning on debugging for Prebid Server causes most server-side adapters to consider it a test request, meaning that they won't count on reports.
 
+<a name="setConfig-deviceAccess" />
+
+#### Device Access
+
+You can prevent Prebid.js from reading or writing cookies or HTML localstorage by setting this flag:
+
+{% highlight js %}
+pbjs.setConfig({ deviceAccess: false });
+{% endhighlight %}
+
+This can be useful in GDPR, CCPA, COPPA or other privacy scenarios where a publisher has determined that header bidding should not read from or write the user's device.
+
 <a name="setConfig-Bidder-Timeouts" />
 
 #### Bidder Timeouts