Can Prebid block requests by CMP settings of vendors? #10529

Closed
renebaudisch opened this issue Sep 25, 2023 · 7 comments

@renebaudisch
Contributor

Type of issue

Not an issue but a question

Description

I was wondering if Prebid should remove bidders if the user disabled consent for them in the CMP, and how to set it up.

Steps to reproduce

Consider a CMP where the user disapproved consent for vendorID "91" (Criteo).
Now the website wants to make a bid using bidder criteoBidAdapter,
is prebid able to block this request because the vendor 91 is set to false inside the consent data?

@dgirardi
Collaborator

What you describe is Prebid's default behavior as long as you set up consentManagement and gdprEnforcement.

@renebaudisch
Contributor Author

renebaudisch commented Sep 25, 2023

Right now, I do not have an accessible demo page, but in my development it seems not to work.
There I'm using v7.31.0 but as I understood, this should be default since 4.0.

Modules are installed:
image

I did this config:

```javascript
config.consentManagement = {
  cmpApi: 'iab',
  timeout: 500,
  defaultGdprScope: true,
  rules: [{        // these are the default values
      purpose: "storage",
      enforcePurpose: true,
      enforceVendor: true
  },{
      purpose: "basicAds",
      enforcePurpose: true,
      enforceVendor: true
  },{
      purpose: "measurement",
      enforcePurpose: true,
      enforceVendor: true
  }]
};
```

Then I revoked consent for criteo but it still does bid requests:

image

This is just after pbjs.setConfig but before pbjs.requestBids call:
image

@dgirardi
Collaborator

rules should go under gdpr, for example:

```javascript
// All GDPR options, rules included, sit under consentManagement.gdpr
pbjs.setConfig({
  consentManagement: {
    gdpr: {
      cmpApi: 'iab',
      timeout: 500,
      defaultGdprScope: true,
      rules: [{
          purpose: "storage",
          enforcePurpose: true,
          enforceVendor: true
      },{
          purpose: "basicAds",
          enforcePurpose: true,
          enforceVendor: true
      },{
          purpose: "measurement",
          enforcePurpose: true,
          enforceVendor: true
      }]
    }
  }
});
```

However that shouldn't matter - the gdprEnforcement should still be working with the default settings, which block bidders without consent.

I suspect they are allowed because the CMP reports "legitimate interest" for purpose 2 and criteo / 91. You can verify that with `__tcfapi('getTCData', null, function(tc) {console.log(tc.vendor.legitimateInterests[91])})`. (If that does not say true, the problem is something else, and we need more details).

For purpose 2, which Prebid uses to decide which bidders should be let into auctions, we have a special case where either consent or legitimate interest is enough to allow - the rationale is explained here.

I don't know if CMPs let you configure whether vendors can set the LI flag. Otherwise it's possible to override it using activity controls, but it's not very convenient because they (currently) require you to do all the work, including keeping track of GVL IDs. For example, this would prevent criteo when the CMP reports no consent, regardless of legitimate interest:

```javascript
// Bidder code -> GVL ID; this map has to be maintained by hand
const GVLIDS = {
  'criteo': 91
};
pbjs.setConfig({
  allowActivities: {
    fetchBids: {
      rules: [{
        condition({componentName}) {
          let hasConsent = true;
          const gvlid = GVLIDS[componentName];
          if (gvlid != null) {
            // hasConsent is only updated if the CMP invokes the callback synchronously
            __tcfapi('getTCData', null, function(tc) {
              hasConsent = tc.vendor.consents[gvlid];
            });
          }
          return !hasConsent; // if there's no consent, use this rule (and disallow), otherwise use default behavior
        },
        allow: false
      }]
    }
  }
});
```

@renebaudisch
Contributor Author

Sadly, it returns false.
image

I will do a test page and come back here.

@dgirardi
Collaborator

Correction - up until 8.11 it was enough to have LI on purpose 2, we were not checking for vendor (#10367). The flag is in `purpose.legitimateInterests[2]`.

@renebaudisch
Contributor Author

ok, this returns true.

So, P2 true overrides the vendor consent up to pbjs.version 8.11? This would clarify, I will test with the latest build.

@renebaudisch
Contributor Author

Perfect, thanks, using 8.16.0 works
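
The purpose 2 behaviour change discussed in this thread, as an added example that is not part of the original conversation and not Prebid's own code. It is a simplified model: the function names and the sample TCData are constructed, and pairing purpose LI with vendor LI in the fixed path is an assumption about what "checking for vendor" means.

```javascript
// Added illustration: simplified model of the purpose 2 (basicAds) decision
// described in this thread. It is NOT Prebid's gdprEnforcement code.

// Read the four TCData flags that matter for one vendor (GVL ID).
function purpose2Flags(tc, gvlid) {
  const flag = (obj, key) => Boolean(obj && obj[key]);
  const purpose = tc.purpose || {};
  const vendor = tc.vendor || {};
  return {
    purposeConsent: flag(purpose.consents, 2),
    purposeLI: flag(purpose.legitimateInterests, 2),
    vendorConsent: flag(vendor.consents, gvlid),
    vendorLI: flag(vendor.legitimateInterests, gvlid)
  };
}

// Behaviour described for Prebid up to 8.11: legitimate interest on purpose 2
// was enough; the vendor's own flags were not checked on that path.
function allowedPurposeOnlyLI(tc, gvlid) {
  const f = purpose2Flags(tc, gvlid);
  return (f.purposeConsent && f.vendorConsent) || f.purposeLI;
}

// Behaviour after the fix (#10367): the vendor is checked as well.
// Assumption of this model: the LI path pairs purpose LI with vendor LI.
function allowedVendorChecked(tc, gvlid) {
  const f = purpose2Flags(tc, gvlid);
  return (f.purposeConsent && f.vendorConsent) || (f.purposeLI && f.vendorLI);
}

// Constructed TCData matching the case in the thread: vendor 91 has neither
// consent nor LI, but the CMP still reports LI for purpose 2.
const sampleTc = {
  purpose: { consents: { 2: false }, legitimateInterests: { 2: true } },
  vendor: { consents: { 91: false }, legitimateInterests: { 91: false } }
};

// Summarise the flags and both decisions for one vendor.
function explain(tc, gvlid) {
  return {
    flags: purpose2Flags(tc, gvlid),
    upTo8_11: allowedPurposeOnlyLI(tc, gvlid),
    afterFix: allowedVendorChecked(tc, gvlid)
  };
}

console.log(explain(sampleTc, 91));
```

In a browser console, pass the object received by the `__tcfapi('getTCData', ...)` callback as `tc` to see which flag lets a given bidder through.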
