Core & multiple modules: strict purpose 1 consent option; do not require vendor consent for "core" storage / ID modules

[dgirardi]

Type of change

• Bugfix

Description of change

This change:

• makes it so that setConfig({deviceAccess: false}) always turns off all storage, including "core" storage (which currently ignores that flag, contrary to what the documentation says
• introduces "vendorless" GDPR enforcement for pubCommonId/sharedId (same intent as in Gdpr Enforcement module and sharedId/pubCommonId modules: vendor consent should not be enforced for first-party-id modules #8448, which was later reverted)
• introduces a new config option, setConfig({consentManagement: {strictStorageEnforcement: true}}), that - if set - forces all storage, including "core" storage, to respect consent; core storage would follow the same rule as "vendorless" modules (just generic P1 consent required), the rest would continue to respect both purpose and vendor as it does now
• refactors userSync.js and the userId module to access storage only once consent data is available, so that the above can work
• attempts to always enforce GDPR if the consentManagement module is installed (to try and catch gdpr-protected operations that happen before consent data is resolved).

As mentioned in #8651, there are a few other consumers of getCoreStorageManager - I only checked that fpdEnrichment would fail gracefully without storage. The rest (categoryTranslation and adpod.brandCategoryExclusion) may still be accessing storage before consent is resolved.

Other information

Closes #8651
Documentation: prebid/prebid.github.io#3889

[patmmccann]

https://github.com/prebid/Prebid.js/blob/master/modules/pubProvidedIdSystem.js also doesnt need consent but doesn't use device storage. Should it be on this list?

[dgirardi]

It does look like it should, but now I'm wondering, aren't all 3 doing the same thing? should we think about removing some at some point?

[patmmccann]

the second one is definitely redundant and removing it is in the 8.0 proposal. PPID module is different, it allows a publisher to set any arbitrary id and also say what it is. It isn't very popular, but it would allow a publisher to say pass hash(login) or some other identifier that was quite different than the one used by sharedid / pubcommonid

[dgirardi]

@patmmccann in drafting the docs for this, I noticed that what we say now:

You can prevent Prebid.js from reading or writing cookies or HTML localstorage by setting [deviceAccess: false]

Is not true; "core" storage, used as outlined above, still has access to the device regardless of that flag. Was this an oversight - should we fix it, or still require "true" disablers to also set alwaysEnforceDeviceAccess? (it could, conceivably, break users of category exclusion / translation, and change the domain set by fpdEnrichment).

[dgirardi]

After discussing with @patmmccann and @bretg , we agreed on the following:

1. a vendor (bid adapter, module) wants to read/store something. In GDPR scope, requires general P1 consent and vendor-specific consent. Requires deviceAccess flag. bid adapters also require bidderSettings.storageAllowed. (no changes)
2. a "vendorless" ID module wants to read/store something. In GDPR scope, require general P1 consent. Require deviceAccess flag. (no changes)
3. a "PBJS core" service or "vendorless module" wants to read/store something. Require deviceAccess flag (change! may break domain calculation) If consentManagement.strictStorageEnforcement is true, and in GDPR scope, requires general P1 consent (change, but safe because it's behind a new config flag)

the change for case 3 should be documented (coming soon!)

[osazos]

LGTM!