Description

As uncovered in #7156 , there are are several bid adapters that may not be properly handling the gdprApplies flag.

Background: the Consent Management Platform (CMP) is responsible for knowing whether the current user is "in-scope" for GDPR, i.e. they reside in the European Economic Area (EEA). It signals this information to Prebid along with the consent string. Bid adapters must be able to handle all of these scenarios:

1. CMP provides gdprApplies:true and a valid consent string - normal GDPR processing
2. CMP provides gdprApplies:false and a valid consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
3. CMP provides gdprApplies:true but no consent string - processing depends on vendor's Legitimate Interest claims and legal advice from the bidder's lawyers.
4. CMP provides gdprApplies:false and no consent string - bidder endpoints may choose to verify the user's GDPR scope or to trust the CMP.
5. CMP provides only a valid consent string - if the CMP declines to define the GDPR scope, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.
6. CMP provides neither value - if the CMP doesn't define the scope or the consent, bidder processing depends on whether the endpoint can detect the user's location and legal advice from their lawyers.

Bid adapters that need to be reviewed

These bidders don't look for gdprApplies. Please confirm your implementation with your legal team. Prebid recommends passing the gdprApplies flag along with the consent string.

• addefend - @addefend
• apstream - @frstua
• glimpse - @samueldobbie , @tim-hm
• improveDigital - @jbartek25 , @agregorio-improve "there's no plan to add support for gdprApplies param in the current adapter generation as our server does IP lookups. The next generation adapter launching in Q1 will include gdprApplies"

These bidders currently only consider gdprApplies if a consent string is available. Please confirm your implementation with your legal team. Prebid recommends using the gdprApplies flag even if it's available even if there's no consent string.

• cleanmedianet - @sa1omon
• engageya - @mikomgk
• gamoshi - @sa1omon
• stroeer - @PavlaKanova , @lukashavrlant
• bliink - @kola-kola
• logan - @WlsLogan
• mathildeads - @mathilde-ads
• mediasquare - @matthieularere-msq
• onetag - @onetag-dev
• richaudience - @richaudience
• rubicon - @robertrmartinez
• smilewanted - @MaxSmileWanted
• triplelift - @nllerandi - "We fallback to the determination of applicability based on geo IP resolution if our params are not present."
• videoreach - @VideoReach

These modules don't send gdprApplies to their endpoints. There's a possible problem in these scenarios where gdprApplies:true and there's no consent string. If endpoints are doing IP-address lookups, then they may be ok, but if not, the adapter should be passing gdprApplies so the endpoint has all the info it needs to process correctly.

• adnuntius - @mikael-lundin
• beop - @bloodyowl , @sebrobert
• criteoIdSystem - @allanjun