This consent management module is designed to support the California Consumer Privacy Act (CCPA). The IAB has generalized these guidelines to cover future regulations, referring to the feature as “US Privacy.”
This module works with an IAB-compatible US Privacy API (USP-API) to fetch an encoded string representing the user’s notice and opt-out choices and make it available for adapters to consume and process. In Prebid 7+; the module defaults to working with an IAB-compatible US Privacy API; in prior versions, the module had to be configured to be in effect. This module is no longer recommended, as the signal is no longer supported by a contractual framework as of January 31, 2024.
See also the Prebid Consent Management - TCF Module for supporting the IABTL Transparency and Consent Framework.
Here’s a summary of the interaction process:
The IAB USP-API will respond immediately if it is available. The module timeout settings are not related to user selection, but only to API availability.
If the timeout period expires or an error from the USP-API is thrown, the auction proceeds without a US Privacy string attached.
The string has four characters:
| String Component | Values |
|---|---|
| 1) Specification Version | 1 |
| 2) Explicit Notice/Opportunity to Opt Out | (N = No,Y = Yes,– = Not Applicable) |
| 3) Has user opted-out of the sale of his or her personal information? | (N = No,Y = Yes,– = Not Applicable) |
| 4) Publisher is a signatory to the IAB Limited Service Provider Agreement | (N = No,Y = Yes,– = Not Applicable) |
As of January 1st 2023, CCPA will require that requests to “delete my personal information” (right to delete) must be propagated to all 3rd parties user data is being shared with. US Privacy Consent Management Module will support this feature in 7.23.0 and above.
Prebid Modules that receive user data (bid adapters, analytics adapters), or set user data (UserId, RTD) may define a new method called onDataDeletionRequest. The US Privacy Consent Management Module will attach a registerDeletion event handler with the CMP, when triggered it will:
The USP module attaches a ‘registerDeletion’ event handler with the CMP; when triggered, it will:
3rd parties can define the method like this:
To utilize this module, software that provides the USP-API must to be implemented on the site to interact with the user and obtain their notice and opt-out status.
Though implementation details for the USP-API are not covered by Prebid.org, we do recommend to that you place the code before the Prebid.js code in the head of the page in order to ensure the framework is loaded before the Prebid code executes. Many publishers who ensure the prior availability of the __uspapi set the timeout parameter to zero.
Once the USP-API is implemented, simply include this module into your build and add a consentManagement object in the setConfig() call. Without configuration, Prebid will throw a warning that the module is unconfigured, and will proceed with the default configuration parameter cmpApi as ‘iab’. Adapters that support this feature will then be able to retrieve the notice and opt-out status information and incorporate it in their requests.
Here are the parameters supported in the consentManagement object:
| Param | Type | Description | Example |
|---|---|---|---|
| usp | Object |
||
| usp.cmpApi | string |
The USP-API interface that is in use. Supported values are ‘iab’ or ‘static’. Static allows integrations where IAB-formatted strings are provided in a non-standard way. Default is 'iab'. |
'iab' |
| usp.timeout | integer |
Length of time (in milliseconds) to allow the USP-API to obtain the CCPA string. Default is 50. |
50 |
| usp.consentData | Object |
An object representing the CCPA notice and opt-out status data being passed directly; only used when cmpApi is ‘static’. Default is undefined. |
Note that the term ‘CMP’ (Consent Management Platform) was chosen in Prebid to keep the interface similar to the GDPR implementation, though US-Privacy doesn’t specifically use that term.
Example 1: Support both US Privacy and GDPR
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
gdpr: {
cmpApi: 'iab',
allowAuctionWithoutConsent: false, // suppress auctions if there's no GDPR consent string
timeout: 3000 // GDPR timeout 3000ms
},
usp: {
timeout: 100 // US Privacy timeout 100ms
}
}
});
});
Example 2: Support US Privacy; timeout the api availability at zero because it is always available if it applies
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'iab',
timeout: 0 // US Privacy timeout 100ms
}
}
});
});
Example 3: Static CMP using custom data passing. Placing this config call in the command queue before loading Prebid is important to ensure the string is available before Prebid begins making external calls.
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'static',
consentData: {
getUSPData: {
uspString: '1YYY'
}
}
}
}
});
});
Example 4: Static CMP with USP string set to does not apply for all fields, which may be useful to prevent excessive interaction with the __uspapi outside of the geographic scope. Placing this config call in the command queue before loading Prebid is important to ensure it is available early.
var pbjs = pbjs || {};
pbjs.que = pbjs.que || [];
pbjs.que.push(function() {
pbjs.setConfig({
consentManagement: {
usp: {
cmpApi: 'static',
consentData: {
getUSPData: {
uspString: '1---'
}
}
}
}
});
});
Follow the basic build instructions in the GitHub Prebid.js repo’s main README. To include the consent management module, an additional option must be added to the the gulp build command:
gulp build --modules=consentManagementUsp,bidAdapter1,bidAdapter2
If you are submitting changes to an adapter to support this approach, please also submit a PR to the docs repo to add the usp_supported: true variable to your respective page in the bidders directory. This will ensure that your adapter’s name will automatically appear on the list of adapters supporting US Privacy.
To find the US Privacy/CCPA notice and opt-out status information to pass along to your system, adapters should look for the bidderRequest.uspConsent field in their buildRequests() method.
Below is a sample of how the data is structured in the bidderRequest object:
{
"bidderCode": "bidderA",
"auctionId": "e3a336ad-2222-4a1c-bbbb-ecc7c5554a34",
...
"uspConsent": "1YYY",
...
}
The usPrivacy object is also available when registering userSync pixels.
The object can be accessed by including it as an argument in the getUserSyncs function:
getUserSyncs: function(syncOptions, responses, gdprConsent, usPrivacy) {
...
}
Depending on your needs, you could include the US-Privacy information in a query of your pixel and/or, given the notice and opt-out status choices, determine if you should drop the pixels at all.