Usefulness of gdprApplies to vendors within the EU? #307

Open
viblo opened this issue Dec 3, 2021 · 2 comments

@viblo

viblo commented Dec 3, 2021

I'm trying to understand when to look at gdprApplies, from the point of view of a vendor inside the EU. It is my understanding that the publisher / CMP sets this value, e.g. by geolocation of the user or other methods as described here: https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20CMP%20API%20v2.md#what-does-the-gdprapplies-value-mean

However, as a vendor within the EU the GDPR always applies to my processing regardless of where the user is located or where the publisher is located. Therefore it seems to me that neither the publisher nor the CMP can make decisions if GDPR should apply or not for the vendor, meaning that as a vendor within the EU receiving gdprApplies=false is the same as no TC String at all.

@dmdabbs
Collaborator

dmdabbs commented Mar 15, 2022

See also Issue 249.

@anderagakura
Collaborator

Comment from #249 by @MarkusWollny

I have now come across two occasions where a vendor implementation of the getTCData-callback, after checking for presence of the TCF-API, then calling getTCData, checking the success-boolean, would go straight on to checking the vendor.consents-property without checking the gdprApplies property first.

When such code is called and gdprApplies is false, the vendors property is not defined, so the implementation throws an error. This is very likely going to be missed by developers from within the EU, as they'd only see the problem when testing their implementation via VPN or with a non-EU-VM. I contacted the vendor in question and alerted them to the issue - in this case, the problem is affecting a service provider who provides the industry standard for digital audience measurement in Germany.

There is just this one mention of that behaviour in a paragraph below the section "What required API commands must a CMP support?": "If GDPR does not apply to this user in this context (gdprApplies=false) then this user will have no Transparency and Consent values and a TCData object with no Transparency and Consent values for any Vendors will be passed to the callback function."

There's no explicit mention of vendor/vendor.consents missing at all anywhere in the documentation as far as I am aware. There is specifically no mention at all in the section "What does the gdprApplies value mean?". There is no mention which parts of the TCData object can be relied upon to be always set and which may be optional under specific circumstances.

The documentation should be made much clearer in that regard. In the current version, there's just too much room for error.
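An added example, not code from this thread or from the IAB specification: a getTCData callback that checks `gdprApplies` and the presence of `vendor.consents` before reading them, so the failure described above cannot throw. The vendor id `9999`, the status strings and the function names are assumptions made for illustration.

```javascript
// Constructed placeholder id, not a real Global Vendor List entry.
const VENDOR_ID = 9999;

// Classify a TCData object without assuming any optional property exists.
// Returns one of:
//   'unavailable'   - the callback reported failure or passed no object
//   'no-tc-values'  - gdprApplies is not true, or vendor.consents is absent
//   'consented' / 'not-consented' - vendor.consents was present and was read
function readVendorConsent(tcData, success, vendorId) {
  if (!success || !tcData || typeof tcData !== 'object') return 'unavailable';
  // Check gdprApplies BEFORE touching vendor.*: when it is false the CMP
  // passes no Transparency and Consent values and `vendor` may be undefined.
  if (tcData.gdprApplies !== true) return 'no-tc-values';
  const consents = tcData.vendor && tcData.vendor.consents;
  if (!consents || typeof consents !== 'object') return 'no-tc-values';
  // Only an explicit `true` counts; a missing key is treated as no consent.
  return consents[vendorId] === true ? 'consented' : 'not-consented';
}

// Hypothetical policy hook for a vendor whose processing is always subject
// to GDPR (the situation in the first post): every status except
// 'consented' is handled like "no TC string", so the vendor fails closed.
function mayProcessOnConsent(status) {
  return status === 'consented';
}

// Wiring: `win` is the window object (passed in so the logic is testable).
function queryCmp(win, vendorId, onResult) {
  if (typeof win.__tcfapi !== 'function') {
    onResult('unavailable'); // no CMP on the page
    return;
  }
  win.__tcfapi('getTCData', 2, (tcData, success) => {
    onResult(readVendorConsent(tcData, success, vendorId));
  }, [vendorId]);
}

// Constructed sample: the shape seen when a CMP reports gdprApplies=false.
const sampleOutsideEu = { gdprApplies: false, cmpStatus: 'loaded' };
const sampleStatus = readVendorConsent(sampleOutsideEu, true, VENDOR_ID);
console.log(sampleStatus, mayProcessOnConsent(sampleStatus));
```

Testing with the `gdprApplies: false` sample reproduces locally the case that would otherwise only show up behind a VPN or on a non-EU VM.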
