Prebid US Compliance Support
Important: This resource should not be construed as legal advice and Prebid.org makes no guarantees about compliance with any law or regulation.
Please note that because every company and its collection, use, and storage of personal data is different, you should seek independent legal advice
relating to obligations under your regional regulations, including the GDPR, the ePrivacy Directive and individual country/province/state laws. Only a
lawyer can provide you with legal advice specifically tailored to your situation. Nothing in this guide is intended to provide you with, or should be
used as a substitute for, legal advice tailored to your business.
Overview
Starting July 1st 2023, several US states started enforcing new privacy regulations.
As a result, the IAB released the “Multi-State Privacy Agreement” (MSPA), the Global Privacy Protocol (GPP), and several “sections” of the GPP dedicated to these US states. References:
Prebid refers to GPP Sections 7-12 as “US Compliance”, which is distinct from the original US Privacy approach which has been deprecated.
Glossary
- Global Privacy Platform (GPP) - A technical IAB framework that defines a container format for communicating multiple privacy protocols. e.g. GPP can contain existing Transparency and Consent Framework (TCF) strings, various US privacy string formats, and other future implementations.
- GPP Section ID (SID) - the GPP container may contain multiple encoded privacy protocol strings. Each protocol gets its own SID in the overall GPP container. e.g. TCF-EU is assigned SID 2.
- Multi-State Privacy Agreement (MSPA) - the IAB’s contractual framework for publishers to manage various US state privacy laws. Note that there are high profile companies in the industry that have not signed the MSPA, but are still able to process the IAB’s technical protocol to consider user preferences.
- MSPA Covered Transaction - Whether a given ad auction falls legally under the MSPA’s privacy requirements. For MSPA-covered ‘transactions’ (ad auctions), publishers must declare themselves in one of two modes: “Service Provider Mode” or “Opt-Out Mode”.
- MSPA Service Provider Mode - “Service Provider Mode is for First Parties who do not Sell or Share Personal Information, and do not Process Personal Information for Targeted Advertising”. This means that personal information is never sent to downstream entities.
- MSPA Opt-Out Mode - For First Parties that may engage in targeted advertising activities or disclose personal information for such purposes. This means that user consent is gathered before privacy-sensitive data is sent to downstream entities.
- US National Privacy Technical Specification (USNat) - the IAB’s technical framework for encoding MSPA publisher policies and user consents. Stored in the GPP container as SID 7.
- US State Privacy Technical Specifications - the IAB has defined technical frameworks for 5 states based on their interpretation of state privacy laws. These protocols are similar to the US National protocol and are stored in the GPP container as SIDs 8 through 12.
- US Compliance - the term Prebid uses to encompass both US National Privacy Technical Specification and the US State Privacy Technical Specifications.
- Global Privacy Control (GPC) - a browser-level control for end users. Some US states have referred to a global control so that users don’t have to state their preferences on each website they visit. The USNat protocol strings also contain the GPC flag.
- US Privacy - this is the IAB’s original, now deprecated, version of a US privacy protocol, meant to address older California laws.
- Prebid Activity Controls - Prebid.js and Prebid Server have identified a set of behaviors for activities that may be in scope for privacy concerns such as transmitting user IDs. These activities may be allowed or suppressed with flexible conditions and exceptions as defined by the publisher.
Assumptions
Prebid.org cannot advise publishers on how to conform to privacy laws that affect their business. Instead, publishers should be aware of what privacy-related features Prebid supports so that their legal, product, and engineering teams can define a privacy implementation.
Prebid’s assumptions about the MSPA and the US National Privacy specification:
- Most Publishers will initially declare ad units in their CMP as “Not covered by MSPA.” (MspaCoveredTransaction=2) This is because many major SSPs, DSPs, and Ad Servers have not signed the MSPA and some of these parties are dropping MSPA-covered transactions.
- At some point in the future when more major players have signed the MSPA, the Prebid community and legal counsel will re-evaluate the state of the industry.
- For requests that are in-scope for SIDs 7 through 12 that are not “covered” by MSPA, Prebid treats them as being in “Opt-Out Mode”. This implies that CMPs have prompted users for consent and encoded the results in the relevant section of the GPP container.
- Prebid never changes the GPP string. This means that all downstream vendors will see whatever the CMP set.
- Prebid has implemented a default way to interpret the US National string (SID 7) in the context of each Prebid Activity.
- US state privacy rules do not mandate the cancellation of contextual advertising, but rather are focused on protecting user privacy. Therefore, Prebid’s US compliance modules may anonymize different aspects of a header bidding auction, but will never outright cancel an auction.
- There are differences in the US state-level protocols and the US National protocol as defined by the IAB. (e.g. child consent for targeted advertising is somewhat different across SIDs 7 through 12.)
- Rather than implementing several very similar modules and forcing publishers to include separate modules for each US state, Prebid handles state differences through a normalization process. The differences for each state are mapped onto the US National (SID 7) string, and that string is interpreted for which activities are allowed or suppressed. As with the rest of Prebid’s approach, this is a default intended to ease publishers’ ability to comply with the state laws, but publishers should make their own determinations about state law obligations and consult legal counsel to ensure that they feel comfortable that this approach allows them to meet their legal obligations.
- Publishers that do not agree with Prebid’s default behavior may override the behavior. This includes the interpretation of the USNat string as well as the normalization of state protocols.
- The Global Privacy Control (GPC) flag is interpreted as a strong user signal that ad requests should be anonymized.
- There’s no need to support a data-deletion activity for MSPA.
- Prebid doesn’t need to explicitly support mapping GPP SID 6 (legacy US Privacy) for anonymization activities. This is covered by a feature on Prebid Server where SID 6 is pulled out into regs.us_privacy and is covered by documentation in Prebid.js.
US Compliance Support in Prebid Products
Prebid.js
Here’s a summary of the privacy features in Prebid.js that publishers may use to align with the guidance of their legal counsel:
Prebid.js Version |
US Compliance-Related Features |
Notes |
before 7.30 |
None |
If you operate in the US, you should consider upgrading. |
7.30-7.51 |
Consent Mgmt GPP module |
The GPP module reads the GPP string from a compliant CMP and passes to compliant bid adapters. Not many bid adapters supported GPP in earlier versions. |
7.52-8.1 |
Consent Mgmt GPP module Activity Controls |
Activity Controls provide the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules. See examples in that document for supporting CCPA directly. |
8.2-8.9 |
Consent Mgmt GPP module Activity Controls GPP USNat module |
The GPP USNat module processes SID 7. |
8.10+ |
Consent Mgmt GPP module Activity Controls USNat module GPP US State module |
The GPP US State module processes SIDs 8 through 12 after normalizing protocol differences. |
8.10+ |
Consent Mgmt GPP module |
The GPP module now understands GPP 1.1 which makes it incompatible with GPP 1.0. Publishers MUST upgrade for continued GPP support. |
Prebid Server
Here’s a summary of the privacy features in Prebid Server that publishers may use to align with the guidance of their legal counsel:
Prebid Server Version |
USNat-Related Features |
Notes |
PBS-Go before 0.236 PBS-Java before 1.110 |
None |
If you operate in the US, you should consider upgrading. |
PBS-Go 0.236 PBS-Java 1.110 |
GPP passthrough |
PBS reads the GPP string from the ORTB request and passes to compliant bid adapters. Not many bid adapters supported GPP in earlier versions. |
PBS‑Go 0.248 and later PBS‑Java 1.113 and later |
GPP passthrough GPP US Privacy |
PBS will read SID 6 out of the GPP string and process it as if regs.us_privacy were present on the request. |
PBS-Go 2.2 PBS-Java 1.118 |
GPP passthrough GPP US Privacy Activity Controls |
Activity Controls grant the ability for publishers to allow or restrict certain privacy-sensitive activities for particular bidders and modules. |
PBS-Go TBD PBS-Java 1.122 |
GPP passthrough GPP US Privacy Enhanced Activity Controls |
Activity controls support additional conditions for defining USNat-related rules: gppSid, geo, and gpc. |
PBS-Go TBD PBS-Java 1.126 |
GPP passthrough GPP US Privacy Enhanced Activity Controls USGen Module |
The USGen module processes SIDs 7 through 12 after normalizing protocol differences. |
PBS-Go TBD PBS-Java 1.130 |
GPP passthrough GPP US Privacy Enhanced Activity Controls USNat Module US Custom Logic module |
Allows publishers to provide alternate interpretations of the USNat string as it applies to Activity Controls. |
Prebid SDK
SDK v2.0.8 (both iOS and Android) supports reading mobile app GPP data and passing it to Prebid Server.
Interpreting USNat Strings
This section details the default for how Prebid code interprets GPP SIDs 7 through 12. It applies to both Prebid.js and Prebid Server.
Requirements
When normalizing state-specific strings to the US National string, Prebid adds an additional “NULL” value which means that value was not present in the original string.
To make sense of the specific values below, please refer to the IAB’s USNat technical specifications.
- The US National privacy module should be able to translate state-level differences into the US National (SID 7) sense of the flags using this mapping:
- KnownChild normalizations follow these rules:
- SID 7 has two ‘KnownChild’ values: ages 13-16 and under 13. The goal is to map SIDs 8-12 behavior to SID 7’s structure.
- Prebid does not distinguish between “selling”, “sharing”, or “processing” data.
- If the state-level KnownChild values are all 0 (N/A), then the normalized output values are also 0. The assumption is that a KnownChild value of 0 means the user is not a child as defined by the various laws.
- If the state-specific values do not distinguish between ages 13-16 and under 13, Prebid will set the normalized values to be the same and will never report consent because we will not recognize consent from under 13. We’ve mapped information in the state-specific protocols in a conservative way.
- Normalization for California (CA) (SID 8)
- CA sensitive data 1 maps to US national sensitive data 9
- CA sensitive data 2 maps to US national sensitive data 10
- CA sensitive data 3 maps to US national sensitive data 8
- CA sensitive data 4 maps to US national sensitive data 1 and 2
- CA sensitive data 5 maps to US national sensitive data 12
- CA sensitive data 6 and 7 maps straight through to US national sensitive data 6 and 7
- CA sensitive data 8 maps to US national sensitive data 3
- CA sensitive data 9 maps to US national sensitive data 4
- Set these fields to NULL: SharingNotice, TargetedAdvertisingOptOutNotice, TargetedAdvertisingOptOut, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[5 and 11]
- KnownChild - SID 8 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
- If CA string KnownChildSensitiveDataConsents[1]=0 and state string KnownChildSensitiveDataConsents[2]=0, then no change – these can be treated as the normalized KnownChildSensitiveDataConsents[1]=KnownChildSensitiveDataConsents[2]=0 (i.e. not a ‘known child’)
- Otherwise, the SID 8 protocol does not allow Prebid to know if the user is aged 13-16 or under 13, so simply set KnownChildSensitiveDataConsents[1] or [2] both to 1 (no consent)
- All other fields pass through.
- Normalization for Virginia (SID 9)
- Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12], PersonalDataConsents, GPC.
- KnownChild: - SID 9 does not distinguish between consent for ages 13-16 and under 13, and the VA state laws define a child as being under 13, so Prebid will never normalize a positive KnownChild consent.
- If the SID 9 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
- If the SID 9 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
- All other fields pass through.
- Normalization for Colorado (SID 10)
- Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[8-12], PersonalDataConsents
-
KnownChild - SID 10 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
- If the SID 10 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
- If the SID 10 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
- All other fields pass through.
- Normalization for Utah (UT) (SID 11)
- UT sensitive data 1,2 maps straight through to US National 1,2
- UT sensitive data 3 maps to US National 4
- UT sensitive data 4 maps to US National 5
- UT sensitive data 5 maps to US National 3
- UT sensitive data 6,7,8 maps straight through to US National 6,7,8
- Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessing[9-12], PersonalDataConsents, GPC
- KnownChild - SID 11 does not distinguish between consent for ages 13-16 and under 13, so Prebid will never normalize a positive KnownChild consent.
- If the SID11 KnownChildSensitiveDataConsents value is 1 or 2, normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=1 (no consent)
- If the SID11 KnownChildSensitiveDataConsents value is 0, assume the user is not a child and normalize to SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
- All other fields pass through.
- Normalization for Connecticut (SID 12)
- Set these fields to NULL: SharingOptOutNotice, SharingOptOut, SensitiveDataLimitUseNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataProcessing[9-12], PersonalDataConsents
- KnownChild - SID 12 does distinguish ages aligned with SID 7
- If SID 12 string KnownChildSensitiveDataConsents[1, 2, and 3] are all 0 then assume the user is not a child and set the normalized SID 7 KnownChildSensitiveDataConsents[1 and 2]=0 (N/A)
- SID 12 age ranges align with SID 7, so let ages 13-16 state their consent. If SID 12 string KnownChildSensitiveDataConsents[2]=2 and SID 12 string KnownChildSensitiveDataConsents[3]=2, then set the normalized KnownChildSensitiveDataConsents[1]=2 (Ages 13-16 consented) and the normalized KnownChildSensitiveDataConsents[2]=1 (under 13 not consented)
- Otherwise, set the normalized SID 7 KnownChildSensitiveDataConsents[1 and 2] to 1 (no consent)
- All other fields pass through.
- If the CMP provides a non-zero value for any of the following sensitive data categories, the module should suppress the activity. In other words, if there’s any hint that data from these categories is associated with advertising, Prebid should anonymize first-party data.
- Genetic (6)
- Biometric (7)
- Personal Info (9)
- Login/Credit Card (10)
- Email content (12)
- The publisher should be able to override the default activity restriction logic with fine-grained control over all of the flags, including the ability to refine the conditions separately for ServiceProvider and OptOut modes, and for the MspaCoveredTransaction flag.
- The overrides should support the ability for the platform to understand whether it should be looking at the native SID state flags or the ‘normalized’ flags mapped from the process above.
- It should be possible for a publisher to override the USNat logic differently for different states.
- Prebid’s default restrictions should be tight. Restrict the potential for syncing and/or ad targeting when
- in ServiceProvider mode
- the GPC flag is set
- in OptOut mode and any of the following are true
- notice was not provided
- opt-out was chosen
- consent for sensitive or ‘known child’ was not provided
- invalid data was provided by the CMP
USNat Activity Restrictions
This table documents the default blocks of boolean logic that indicate whether a given privacy activity is allowed or suppressed.
Activity |
USNat Disallow Logic |
Notes |
deviceAccess |
n/a |
Default to ‘allow’. Publisher Activity Control config may cause it to ‘restrict’. |
fetchBid |
n/a |
Header bidding auctions are always allowed, but aspects of them may be anonymized. |
reportAnalytics |
n/a |
Analytics always allowed, but may be anonymized. |
syncUser |
MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingNotice=2 OR SharingOptOutNotice=2 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR SharingOptOut=1 OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 |
Suppress usersyncs when activity is not allowed: - Service Provider Mode - GPC flag - Lack of notice - Any opt-out - Allow kids 13-16 to consent, but always anonymize under age 13. - Notice was considered unnecessary yet permission to engage in targeted advertising is somehow considered valid. - Do not trust a CMP that claims to have ‘personal data consent’ for something that’s logically impossible. |
enrichEids |
(same as syncUser) |
Suppress the addition of EIDs when activity is not allowed. |
enrichUfpd |
(same as syncUser) |
Suppress the addition of User First Party Data when activity is not allowed. |
transmitEids |
(same as syncUser) |
Suppress the transmission of user.eids when activity is not allowed. |
transmitUfpd |
MspaServiceProviderMode=1 OR GPC=1 OR SaleOptOut=1 OR SaleOptOutNotice=2 OR SharingNotice=2 OR (SaleOptOutNotice=0 AND SaleOptOut=2) OR SharingOptOutNotice=2 OR SharingOptOut=1 OR (SharingOptOutNotice=0 AND SharingOptOut=2) OR (SharingNotice=0 AND SharingOptOut=2) OR TargetedAdvertisingOptOutNotice=2 OR TargetedAdvertisingOptOut=1 OR (TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2) SensitiveDataProcessing[1-5,11]=1 OR SensitiveDataProcessing[6,7,9,10,12]=1 OR SensitiveDataProcessing[6,7,9,10,12]=2 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 |
Suppress the transmission or user.ext.data., user.data., and device IDs when the activity is not allowed.
The difference in this logic compared to syncUser is that it includes ‘sensitive data’ flags. See the requirements above and the commentary below. |
transmitPreciseGeo |
MspaServiceProviderMode=1 OR GPC=1 OR SensitiveDataProcessingOptOutNotice=2 OR SensitiveDataLimitUseNotice=2 OR ((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2) SensitiveDataProcessing[8]=1 OR KnownChildSensitiveDataConsents[2]==1 OR KnownChildSensitiveDataConsents[2]==2 OR KnownChildSensitiveDataConsents[1]=1 OR PersonalDataConsents=2 |
Round IP address and lat/long in both device.geo and user.geo when the activity is not allowed.
The difference in this logic is that it includes “sensitive data 8” (geo) and does not include the UFPD- and ID-related fields. |
transmitTid |
n/a |
Sending transaction IDs is not an aspect of USNat. |
NOTE – Here’s what the numbers in the logic above indicate in the IAB GPP USNat specification:
MspaServiceProviderMode:
- 0 - Not Applicable
- 1 - Yes
- 2 - No
SaleOptOut, SharingOptOut, TargetedAdvertisingOptOut:
- 0 - Not Applicable
- 1 - Opted-Out
- 2 - Did not Opt-Out
SaleOptOutNotice, SharingNotice, TargetedAdvertisingOptOutNotice, SensitiveDataProcessingOptOutNotice, SensitiveDataLimitUseNotice:
- 0 - Not Applicable
- 1 - Notice was provided
- 2 - Notice was not provided
KnownChildSensitiveDataConsents, PersonalDataConsents, SensitiveDataProcessing:
- 1 - No Consent
- 2 - Consent
Prebid arrived at this logic through community discussions and in conjunction with legal counsel. First, we established the requirements and then translated them into boolean logic. Here’s a commentary on the default logic for the transmitUfpd
activity:
// In ServiceProvider mode, a publisher has declared they don't use personal data,
// so Prebid can anonymize all aspects of the request
MspaServiceProviderMode=1 OR
// The Global Privacy Control flag means to anonymize everything
GPC=1 OR
// Notice was not given to the user about opting out of the sale of their data
SaleOptOutNotice=2 OR
// The user opted out of the sale of their data
SaleOptOut=1 OR
// Notice was not given to the user about the sharing of their data
SharingNotice=2 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SaleOptOutNotice=0 AND SaleOptOut=2) OR
// Notice was not given to the user about opting out of the sharing of their data
SharingOptOutNotice=2 OR
// The user opted out of the sharing of their data
SharingOptOut=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingOptOutNotice=0 AND SharingOptOut=2) OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(SharingNotice=0 AND SharingOptOut=2) OR
// Notice was not given to the user about opting out of ad targeting
TargetedAdvertisingOptOutNotice=2 OR
// The user opted out of ad targeting
TargetedAdvertisingOptOut=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
(TargetedAdvertisingOptOutNotice=0 AND TargetedAdvertisingOptOut=2) OR
// Notice was not given to the user about opting out of processing sensitive data
SensitiveDataProcessingOptOutNotice=2 OR
// Notice was not given to the user about limiting the use of their sensitive data
SensitiveDataLimitUseNotice=2 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
// Note that SensitiveDataProcessing[8] is the geographic location and covered in the `transmitPreciseGeo` activity
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[1-7,9-12]=2)
// The user has not consented to share data of categories 1-5 and 11
SensitiveDataProcessing[1-5,11]=1 OR
// Data of the following categories should never be present in ad calls.
// So whether consented or not consented, anonymize UFPD if the CMP says they're present
SensitiveDataProcessing[6,7,9,10,12]=1 OR
SensitiveDataProcessing[6,7,9,10,12]=2 OR
// If a child 13-16 has not granted consent
KnownChildSensitiveDataConsents[1]=1 OR
// Do not accept consent from a child younger than 13
KnownChildSensitiveDataConsents[2]==1 OR
KnownChildSensitiveDataConsents[2]==2 OR
// The CMP claims to have consent for an 'unrelated' activity.
// Prebid views this as a logical impossibility and an invalid CMP response
PersonalDataConsents=2
If a publisher’s legal team disagrees with any of these interpretations, both Prebid.js and Prebid Server
support overriding this default logic.
The transmitPreciseGeo
activity has a couple of clauses not already mentioned:
// Consent was not given for the use of "precise geographic" information
SensitiveDataProcessing[8]=1 OR
// The CMP claims that notice was not needed, but at the same time claims consent was given
((SensitiveDataProcessingOptOutNotice=0 OR SensitiveDataLimitUseNotice=0) AND SensitiveDataProcessing[8]=2)