Prebid.js: CMP timeout scenario: auction without consent not running despite GDPR Enforcement Module rules

Type of issue

Bug or documentation issue

Description

We need the auction to run even when the CMP banner stays open, relying on the “basic ads” legitimate interest. In Prebid 3 this was working with the allowAuctionWithoutConsent. In Prebid 4 and 5 I can’t find a way to enable the same behavior. I’ve read that it should be possible by using the GDPR Enforcement module, so I have included its configuration:

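  pbjs.setConfig({
    consentManagement: {
      gdpr: {
        // other gdpr settings (CMP API, timeout) are not shown in the report
        defaultGdprScope: true,
        rules: [{
          purpose: 'storage',
          enforcePurpose: false,
          enforceVendor: false
        }, {
          purpose: 'basicAds',
          enforcePurpose: false,
          enforceVendor: false
        }]
      }
    }
  });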

It made no difference: with the CMP banner open, Prebid triggers cmpFailed and stops the auction. From my debugging, the enforcement module code wasn’t even touched.

Relevant logs:

  • Prebid INFO: Received a response from CMP t {cmpId: 7, cmpVersion: 1, gdprApplies: true, tcfPolicyVersion: 2, eventStatus: "cmpuishown", …
  • …long delay
  • Prebid ERROR: CMP workflow exceeded timeout threshold. Canceling auction as per consentManagement config. undefined

The CMP returns an event from the TCF API, and it gets processed by this function:

  function v2CmpResponseCallback(tcfData, success) {
    utils.logInfo('Received a response from CMP', tcfData);
    if (success) {
      if (tcfData.gdprApplies === false || tcfData.eventStatus === 'tcloaded' || tcfData.eventStatus === 'useractioncomplete') {
        cmpSuccess(tcfData, hookConfig);
      }
 ...

The second condition leaves it hanging, since eventStatus is cmpuishown. It doesn’t look for the enforcement settings. Is this by design, or am I missing something?

Steps to reproduce

  1. Load the page with no TCFv2 consent in cookies/localStorage.
  2. Prebid should wait for CMP timeout but still start auction, when purpose: 'basicAds', enforcePurpose: false, is in config.

Test page

https://playground.cpex.cz/headerbidding

Expected results

Auction to run

Actual results

Auction not running

Platform details

Prebid.js v5.2.0 (v4 behaves the same) MacOS, Chrome

Other information

None

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 34 (14 by maintainers)

Most upvoted comments

I stand corrected then, and I agree Prebid should attempt to retrieve consent data on timeout. Although it appears that not all CMPs work that way:

NoTCString

Since now auctions don’t start until consent data is resolved through the CMP, modules never saw the case where consentData.gdprApplies is true but consentData.consentString is not defined. This would change if we allow the auction to continue without consent data, and there are several modules that in my estimation would not work correctly.

This is an attempt at an exhaustive list, but I can’t guarantee I haven’t missed some.

These modules ignore gdprApplies completely:

  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/addefendBidAdapter.js#L17-L26
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/apstreamBidAdapter.js#L288-L293
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/glimpseBidAdapter.js#L138-L153
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/improvedigitalBidAdapter.js#L47-L50

These talk to endpoints that appear to treat a missing consent string as equivalent to “gdpr does not apply”:

  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/adnuntiusBidAdapter.js#L68
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/beopBidAdapter.js#L43-L54
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/criteoIdSystem.js#L136-L143

These only consider gdprApplies if a consent string is available:

  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/cleanmedianetBidAdapter.js#L90-L104
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/engageyaBidAdapter.js#L131-L133
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/gamoshiBidAdapter.js#L104-L109
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/stroeerCoreBidAdapter.js#L141-L145

These don’t appear to consider gdprApplies for user syncs if no consent string is available:

  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/bliinkBidAdapter.js#L273-L278
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/districtmDMXBidAdapter.js#L202-L208
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/loganBidAdapter.js#L138-L144
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/mathildeadsBidAdapter.js#L186-L192
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/mediasquareBidAdapter.js#L141
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/onetagBidAdapter.js#L350-L355
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/richaudienceBidAdapter.js#L149-L151
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/rubiconBidAdapter.js#L770-L777
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/smilewantedBidAdapter.js#L132-L139
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/tripleliftBidAdapter.js#L88-L91
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/trustxBidAdapter.js#L286-L292
  • https://github.com/prebid/Prebid.js/blob/e41bbedc28c7cd16da0d0166d900b1dab19191d0/modules/videoreachBidAdapter.js#L81-L87
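
Added example, not part of the comment above and not Prebid.js code: it contrasts the "only consider gdprApplies if a consent string is available" pattern with a serializer that keeps the case gdprApplies true, consentString undefined distinguishable. The function names, the sync URL and the gdpr / gdpr_consent query parameter convention are assumptions made for illustration.

```javascript
// Added illustration; function names are hypothetical, not Prebid.js APIs.
// Input shape follows the thread: { gdprApplies, consentString }.

// Pattern from the third group above: gdprApplies is only forwarded when a
// consent string exists, so "applies, no string" is serialized like "no GDPR".
function naiveGdprParams(consent) {
  const p = {};
  if (consent && consent.consentString) {
    p.gdpr = consent.gdprApplies ? 1 : 0;
    p.gdpr_consent = consent.consentString;
  }
  return p;
}

// Handles the two fields independently, so the timeout case stays visible.
function gdprParams(consent) {
  const p = {};
  if (!consent) return p; // no consent data at all
  if (typeof consent.gdprApplies === 'boolean') {
    p.gdpr = consent.gdprApplies ? 1 : 0;
  }
  if (typeof consent.consentString === 'string' && consent.consentString) {
    p.gdpr_consent = consent.consentString;
  } else if (consent.gdprApplies === true) {
    // Assumption: the endpoint reads gdpr=1 with an empty string as "no consent".
    p.gdpr_consent = '';
  }
  return p;
}

// Appends the parameters to a sync or bid URL.
function withGdpr(baseUrl, params) {
  const qs = new URLSearchParams(params).toString();
  return qs ? `${baseUrl}?${qs}` : baseUrl;
}

// Constructed inputs: CMP timed out, GDPR not in scope, and full consent.
const timedOut = { gdprApplies: true, consentString: undefined };
const notInScope = { gdprApplies: false };
const consented = { gdprApplies: true, consentString: 'CONSTRUCTED_TC_STRING' };

for (const c of [timedOut, notInScope, consented]) {
  console.log(withGdpr('https://sync.example/px', naiveGdprParams(c)), '|',
              withGdpr('https://sync.example/px', gdprParams(c)));
}
```

For the timed-out input the naive serializer emits a URL with no GDPR parameters at all, which a receiving endpoint cannot tell apart from a request where GDPR does not apply.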

@EskelCz just discussed this offline and yes, we agreed it should be fixed - it’s just going to involve a bit more work than we anticipated. This issue is still at the top of my list.

@EskelCz I’m picking this up right now, a PR should come somewhat soon.

The action to take with this ticket is to update the CMP timeout scenario in modules/consentManagement.js to run the auction rather than immediately invoking the bidsBackHandler.

Depending on the consentManagement config, this may cancel the auction anyhow.

I’d argue this is a bug and not a breaking change so it doesn’t need to wait for a major release and doesn’t need config to ‘turn it on’. Publishers have set up their preferred ConsentManagement approach and the auction should respect that rather than being canceled automatically.