Issue 402

[HeinzBaumann]

addresses issue 402

[jdelhommeau]

I am a bit confused with this sentence: "The vendor encoded in this macro is then required to obtain the TC string and replace the gdpr_consent with the actual TC string"
by "vendor encoded in this macro" do we mean vendor XXX from macro ${GDPR_CONSENT_XXX} ? If so, he is not the one to obtain and replace the TC string. The vendor that will be initiating this call (the DSP / Adserver making redirect creative to that endpoint) will be the one replacing the macro by the TCS, and ensuring that vendor XXX has a legal base established if he intends to send him PD.

[HeinzBaumann]

I revised this and the other paragraphs in a new change list. Please review and if needed we can make more revisions to it.

[jdelhommeau]

I am still a bit confused about this section. I don't really understand the two cases you mention.
I think another way to think of this is, that when a vendor XXX (receiving vendor) expects another vendor (initiating vendor) to call him and not have js access to fetch the TCS from the CMP directly (which can be either because he has a html only tag, or he is being called server side), the vendor XXX should include its ${GDPR_CONSENT_XXX} macro in his url, where he expects the initiating vendor to pass him the TCS. the XXX allow the initiating vendor to easily know who is the receiving vendor and what to look for in TCS before forwarding any PD.
In case of a vendor 123 (initiating) calling vendor 456 (intermediary receiving and then becoming initiating) calling himself another vendor 789 (receving only), then it should looks something like this:
vendor 789 expects vendor 456 to call him. Therefore, he sends him the url to call him on, which includes its GDPR macro ${GDPR_CONSENT_789}. That way, when calling him, vendor 456 knows where to put the TCS and know what checks to perform before including any PD in the call to vendor 789 (example of url: vendor789.domain.com/tag?gdpr_consent=${GDPR_CONSENT_789}&pd=PD_TO_BE_INCLUDED_IF_CONSENT)
Vendor 456 also sends vendor 123 the url to call him on, including where to include the TCS with its macro ${GDPR_CONSENT_456}, allowing vendor 123 to easily know where to put the TCS and know what checks to perform before including any PD in the call to vendor 789. ((example of url: vendor456.domain.com/tag?gdpr_consent=${GDPR_CONSENT_456}&pd=PD_TO_BE_INCLUDED_IF_CONSENT)
At time of the delivery, vendor 123 will receive the TCS, either from fetching it from the CMP API, or from receiving it in an openrtb bid request. He will checks for vendor 456 legal base, and based on check results, will include PD. He will also replace the GDPR_CONSENT_456 macro by the actual TCS and make the call to vendor456.domain.com/tag?gdpr_consent=ACTUAL_TCS&pd=123. Vendor 456 receiving the call will perform his data processing, then execute the vendor 789 piggyback pixel. He will check the legal base of vendor 789 in the TCS, then replace the GDPR_CONSENT_789 macro by the TCS and making call to the url vendor789.domain.com/tag?gdpr_consent=ACTUAL_TCS&pd=432.

From the above example, I don't understand why we need to have differentiated scenario for piggyback pixel. The receiving vendor is the one responsible to indicate to calling vendor if he needs him to forward him the TCS. In case the GDPR_CONSENT_XXX macro is missing, it means the receiving vendor expects to be able to determine consent on its own (through fetching the TCS from the CMP API for example), in which case the initiating vendor doesn't need to include the TCS. The initiating vendors may still try to identify the receiving vendor by different means (since he doesn't have the vendor id in the macro) to perform checks on its own

[HeinzBaumann]

Thanks again for the guidance here. I be frank, I never had to use these macros and never fully understood how this should be used in some of these use cases. Again thanks for your patience in explaining this to me. Created a new revision of these paragraphs using some of your explainations.

[HeinzBaumann]

@lamrowena Can you please review this as well. Thanks!