Vendors without any purposes #456

Open
jedlikk opened this issue Jul 24, 2024 · 9 comments
Labels
bug Something isn't working

@jedlikk

jedlikk commented Jul 24, 2024

Version
1.5.13

Module (core, cmpapi, cli, stub, or testing)
Core

Describe with reproduction steps – What is the expected behavior?
Hello, wanted to ask about expected behaviour and potentially report a bug.
We have, for example, this vendor (ID: 279) that doesn't have any purposes, but does have special purposes and legitimate interest. LegInt works normally, but when trying to save normal consent for this vendor, it's not being included in the TC string. I use the function tcModel.vendorConsents.set(), pass this array as the value:
[279], and get this tcstring: CQCQqgAQCQqgAF-feBENAXEgAAAAAAAAAB5YAAAAAAAA.YAAAAAAAAAAA, by using this function TCString.encode(tcModel);

I saw some people reporting that it's expected behaviour and vendors without purposes should be ignored, but here https://www.uniconsent.com/ and here https://iabtcf.com/#/encode they are being saved into the TC string. So I'm super confused.

So my question is:
How should we treat and handle vendors without purposes, but only with special purposes? Should we have a toggle for users to opt in/out? But if so, how could we implement it in the TC string if it's being ignored during encoding?

@jedlikk jedlikk added the bug Something isn't working label Jul 24, 2024
@sevriugin
Collaborator

The IAB vendor 279 does not have any consent legal basis purposes, so it is not possible to enable or disable this vendor with consent legal basis. It has legitimate interest purposes, and in this case the Vendor Legitimate Interest status will work for this vendor, and the vendor will appear in this vector in tcModel. The special purposes are LIs but "No right-to-object to processing under legitimate interests via the Framework." based on IAB TCF Policy, and there is not any way to collect / save user choice for special purposes.

@jedlikk
Author

jedlikk commented Jul 25, 2024

Thank you for your answer, so another question. How do the encoder and this CMP (https://www.uniconsent.com/) manage to save it as both Legitimate Interest and normal consent?
CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-IwP2ar-N-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

@sevriugin
Collaborator

The format of the string is not correct, so it's difficult to say what is inside

Screenshot 2024-07-25 at 10 28 51

@jedlikk
Author

jedlikk commented Jul 25, 2024

Sorry, mistake in pasting:

CQCT9cAQCT9cABEADBPLA-FoAP_gAEPgAAwIH7NV_G__bXln-X716ftkeY1f9_h7rsQxBhfJs-4FyLvW_JwX32EzNE36pqYKmRIAu3bBIQNtHIjUTUChaogVrTDsak2MoTNKJ6BkiHMRe2dYCF5vmwlD-QKZ5vr_93d52R_t_dr-3dzyz5Vnv3a9_-b1WJidK58tH_v_bROb-_IwP2ar-N_-2vLP8v3r0_bI8xq_7_D3XYhiDC-TZ9wLkXet-TgvvsJmaJv1TUwVMiQBdu2CQgbaORGomoFC1RArWmHY1JsZQmaUT0DJEOYi9s6wELzfNhKH8gUzzfX_7u7zsj_b-7X9u7nlnyrPfu17_83qsTE6Vz5aP_f-2ic39-RgAA

@sevriugin
Collaborator

sevriugin commented Jul 25, 2024

I think they use tcModel.vendorConsents.set(279); that did not check any constraints, and as a result the generated string is not correct from a regulation (policy) point of view.

@jedlikk
Author

jedlikk commented Jul 25, 2024

I tried it that way and still can't see,

but good to know that's not my mistake and that's just the way it's supposed to be. Thanks for your answers.

@HeinzBaumann
Collaborator

We reviewed this in the TCF compliance team. It is possible for vendors to not declare any purposes but only special purposes. The behavior of the library is correct. The CMP that you list, if it allows setting purposes for vendors that are not exposing purposes, is not compliant with the TCF policy. This would need to be fixed by the CMP.

@morinel

morinel commented Jan 14, 2025

How would you propose the UI should be shown for these vendors? A checkbox / toggle does not make sense as storing the enabled status for that vendor in the TCString is not supported and hence will show this vendor as always “not consented” even if “Consent all” has been chosen.

Would not showing a checkbox / toggle make it more transparent for a visitor that this vendor does not request consent?

Additionally, I think the library should not allow to set vendor consent for a vendor without purposes, nor should setAllVendorConsents set consent for vendors without purposes:

const tcModel = new TCModel(gvl);
tcModel.setAllVendorsAllowed();
tcModel.setAllPurposeConsents();
tcModel.setAllPurposeLegitimateInterests();
tcModel.setAllVendorConsents();
tcModel.setAllVendorLegitimateInterests();
tcModel.setAllSpecialFeatureOptins();
tcModel.cmpId = CMP_ID;
tcModel.cmpVersion = 1;
// Should be false, but currently is true
tcModel.vendorConsents.has(279);

Your insights and opinions are highly appreciated.

@HeinzBaumann
Collaborator

Regarding the UI, I remember that some of the CMPs that I am familiar with don't show vendors w/o any purpose consent declared in their UI. Typically they differentiate in the UI between vendors using consent and vendors using LI. In the case of your example, that vendor would not show under vendors using consent but will be listed under vendors using LI. The user can toggle the opt out for LI. That vendor's consent signal will always be 0.
Regarding the library, I will need to double check this in the debugger. From looking in the code, it does have a step to check for no consent and if so to reset the flag to 0.
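
The rule discussed in this thread (a vendor that declares no consent purposes never carries a vendor-consent bit, and special purposes offer no user choice), written out as an added example that is not part of the thread and is not code from @iabtcf/core. The vendor records are constructed, the function names are hypothetical, and flexible purposes and publisher restrictions are not modelled.

```javascript
// Constructed GVL-style records (illustrative, not real vendor-list data).
// 279 has the shape described in the thread: no consent purposes, but
// legitimate-interest and special purposes. 500 declares special purposes only.
const VENDORS = {
  10:  { purposes: [1, 3, 4], legIntPurposes: [7],    specialPurposes: [1] },
  279: { purposes: [],        legIntPurposes: [2, 7], specialPurposes: [1, 2] },
  500: { purposes: [],        legIntPurposes: [],     specialPurposes: [2] },
};

// Decide which control, if any, the CMP UI should render for each vendor.
function groupVendorsForUi(vendors) {
  const ui = { consentToggle: [], legIntToggle: [], disclosureOnly: [] };
  for (const [key, v] of Object.entries(vendors)) {
    const id = Number(key);
    if (v.purposes.length > 0) ui.consentToggle.push(id);
    if (v.legIntPurposes.length > 0) ui.legIntToggle.push(id);
    // Special purposes carry no user choice, so there is nothing to toggle.
    if (v.purposes.length === 0 && v.legIntPurposes.length === 0) {
      ui.disclosureOnly.push(id);
    }
  }
  return ui;
}

// Filter vendor-consent IDs before encoding, or audit IDs decoded from a
// TC string produced elsewhere: anything in `dropped` must be a 0 bit.
function checkVendorConsents(vendors, consentIds) {
  const kept = [];
  const dropped = [];
  for (const id of consentIds) {
    const v = vendors[id];
    if (!v) {
      dropped.push({ id, reason: 'not in vendor list' });
    } else if (v.purposes.length === 0) {
      dropped.push({ id, reason: 'declares no consent purposes' });
    } else {
      kept.push(id);
    }
  }
  return { kept, dropped };
}

// "Consent all" over the whole list still leaves 279 and 500 without a bit.
const consentAll = checkVendorConsents(VENDORS, [10, 279, 500]);
console.log(groupVendorsForUi(VENDORS), consentAll);
```

Run against the vendor-consent IDs decoded from another CMP's string, a non-empty `dropped` list is the policy violation described above.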
