From 87e605efc2d7be1b51154b446ec5b3cbe33ffdfe Mon Sep 17 00:00:00 2001 From: Heinz Baumann Date: Wed, 29 Nov 2023 10:38:31 -0800 Subject: [PATCH] specified frequency to update cached device storage JSON and guidance using previous stored JSON --- TCFv2/IAB Tech Lab - CMP API v2.md | 2 +- ...or Device Storage & Operational Disclosures.md | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/TCFv2/IAB Tech Lab - CMP API v2.md b/TCFv2/IAB Tech Lab - CMP API v2.md index 3eee1234..acb4f444 100644 --- a/TCFv2/IAB Tech Lab - CMP API v2.md +++ b/TCFv2/IAB Tech Lab - CMP API v2.md 
@@ -825,7 +825,7 @@ If the argument is an integer higher than `1`, the CMP shall invoke the callback ### What does the gdprApplies value mean? -`gdprApplies` is a `boolean` value that may be `undefined`. A CMP shall determine whether or not GDPR applies in its current context and set the `gdprApplies` value. A publisher may determine that GDPR applies to all traffic on their site and signal their CMP to always return `true` for `gdprApplies`, a CMP may invoke a geo-tagging service call to make a determination on a specific user or may have some other proprietary solution for determining whether or not GDPR applies in accordance with [TCF Policy](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/). In any case, vendors shall respect the value of `gdprApplies` put forth by the CMP. If `gdprApplies` value is `undefined` but exists in the schema outlined in the response object in this document, then calling scripts shall assume that the CMP is still pending a determination on whether or not GDPR applies in this context. +`gdprApplies` is a `boolean` value that may be `undefined`. A CMP shall determine whether or not GDPR applies in its current context and set the `gdprApplies` value. A publisher may determine that GDPR applies to all traffic on their site and signal their CMP to always return `true` for `gdprApplies`, a CMP may invoke a geo-tagging service call to make a determination on a specific user or may have some other proprietary solution for determining whether or not GDPR applies in accordance with [TCF Policy](https://iabeurope.eu/iab-europe-transparency-consent-framework-policies/). In any case, vendors shall respect the value of `gdprApplies` put forth by the CMP. If `gdprApplies` value is `undefined` but exists in the schema outlined in the response object in this document, then calling scripts shall assume that the CMP is still pending a determination on whether or not GDPR applies in this context. 
Note: For mobile all booleans are written as `Number` (integer). ### Details for vendors diff --git a/TCFv2/Vendor Device Storage & Operational Disclosures.md b/TCFv2/Vendor Device Storage & Operational Disclosures.md index fbf48803..134057f3 100644 --- a/TCFv2/Vendor Device Storage & Operational Disclosures.md +++ b/TCFv2/Vendor Device Storage & Operational Disclosures.md 
@@ -191,17 +191,20 @@ There is no mechanism for requesting alternate translations. For widest readabil ### Around the JSON file -The vendor publishes the information and provides the URL (the specification makes no assumptions or requirements about the URL) to the TCF during the registration process. This file : +The vendor publishes the information and provides the URL (the specification makes no assumptions or requirements about the URL) to the TCF during the registration process. This file: - is in JSON format, -- is created, named and published by the vendor, +- is created, named, and published by the vendor, - is publicly accessible, - contains cookies and/or other storage mechanisms (Localstorage etc...) and domains used for collecting and processing personal data in the context of TCF. +The URL need not be served by the Vendor’s company domain. It could be served from a CDN. + ### The role of the CMP -In order to allow CMPs to request and load the JSON on the client side, the vendor must enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) at the location servicing the URL. -However, regardless of whether the CMP requests the JSON file from the vendor's server or CMP's server, [Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) must be set to false in order to not include any cookie in the request. Vendors must respond with the appropriate `content-type` header (`application/json`) and [Cache-control directives](https://www.keycdn.com/support/cache-control) so that CMPs are accessing the latest content when fetching from users’ browsers. The URL need not be served by the Vendor’s company domain. It could be served from a CDN. - -Usually, CMP requests the file only when/if a user clicks to review additional information (it's unusual for the information to be disclosed directly on the secondary layer). 
+Usually, the CMP requests the file only when/if a user clicks to review additional information (it's unusual for the information to be disclosed directly on the secondary layer). In order to allow CMPs to request and load the JSON file on the client side, the vendor must enable [Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) at the location servicing the URL. However, regardless of whether the CMP requests the JSON file from the vendor's server or CMP's server, [Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials) must be set to false in order to not include any cookie in the request. Vendors must respond with the appropriate `content-type` header (`application/json`) and [Cache-Control Directives](https://www.keycdn.com/support/cache-control) so that CMPs are accessing and using the latest content when fetching from users’ browsers or when caching the file on their servers. A vendor should not use a cache-control directive of less than 24 hours. + +CMPs must observe vendors’ cache-control directives when caching vendors’ JSON files. When the vendor has not configured any cache-control directives or the cache-control directive is invalid (less than 24 hours), CMPs must refresh the cached vendor’s JSON file at least daily. + +In cases of unavailability of the vendor’s JSON file or non-conformance with the content and structure specified in the specifications, CMPs may rely, if available, on a previous version of the vendor’s JSON file temporarily and until the issue is resolved. (To expedite resolution, unavailability and non-conformance of a vendor’s JSON file can be reported using the non-compliance form [here](https://iabeurope.eu/tcf-non-compliance-submission-form/).) ### Access method
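Review bot: In the `@@ -825,7 +825,7 @@` hunk of `TCFv2/IAB Tech Lab - CMP API v2.md`, the removed and the added `gdprApplies` paragraph read the same word for word as shown here, so the difference is presumably whitespace only, and it is unrelated to the cache-refresh subject of this commit. Suggest dropping the hunk, or moving it to a separate whitespace cleanup commit, so the diffstat reflects only the device storage disclosure changes.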
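Review bot: In the `@@ -191,17 +191,20 @@` hunk of `TCFv2/Vendor Device Storage & Operational Disclosures.md`, the 24-hour rule is stated at two different strengths and never names a directive: the vendor sentence says "should not use a cache-control directive of less than 24 hours", while the next paragraph calls the same value "invalid (less than 24 hours)" and makes the CMP behaviour a "must". Suggest choosing one normative level, naming the directive the threshold applies to (for example `max-age`, in seconds), and saying how `no-store` and `no-cache` are treated, since they carry no duration. The fallback paragraph also lets a CMP rely on a previous file "temporarily and until the issue is resolved" with no upper bound; a maximum staleness would keep users from being shown outdated storage disclosures indefinitely. Separately, the carried-over sentence that `Access-Control-Allow-Credentials` "must be set to false" could be reworded while this paragraph is being touched: the only valid value of that response header is `true`, so the requirement is better expressed as omitting the header, and whether cookies are sent is decided by the credentials mode of the CMP's request.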