Prebid 4.x made important changes in how the GDPR Consent Management module functions. Here's what these changes mean for publishers:
- Publishers upgrading from Prebid 3.x versions of OpenWrap to Prebid 4.x versions need to review their implementations to see if changes need to be made in order to function correctly with Prebid 4.x.
- Prebid has stopped making updates to Prebid 3.x, so in the near future only Prebid 4.x versions of OpenWrap will be available.
Starting in Prebid 4.x, the 'Allow Auction Without Consent' setting is deprecated, which means if the Consent Management module is included and no CMP (Consent Management Platform) is found on the page, all auctions will be aborted and no bids returned.
In the OpenWrap UI, the 'Auction on CMP Failure' flag sets the underlying Prebid 'Allow Auction Without Consent' flag. With Prebid 3.x, if the 'Auction on CMP Failure' was set and the CMP was not found, the auction would still proceed. But this behavior is no longer available with Prebid 4.x, so if GPDR Consent is enabled, it's extremely important to either ensure a CMP is present and fully loaded before requesting bids or to set a hard coded CMP response in instances where a CMP is not loaded because you as the publisher have independently determined the user is not subject to the GDPR.
If GDPR is enabled in your OpenWrap profile, the GDPR Consent Management module will be included in your OpenWrap bundle.
What To check when migrating to a Prebid 4.x-based version:
Case 1: A CMP is not used
If you are never loading a CMP for any users on your site, Consent Management needs to be disabled when moving to a Prebid 4.x based OpenWrap version. Even with Prebid 3.x based versions, there was no advantage to enabling the Consent Management module. With Prebid 3.x and "Allow Auction Without Consent" enable, the Consent Management module would look for a CMP loaded on the page and if not found proceed.
Case 2: CMP is loaded for users in the European Union only
If you are detecting the user's geographic location and only loading the CMP for users in the European Union, then with Prebid 4.x, you have three choices:
Use two OpenWrap profiles, one with Consent Management enabled and one without. Then decide which profile to load using the same logic as you do to determine whether to load the CMP.
Set a hard-coded CMP response when not loading the CMP.
Here's the code to execute ahead of any bid requests to OpenWrap when not using a CCPA module:
If you the CCPA module is enabled, this is code to execute ahead of any bid requests:
It's necessary to set the
usp parameters since they will get overwritten when calling
setConfig() with a consent management object.
Either code snippet can set via the Custom Code functionality in the OpenWrap profile. These code snippets must only be executed when you are not loading a CMP and have confirmed that the user is subject to GDPR.
Start loading your CMP for all users. This option is the most future-proof. As regulations continue to evolve, relying on a CMP to determine which users are subjected to which regulatory regimes will remove the need to keep updating on-page code every time regulations change.
Case 3: CMP is loaded for all users
No changes are needed, but you should verify that the CMP load order is correct.
CMP load order
If you're using a CMP with OpenWrap, the Prebid 4.x changes means it's important to ensure the CMP fully loads before requesting any bids from OpenWrap.
PWT.requestBids() until the CMP is loaded. If you're using OpenWrap's GPT integration, do not call
display() on GPT slots until the CMP has fully loaded.