
gdpr-transparency-and-consent-framework's Introduction


Transparency and Consent Framework

Hosted in this repository are the technical specifications for the IAB Europe Transparency and Consent Framework (TCF) that will help the digital advertising industry interpret and comply with EU rules on data protection and privacy - notably the General Data Protection Regulation (GDPR).

IAB Europe Transparency and Consent Framework v1.1

Specifications published here support the Framework, including the following v1.1 final specifications that are currently adopted in the industry:

  • Consent Management Provider JavaScript API v1.1 Final (referred to as CMP JS API v1.1)
  • Consent string and vendor list formats v1.1 Final
  • Mobile In-App CMP API v1.0

IAB Europe Transparency and Consent Framework v2

Version 2 of the TCF Specifications was released 21 August 2019, with industry adoption commencing in the first half of 2020. The v2 specifications include:

  • Consent Management Platform API v 2.0
  • Transparency and Consent String with Global Vendor List Format v 2.0

About the Transparency & Consent Framework

IAB Europe Transparency & Consent Framework (TCF) has a simple objective to help all parties in the digital advertising chain ensure that they comply with the EU’s General Data Protection Regulation and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies. IAB Tech Lab stewards the development of these technical specifications.

Resources including policy FAQ, Global Vendor List, and CMP List can be found at iabeurope.eu/tcf.

About IAB Tech Lab

The IAB Technology Laboratory (Tech Lab) is a non-profit consortium that engages a member community globally to develop foundational technology and standards that enable growth and trust in the digital media ecosystem. Comprised of digital publishers, ad technology firms, agencies, marketers, and other member companies, IAB Tech Lab focuses on improving the digital advertising supply chain, measurement, and consumer experiences, while promoting responsible use of data. Its work includes the OpenRTB real-time bidding protocol, ads.txt anti-fraud specification, Open Measurement SDK for viewability and verification, VAST video specification, and DigiTrust identity service. Board members include ExtremeReach, Facebook, Google, GroupM, Hearst Digital Media, Index Exchange, Integral Ad Science, LinkedIn, LiveRamp, MediaMath, Microsoft, Oracle Data Cloud, Pandora, PubMatic, Quantcast, Rakuten Marketing, Telaria, The Trade Desk, Verizon Media Group, Xandr, and Yahoo! Japan. Established in 2014, the IAB Tech Lab is headquartered in New York City with staff in San Francisco, Seattle, and London.

Learn more at iabtechlab.com.

About IAB Europe

IAB Europe is the leading European-level industry association for the digital advertising ecosystem. Its mission is to promote the development of this innovative sector and ensure its sustainability by shaping the regulatory environment, demonstrating the value digital advertising brings to Europe’s economy, to consumers and to the market, and developing and facilitating the uptake of harmonised business practices that take account of changing user expectations and enable digital brand advertising to scale in Europe.

Learn more about IAB Europe here: iabeurope.eu

Contributors and Technical Governance

IAB Tech Lab's GDPR Technical Working Group members provide contributions to this repository. Participants in the GDPR Technical Working group must be members of IAB Tech Lab. Technical Governance for the project is provided by the IAB Tech Lab GDPR Commit Group.

License

The IAB Europe Transparency and Consent Framework technical specifications governed by the IAB Tech Lab are licensed under a Creative Commons Attribution 3.0 License. To view a copy of this license, visit creativecommons.org/licenses/by/3.0/ or write to Creative Commons, 171 Second Street, Suite 300, San Francisco, CA 94105, USA.

Disclaimer

THE STANDARDS, THE SPECIFICATIONS, THE MEASUREMENT GUIDELINES, AND ANY OTHER MATERIALS OR SERVICES PROVIDED TO OR USED BY YOU HEREUNDER (THE "PRODUCTS AND SERVICES") ARE PROVIDED "AS IS" AND "AS AVAILABLE," AND IAB TECHNOLOGY LABORATORY, INC. ("TECH LAB") MAKES NO WARRANTY WITH RESPECT TO THE SAME AND HEREBY DISCLAIMS ANY AND ALL EXPRESS, IMPLIED, OR STATUTORY WARRANTIES, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AVAILABILITY, ERROR-FREE OR UNINTERRUPTED OPERATION, AND ANY WARRANTIES ARISING FROM A COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. TO THE EXTENT THAT TECH LAB MAY NOT AS A MATTER OF APPLICABLE LAW DISCLAIM ANY IMPLIED WARRANTY, THE SCOPE AND DURATION OF SUCH WARRANTY WILL BE THE MINIMUM PERMITTED UNDER SUCH LAW. THE PRODUCTS AND SERVICES DO NOT CONSTITUTE BUSINESS OR LEGAL ADVICE. TECH LAB DOES NOT WARRANT THAT THE PRODUCTS AND SERVICES PROVIDED TO OR USED BY YOU HEREUNDER SHALL CAUSE YOU AND/OR YOUR PRODUCTS OR SERVICES TO BE IN COMPLIANCE WITH ANY APPLICABLE LAWS, REGULATIONS, OR SELF-REGULATORY FRAMEWORKS, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH THE SAME, INCLUDING, BUT NOT LIMITED TO, DATA PROTECTION LAWS, SUCH AS THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (CANADA), THE DATA PROTECTION DIRECTIVE (EU), THE E-PRIVACY DIRECTIVE (EU), THE GENERAL DATA PROTECTION REGULATION (EU), AND THE E-PRIVACY REGULATION (EU) AS AND WHEN THEY BECOME EFFECTIVE.

gdpr-transparency-and-consent-framework's People

Contributors

a2intl, achimschloss, alextcone, alghak, anderagakura, asweeney86, ayxos, bundeskanzler4711, carloslfu, chrispaterson, cirla, dependabot[bot], dmdabbs, elizabethhamato, guillaumef, heinzbaumann, izhamoidsin, jenniferiab, katiestroudpro, lamrowena, leedehai, lon-pilot-mpf, mujuonly, patrickverdon, ptomasroos, themaskmaker, viktor-yoc, vrih, wittjill, wojtekk


gdpr-transparency-and-consent-framework's Issues

Publish the CMP Validator

According to the CMP Validator User Guide:

The Validator has been published to the Chrome Web Store in private mode. This means it
does not appear in searches and is only available to authorised users.

Only CMPs registered with the Transparency & Consent Framework (TCF), or publishers
running an IAB TCF registered CMP, are authorised to use the tool.

I find this really problematic.

I have spent considerable time explaining to an (expensive, certified) CMP vendor how their implementation is broken and violates the specification. This is extremely frustrating and a huge waste of time - for me, and for the CMP vendor, who has to read through lengthy e-mails with screenshots and complex explanations, quotes from the specification, and so on.

If there's a tool that would simply test and report problems with any given CMP, that would be hugely helpful in situations like this.

Keeping this tool under lock is also hugely harmful to open-source adoption of the TCF - I know of at least one open-source CMP that breaks the spec, and the situation is pretty much the same here: long descriptions, screenshots, quoting the spec; huge waste of time.

It's also really problematic that certified CMP vendors, with thousands of deployments, get away with this - think of the number of clients who risk being legally and financially liable for any defects or shortcomings of a CMP under the GDPR and ePrivacy Regulations.

Presumably, you use this secret tool as part of your certification process? This is also problematic. Since there are certified CMP vendors currently shipping defective products, this tells me your certification is a one-time process? If so, a one-time certification, naturally, does not guarantee that a given CMP is still compliant and functional at any later time, as they continue to develop their product.

Do you monitor certified CMPs for ongoing compliance? If so, this points to an uncovered area.

If this were open source, we, the community, could help.

If the tool were at least available to the public, clients would at least be able to regularly verify their CMP vendor for compliance - something a corporate policy or legal department would very likely stipulate, since a defective CMP is potentially a legal and financial liability.

You don't specify why this tool is kept from the public, which leaves us to speculate - and I'm not going to state my own suspicions here, but let's just say, this isn't the sort of approach that inspires trust or confidence, in you, or in a CMP vendor.

Please reconsider.

Popup not keyboard accessible

Hello - apologies if I'm raising this in the wrong place and I've got the wrong people!

I've seen this kind of popup in a few places recently:

[screenshot of the popup, taken 2018-06-21]

I noticed that the buttons - 'Update Privacy Settings', 'Sounds Good, Thanks' and 'Not Now' are not keyboard accessible (there is no way of tabbing to them). I think we're just missing a href attribute:

<a class="fp5lCfuR-1- _2psJxRh1-1- amwo9KVF-1-" automate_uuid="839647d1-16d6-4ccb-ba31-7fba5301a328"><span class="_1MrLfucw-1-">Update Privacy Settings</span></a>

Whilst we're here, looks like these buttons have nice :hover styles applied to them, can you apply the same thing to :focus so that it's clear what's in focus when the buttons are tabbed to via keyboard?

Finally, worth applying a tabindex="1" on the first button to make sure users can navigate to it right away.

If I have raised this in the wrong place, could you please point me in the right direction? I stumbled onto this repo via this IABEurope blog post, and IABEurope via this Global Vendors registration page, and consensu.org via the Network tab of the pages I've been on recently!

Thanks.

Specify which direction BitField is to be read

BitField lacks description as to how it should be understood:

1. Which direction should it be read?
At least for this point, for now I assume it is to be interpreted in the same manner as PurposesAllowed:

Purpose #1 maps to the first (most significant) bit, purpose #24 maps to the last (least significant) bit.

As in, the leftmost bit maps to vendor 1, ... rightmost bit maps to vendor MaxVendorId

2. How do the vendors get mapped to the bit index?
Which of the two following scenarios is the correct way to interpret the bit indices?

  1. Bit index maps to vendor Id
    First bit maps to vendor with vendor id = 1, second bit to id = 2, etc.

  2. Bit index maps to the index within the list of vendors
    https://vendorlist.consensu.org/vendorlist.json
    First (i.e. index 0 bit) refers to the index 0 vendor in the above vendorlist, in which case, "Emerge Sverige AB".

typo squatter on wwwmirando.de ?

In the vendor list entry for "Mirando GmbH & Co KG" the privacy policy is: https://wwwmirando.de/datenschutz/

Should this be www.mirando.de instead of wwwmirando.de?

getConsentData and consentStringVersion

What does it mean to fetch different versions of the consent string? As far as I can tell, there is one consent string stored at the "euconsent" key on the consensu.org cookie.

edit: Is it just saying to check the provided consentStringVersion against the version in the cookie and return either that consent string or null?

edit2: Also, regarding this sentence:

If consentStringVersion is provided, then fetch that version if available (else returns null).

Does that mean the argument passed to the callback should be null (I guess "returns" means "supplies to the callback" in this context)? Or does it mean just the consentData property of the provided callback should be null?

I would guess the latter but if the idea behind this document is to define predictable behavior for multiple people to independently implement, this sort of thing should be made explicit.

Implementing with safeframe

Hi,

I'm actually working on porting and using safeframe on React for GDPR purposes (react-safeframe) but it's completely unclear in my mind what the caller should do to be able to use cmp inside the safeframe.

For now, on my host side, I'm having something like

import React from "react";
import Safeframe from "react-safeframe";

const conf = {/* not important for now */};

window.__cmp = function(Command, Parameter, Callback) {
  console.log('Absolutely never passing on here');
  Callback();
};

const App = () => (
  <Safeframe conf={conf} frameUrl="http://localhost:3000/iframe.js" />
);

export default App;

And on my iframe side:

console.log("Vendor is available");

function sf_callback(msgName, data) {
  console.log(msgName);
}

$sf.ext.register(300, 250, sf_callback);
$sf.ext.cmp("getVendorConsents");

For now the Vendor is available is well displayed.

But first, sf.ext.cmp is never defined (why, or how should I proceed?), and then, nothing happens.

How can we manage to make this work? Is it possible to create an example using safeframes?

Thank you

PHP Consent Implementation

Hi,
We need the implementation of the Consent on PHP language.
Are you planning to release it in the near future?

Thanks

IFrame: Why should one wrap the __cmp call into a postMessage / message event?

To whom it may concern,

in section Without safeFrames, using postMessage of the CMP JS API v1.1 Final you discuss how the __cmp
API can be called from within an iframe by sending a postMessage to the
__cmpLocator frame.

Would you please let us know whether you have considered calling the
parent's __cmp API directly without wrapping the call into a postMessage /
message event layer?

If so, why do you suggest the wrapping?

Using the CMP API provided by http://oil.axelspringer.com/ we located the parent window
containing the __cmp function in a way similar to locating the __cmpLocator.
Then we have called that function and received the response successfully.

We are looking forward to reading your answer.

Kind Regards
Stefan Boos

--
Stefan Boos
Senior Software Developer

Ligatus D-A-CH
Ligatus GmbH, Christophstraße 19, 50670 Cologne
Executive Board: Klaus Ludemann, Arne Wolter
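The same-origin policy is the reason for the extra layer the question above asks about: a script in an iframe can call the parent's __cmp function directly only when the iframe and the parent share an origin, which a third-party iframe on a publisher page does not, whereas postMessage crosses origins by design. The example below is added here and is not code from the TCF repository or from the issue author. It shows the v1.1 envelope on both sides as plain functions that run without a browser: the iframe side wraps a call in __cmpCall with a callId and accepts a __cmpReturn only for a callId it is still waiting on, and the parent side answers only messages that carry a well-formed __cmpCall. The demoCmp implementation and its consent values are constructed; the browser-only frame lookup and listener are guarded so the rest runs in Node.

```javascript
// Added example, not the TCF repository's code: the CMP JS API v1.1 postMessage
// envelope for calling __cmp from a cross-origin iframe, as pure functions.
// Envelope field names (__cmpCall / __cmpReturn, command, parameter, callId,
// returnValue, success) and the __cmpLocator frame name are from the v1.1 spec;
// demoCmp and its consent values are constructed for the demo.

// ---- iframe side ---------------------------------------------------------

const pending = new Map();   // callId -> callback waiting for its __cmpReturn
let nextCallId = 0;

// Wrap one __cmp call in the envelope and remember its callback under the callId.
function buildCmpCall(command, parameter, callback) {
  const callId = 'cmp-' + (++nextCallId);
  pending.set(callId, callback);
  return { __cmpCall: { command, parameter, callId } };
}

// Deliver a __cmpReturn to the callback waiting for that callId. Returns false
// for anything else: unrelated messages, unknown callIds, or a replayed reply.
function acceptCmpReturn(data) {
  const ret = data && data.__cmpReturn;
  if (!ret || !pending.has(ret.callId)) return false;
  const callback = pending.get(ret.callId);
  pending.delete(ret.callId);          // each callId is answered exactly once
  callback(ret.returnValue, ret.success);
  return true;
}

// Walk up the frame tree to the window that owns the __cmpLocator child frame
// (the locator lets a cross-origin iframe find the CMP without reading parent
// properties). Browser-only; returns null where there is no `window`.
function findCmpFrame() {
  if (typeof window === 'undefined') return null;
  let f = window;
  for (;;) {
    try { if (f.frames['__cmpLocator']) return f; } catch (e) { /* cross-origin */ }
    if (f === window.top) return null;
    f = f.parent;
  }
}

// ---- parent (CMP host) side ----------------------------------------------

// Handle one incoming message. `cmp` is the page's __cmp(command, parameter,
// callback) and `send` posts the reply to the calling frame. Returns true only
// for a well-formed __cmpCall; everything else is ignored without a reply.
function handleCmpMessage(data, cmp, send) {
  const call = data && data.__cmpCall;
  if (!call || typeof call.command !== 'string' || typeof call.callId !== 'string') {
    return false;
  }
  cmp(call.command, call.parameter, (returnValue, success) => {
    send({ __cmpReturn: { returnValue, success, callId: call.callId } });
  });
  return true;
}

// Constructed stand-in for a page's __cmp: answers ping and getVendorConsents,
// and reports success=false for commands it does not know.
function demoCmp(command, parameter, callback) {
  if (command === 'ping') {
    callback({ gdprAppliesGlobally: false, cmpLoaded: true }, true);
  } else if (command === 'getVendorConsents') {
    const ids = Array.isArray(parameter) ? parameter : [1, 2, 3];
    const vendorConsents = {};
    for (const id of ids) vendorConsents[id] = id !== 2;   // constructed: vendor 2 declined
    callback({ gdprApplies: true, hasGlobalScope: false,
               purposeConsents: { 1: true }, vendorConsents }, true);
  } else {
    callback(null, false);
  }
}

// Run both sides in one process: the iframe builds the call, the parent handles
// it, and the reply is correlated back to the waiting callback by callId.
function roundTrip(command, parameter) {
  let result;
  const call = buildCmpCall(command, parameter, (value, success) => { result = { value, success }; });
  const handled = handleCmpMessage(call, demoCmp, acceptCmpReturn);
  return { handled, result };
}

// Browser wiring for the parent page; accepts the JSON-string form too.
if (typeof window !== 'undefined' && typeof window.__cmp === 'function') {
  window.addEventListener('message', (event) => {
    let data = event.data;
    if (typeof data === 'string') { try { data = JSON.parse(data); } catch (e) { return; } }
    // Reply only to the sender, targeted at its origin, so no other frame can read it.
    handleCmpMessage(data, window.__cmp, (reply) => event.source.postMessage(reply, event.origin));
  });
}
```

Two details carry the security weight: the parent replies only to event.source with event.origin as the target, so a reply cannot be read by a different frame, and the iframe discards any __cmpReturn whose callId it is not waiting for, so a stray or replayed message cannot trigger a consent callback.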

customPurposeID starts at different numbers in different specs

Unclear if this is an oversight, or just not documented, but we have these two statements:

From CMP API v1.1:

PurposeId's 1-24 indicate standard purposes, while 25-88 indicate custom (publisher-configured) purposes.

From Consent String and Vendor List Format:

CustomPurposeIds are numbered 1 to NumberCustomPurposes.

If the publisher is depending on the customPurposeId that they configured, they will need to know to check it with a 24 point offset in the PublisherConsents object, right? This isn't documented anywhere that the customPurposeId would be different across contexts.

Some consents obtained previously are invalid

In light of #68 , I think some of the consents previously obtained are invalid. This is an ecosystem problem, where the only way out is, I think, to invalidate all the bits affected, and disambiguate by creating more specific and granular bits.

These should read:

  • "Personalisation for advertising": The collection and processing of information about a user of a site to subsequently personalise advertising for them in other contexts, i.e. on other sites or apps, over time. Typically, the content of the site or app is used to make inferences about user interests, which inform future selections.
  • "Personalisation for content": The collection and processing of information about a user of a site to subsequently personalise content for them in other contexts, i.e. on other sites or apps, over time. Typically, the content of the site or app is used to make inferences about user interests, which inform future selections.
  • "Personalisation": The collection and processing of information about a user of a site to subsequently personalise content and advertising for them in other contexts, i.e. on other sites or apps, over time. Typically, the content of the site or app is used to make inferences about user interests, which inform future selections.

(note that we can't move from the ambiguous bit to the third bit listed here -- even though it is the same text-- because it is unclear how some actors inside and outside the ecosystem will have interpreted the corrupted bit, e.g. the data subject or the publishers)

Supporting Vendors not on the Vendor List

Is there a process for allowing publishers to support vendors not on the Vendor List? Given requirements to be IAB or other trade organization members as well as the associated fees there are likely to be legitimate vendors that are not on the list yet which do provide value to publishers. Does the Framework have a method by which publishers add their own vendors?

Enable CORS headers on vendorlist.json response

Hi there,
I'm able to access the vendorlist.json via browser but not via fetch. It seems the response is missing the appropriate CORS headers.

Access to fetch at 'https://vendorlist.consensu.org/vendorlist.json' from origin 
'https://andresilveirah.github.io' has been blocked by CORS policy: No 
'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque
response serves your needs, set the request's mode to 'no-cors' to fetch the resource
with CORS disabled.

Any chance of adding the headers to the response?

Change preferences again

Hi team,

it would be great if the popup didn't disappear completely after preferences are set. The user should have the option to change his/her mind and activate/de-activate as pleased.
A good example is CivikUk solution.

thanks

TCF-2 Example Strings.

The strings given as example in the TCF2 string format section do not conform to the provided rules.

The DisclosedVendor string is given as PVAfDObdrA, which in binary becomes 00111101010100000001111100001100111001101101110110101100.
From this I am getting:

  • SegmentType: 1
  • MaxVendorId: 60032
  • IsRangeEncoding: 1
  • NumEntries: 3852
    - IsARange: true

Then I get an exception, since I cannot read the next 16 bits for StartOrOnlyVendorId.

Am I missing something or are the examples invalid?

Description of parameter incorrect

In TCData object cmpStatus and eventStatus fields have contradictory description if we look at the documentation and usage. I believe that cmpStatus should refer to the ping status codes and eventStatus to the addEventListener codes and not vice versa.

TCData = {
  tcString: 'base64url-encoded TC string with segments',
  tcfPolicyVersion: 2,
  cmpId: 1000,
  cmpVersion: 1000,

  /**
   * true - GDPR Applies
   * false - GDPR Does not apply
   * undefined - unknown whether GDPR Applies
   * see the section: "What does the gdprApplies value mean?"
   */
  gdprApplies: Boolean,

  /*
   * see addEventListener command
   */
  cmpStatus: String,

  /**
   * see Ping Status Codes in following table
   */
  eventStatus: 'string', ...

Is MaxVendorId missing in Publisher Restrictions Section ?

Having a look at https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/TCFv2/IAB%20Tech%20Lab%20-%20Consent%20string%20and%20vendor%20list%20formats%20v2.md#the-core-string

In the "Vendor Legitimate Interest Section" as well as in the "Vendor Consent Section" there is a "MaxVendorId" defined, which defines the last part of a RangeEntry.

I am trying to figure out where the "Publisher Restrictions Section" RangeEntries actually end, or how to determine the end.

Many thanks in advance.

Open-source development against binary files

It is not trivial to contribute to this project while it is using binary pdf files. Specifically, there's no way to suggest changes to specific parts of the document and have them reviewed using pull requests.

It would be great if this repository had the sources to build the document. Contributions could suggest changes by issuing pull requests. IAB could use those pull requests to ask for clarifications or merge the suggestions.

Getting technical, an external process could keep the master branch sources compiled and available at all times, as the working version. Periodically, tagged releases could freeze the document into a new version, which could be made available through GitHub's repository download section and the web site.

This is way more technical than what exists today, but if this project is to move forward in a truly open-source style, expecting contribution from the industry directly on GitHub, that's the way to go.

getVendorConsents and purposeConsents

The description of the getVendorConsents command does not mention the purposeConsents property of the VendorConsents object. In fact none of the command descriptions mention this property. Is the VendorConsents object passed to the callback of a getVendorConsents __cmp() call required to include information about all consented purposes?

[question] How can I find a list of all purposeIds and what they mean?

Hi,
how can I view a detailed list of all purposes with their respective ids and their meanings? I would like to study them so I can integrate various callback functions but I don't seem to find anything related in the docs.

Just that by using getPublisherConsents I will retrieve a list of purpose Ids in my callback function but without explaining what each purpose id is.

"Data Controller" instead of "Vendor"

The API uses the term "vendor" in various areas. Since the aim is to facilitate GDPR compliance, I think it would be better to use GDPR terminology where possible.
In the case of 'vendor', the better term would be 'Data Controller', which can be a vendor but not necessarily. This brings the following benefits:

  • Using such terminology makes the APIs more clear to anyone with GDPR knowledge.
  • The APIs may facilitate a wider range of use cases.
  • The semantics for attributes in schema definitions can more easily be defined by cut-and-pasting relevant quotes from the GDPR.

Not working in Internet Explorer 11

For some reason it isn't working in Internet Explorer 11. It just shows a blank page. I tried to debug it but had no success and can't find the reason; it looks like the React app doesn't even start in IE. In development mode I get this promise error all the time (in IE11):

'Promise' is undefined

Missing 0-bits in example

Hi!
In the "Example Vendor Consent String" (part of "Consent string and vendor list formats v1.1 Final.md") there are some 0-bits missing at the end of the cookie value field bits.
These five fill-bits have to be added in order to pad the binary bits at the end with zeroes to the nearest multiple of 8 bits.
If this information is missing in the example, it stays unclear which binary bits lead to the correct base64 string.

Discrepancy between 1.1 specification and published vendor list JSON purposes and features

In previous issues that I opened but were closed without action (such as #68 and #69), I pointed out that the IAB Consent Framework was bundling two consents into one (and misleading spec readers in communicating what they were doing).

The 50M EUR fine today against Google by the CNIL confirms this (see item 160).

Please reopen the associated issues, lest you want to expose your members to similar fines (particularly, I presume, the French ones).

Machine readable CMP List

I was not able to find information if there is a machine-readable version of the registered CMPs list (equivalent of the vendorlist.json file). Does such a list exist?

This would be useful for building tools which introspect about the consent cookie.

Comments on the TCF v2 API

I'd like to provide some technical feedback on the TCF v2 API.

Based on my experience with version 1 of the API, I feel the new API has taken the command approach from the first version of the API and made it worse.

I'd like to question the benefits of a command-based API - per the example in the v2 spec:

__tcfapi('getTCData', 2, (tcData, success) => {
  if(success) {
    // do something with tcData
  } else {
    // do something else
  }
}, [1,2,3]);

I find this approach to be fragile, as demonstrated by the documentation for this particular command:

A value of false will be passed as the argument to the success callback parameter if an invalid vendorIds argument is passed with this command. An invalid vendorIds argument would constitute anything other than an array of positive integers.

In other words, client code is burdened with the responsibility of checking whether the client code itself passed valid arguments. It effectively makes argument checking optional.

I understand why it was implemented this way: you want to be able to preload a simple stub, and so of course we can't have the command call itself throwing an error for the call, since the command implementation might not actually be loaded yet.

But there's a much simpler way to defer calls to an API:

__tcfapi(2, tc => {
  try {
    var tcData = tc.getTCData([1,2,3]);
    // do something with tcData
  } catch (e) {
    // do something else
  }
});

In other words, instead of queuing and deferring individual commands, simply defer all interactions with the API entirely. (The edge case here is ping, to which the stub needs to respond immediately, so this could be changed to e.g. __tcfapi.ping())

This leads to more readable code: the arguments to the function are supplied with the actual call tc.getTCData([1,2,3]), rather than arguments floating around at the tail of the call, after the body of the callback.

It also leads to a more traditional JavaScript API: you invoke commands by merely calling a function - for synchronous commands, you can use the traditional exception-handling approach, as in the example above, while (much more likely) you wouldn't want to handle errors in your own client code at all, and likely want to simplify it even further:

__tcfapi(2, tc => {
  var tcData = tc.getTCData([1,2,3]);
  // do something with tcData
});

This is much safer and much closer to how most normal JavaScript APIs function: if you supply the wrong arguments, you get an exception. Error handling is only necessary or relevant if, for example, the argument is dynamic - in this example, as in most real use-cases, it's just a static array of values, and the error-handling mechanism really is only something you rely on to tell you (immediately) that there's something wrong with your client code.

The stub for something like this ought to be much simpler - along the lines of:

window.__tcfapi = window.__tcfapi || (function() {
  var queue = [];
  var api = cb => queue.push(cb);
  api.queue = queue;
  api.ping = () => ({
    gdprApplies: gdprApplies, // supplied by the page; where it comes from is left open in this sketch
    cmpLoaded: false,
    apiVersion: '2.0',
  });
  return api;
})();

I realize there's a bit more to it than that, but it's greatly simplified. The full implementation merely picks up window.__tcfapi.queue, replaces window.__tcfapi with the full implementation, and initializes by invoking every function in the queue.

The stub should be small enough to minify and embed directly on the page for better startup time - many stubs for version 1 of the API are already large enough that they're supplied as a separate, external script, and the version 2 sample stub is even more complex.

Because it's trivial, you can guarantee it'll never need to change, at least for the same version of the API - embedding it directly on the page is easy and safe. (You might as well just make it part of the standard, so that individual vendors don't need to supply their own stubs - and publishers can safely insert this on their page and not worry about switching to a vendor that requires a different proprietary stub, for example.)

On a side note, I don't know what good the apiVersion field in the PingResult does. In the proposed API, you have to supply the API version number yourself to invoke the ping command - you invoke it with a version number and it returns a string, which is difficult to work with, if you wanted to test for the exact version number. Either way, if I have to specify the version number to get the version number, well -- it's probably better to leave this command as separate from the main API, since it isn't supposed to queue up like other commands, and the implementation is always going to be a simple synchronous function anyhow.
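The deferral pattern the comment above proposes, carried through as an added example: this is not code from the TCF repository or from the comment's author, and it is not the TCF v2 __tcfapi command interface. The stub queues whole callbacks and answers ping synchronously; the full implementation takes over the stub's queue, swaps in the real entry point so later callers run immediately, and then runs what was queued. `host` stands in for `window` so the flow runs outside a browser; DemoCmp and its consent values are constructed.

```javascript
// Added example, not the TCF repository's code and not the TCF v2 __tcfapi
// command interface: the deferral pattern proposed in the comment above. The
// stub queues whole callbacks and answers ping synchronously; the full
// implementation takes over the queue, swaps in the real entry point and runs
// what was queued. `host` stands in for `window` so this runs outside a browser;
// DemoCmp and its consent values are constructed.

// Page-embedded stub. Never replaces an entry point that is already present.
function installStub(host, gdprApplies) {
  if (host.__tcfapi) return host.__tcfapi;
  const queue = [];
  const api = (version, cb) => {
    if (version !== 2 || typeof cb !== 'function') {
      throw new TypeError('__tcfapi(version, callback): version must be 2 and callback a function');
    }
    queue.push(cb);   // nothing runs until the implementation loads
  };
  api.queue = queue;
  api.ping = () => ({ gdprApplies, cmpLoaded: false, apiVersion: '2.0' });
  host.__tcfapi = api;
  return api;
}

// Constructed stand-in for the object every callback receives once loaded.
// Bad arguments throw, which is the behaviour the comment argues for.
class DemoCmp {
  constructor(vendorConsents) { this.vendorConsents = vendorConsents; }
  getTCData(vendorIds) {
    if (vendorIds !== undefined &&
        (!Array.isArray(vendorIds) || vendorIds.some(v => !Number.isInteger(v) || v < 1))) {
      throw new TypeError('vendorIds must be an array of positive integers');
    }
    const ids = vendorIds || Object.keys(this.vendorConsents).map(Number);
    const consents = {};
    for (const id of ids) consents[id] = Boolean(this.vendorConsents[id]);
    return { tcfPolicyVersion: 2, gdprApplies: true, vendor: { consents } };
  }
}

// Full implementation: take the stub's queue, replace the entry point so later
// callers run immediately, then run every callback that was queued, in order.
function installCmp(host, cmp) {
  const stub = host.__tcfapi;
  const queued = stub && Array.isArray(stub.queue) ? stub.queue.splice(0) : [];
  const gdprApplies = stub && typeof stub.ping === 'function' ? stub.ping().gdprApplies : undefined;
  const api = (version, cb) => {
    if (version !== 2 || typeof cb !== 'function') {
      throw new TypeError('__tcfapi(version, callback): version must be 2 and callback a function');
    }
    cb(cmp);
  };
  api.ping = () => ({ gdprApplies, cmpLoaded: true, apiVersion: '2.0' });
  host.__tcfapi = api;
  for (const cb of queued) cb(cmp);
  return api;
}

// The page's lifetime in order: stub installed, client code queued, CMP loaded.
function demoSequence() {
  const host = {};
  const log = [];
  installStub(host, true);
  host.__tcfapi(2, tc => log.push(['queued', tc.getTCData([1, 2]).vendor.consents]));
  log.push(['ping-before', host.__tcfapi.ping().cmpLoaded]);
  installCmp(host, new DemoCmp({ 1: true, 2: false, 3: true }));
  log.push(['ping-after', host.__tcfapi.ping().cmpLoaded]);
  host.__tcfapi(2, tc => log.push(['direct', tc.getTCData([3]).vendor.consents]));
  return log;
}
```

The stub refuses to overwrite an existing __tcfapi, so a page that embeds it twice, or that loads the CMP before the stub, keeps whichever entry point arrived first; the hand-over empties the stub's queue with splice so a callback queued during the drain cannot be run twice.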

Which segments can be set for a global/specific TC string?

Hi,

I was reading the specifications about the TC string format.

In "What are the different scopes for a TC String?" it is stated that:

  • Global TC strings must NOT contain Publisher restrictions or a Publisher TC segment but they may contain a DisclosedVendors segment.
  • Specific TC strings may contain Publisher restrictions, a Publisher TC segment and an AllowedVendors segment.

A few chapters below, in "TC String Format", there is different information:

For example, a globally-scoped TC String with all four segments present would be surfaced through CMP API – not stored – and look like: [ Core String ].[ Disclosed Vendors ].[ AllowedVendors ].[ Publisher TC ]

I thought Global TC strings must NOT contain Publisher restrictions or a Publisher TC segment ...

And

A service-specific TC String must contain a Core TC String and may optionally contain a Publisher TC segment, but must not contain the OOB-related segments because those segments are not allowed in service-specific contexts: [ Core String ].[ Publisher TC ]

I thought that Specific TC strings may contain Publisher restrictions, a Publisher TC segment and an AllowedVendors segment

What is true, what is false? 🤔

Thanks!

Supported Language List

I've tried to find it but I didn't. The question is: is there a list of supported languages for vendors and purposes?

Thank you

Meaning of "success" in callbacks?

Commands such as getVendorConsents provide a success flag to the callback.

I didn't find anything in the documentation explaining the purpose of this flag?

Version 1.1 of the API spec merely states:

The boolean success parameter passed to the callback indicates whether the call to getVendorConsents() was successful.

Successful at what?

When (or under what conditions) would this command be expected to fail?

More importantly, how should client code interpret a failed command?

Presumably, client code needs to check the success flag before doing anything with the VendorConsents object?

How should the callback behave if invoked with success set to false? What does it mean?
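As an added illustration (not code from the CMP JS API spec or the reference CMP), here is one way a consumer can handle the `success` flag conservatively: anything other than `success === true` with a usable result object is treated as "no consent". The `VendorConsents` field names used (`gdprApplies`, `purposeConsents`, `vendorConsents`) follow the v1.1 spec; the `decide` callback shape and the mock `__cmp` are assumptions made for this example only.

```javascript
// Added example, not code from the CMP JS API spec or the reference CMP.
// A consumer that checks the v1.1 callback's `success` flag and fails closed.

function decideVendorConsent(cmp, vendorId, purposeIds, decide) {
  let settled = false;
  // Guard against a CMP that invokes the callback more than once.
  const settle = (allowed, reason) => {
    if (settled) return;
    settled = true;
    decide(allowed, reason);
  };

  if (typeof cmp !== 'function') {
    return settle(false, 'no __cmp function on page');
  }

  cmp('getVendorConsents', [vendorId], (result, success) => {
    // A failed call, or a call with no result object, yields no consent.
    if (success !== true || !result || typeof result !== 'object') {
      return settle(false, 'CMP reported failure');
    }
    // gdprApplies === false: the consent check is not needed for this user.
    if (result.gdprApplies === false) {
      return settle(true, 'GDPR does not apply');
    }
    const vendorOk = !!(result.vendorConsents && result.vendorConsents[vendorId] === true);
    const purposesOk = purposeIds.every(
      (p) => !!(result.purposeConsents && result.purposeConsents[p] === true)
    );
    const allowed = vendorOk && purposesOk;
    settle(allowed, allowed ? 'consent present' : 'consent missing');
  });
}

// Constructed stand-in for a CMP's __cmp (assumption: only used to exercise
// the wrapper offline; a real CMP would be reached via window.__cmp).
function mockCmp(result, success) {
  return (command, parameter, callback) => {
    if (command !== 'getVendorConsents') throw new Error('unexpected command ' + command);
    callback(result, success);
  };
}

// Runs the decision synchronously against a mock and returns it.
function runDecision(cmp, vendorId, purposeIds) {
  let out = null;
  decideVendorConsent(cmp, vendorId, purposeIds, (allowed, reason) => {
    out = { allowed, reason };
  });
  return out;
}
```

The only design choice here is the default: when the CMP says the call was not successful, the caller neither retries blindly nor assumes consent, it simply does not fire the vendor.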

Error: ConsentString - Unsupported version 27 in the string to decode

I don't know if this is an appropriate place to put this issue, but I have certain browsers which can't close their consent banner because of this error:

Error: ConsentString - Unsupported version 27 in the string to decode

It is a pretty unpleasant UX for our users and I can't figure out what is going on. It is only happening when accessing our desktop site via iOS or on a Mac using Safari. When I decode the consent string, I don't see 27 as a value for any of the object properties, so I don't know what "version" this code is pointing to. Anyone seen this before?
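Both the segment/scope question above and the "Unsupported version" report come down to reading a few fixed bits of the TC string. The following is an added example, not code from the IAB repository or the Consent String SDK: it splits a v2 TC string on `.`, reads the 6-bit Version and the IsServiceSpecific bit (bit 138 of the core string in the v2 layout) and the 3-bit segment type at the start of each further segment, and reports an unsupported version instead of throwing, so a banner can still be dismissed. The sample strings are constructed by the block's own encoder with all other fields zeroed; they are not CMP-issued strings.

```javascript
// Added example, not the IAB repository's or SDK's code.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode one base64url segment (no padding) into a string of '0'/'1' characters.
function toBits(segment) {
  let bits = '';
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character "${ch}"`);
    bits += v.toString(2).padStart(6, '0');
  }
  return bits;
}

// Encode a bit string to base64url, zero-padding to a multiple of 6 bits.
function fromBits(bits) {
  const padded = bits.padEnd(Math.ceil(bits.length / 6) * 6, '0');
  let out = '';
  for (let i = 0; i < padded.length; i += 6) {
    out += B64URL[parseInt(padded.slice(i, i + 6), 2)];
  }
  return out;
}

function readInt(bits, offset, width) {
  if (offset + width > bits.length) throw new Error('segment too short');
  return parseInt(bits.slice(offset, offset + width), 2);
}

// v2 core string layout (bit offsets): Version 0-5, Created 6-41,
// LastUpdated 42-77, CmpId 78-89, CmpVersion 90-101, ConsentScreen 102-107,
// ConsentLanguage 108-119, VendorListVersion 120-131, TcfPolicyVersion 132-137,
// IsServiceSpecific 138.
const IS_SERVICE_SPECIFIC_BIT = 138;

// Segment type, the first 3 bits of every non-core segment.
const SEGMENT_NAMES = { 1: 'DisclosedVendors', 2: 'AllowedVendors', 3: 'PublisherTC' };

function inspectTCString(tcString) {
  const segments = tcString.split('.');
  const core = toBits(segments[0]);
  const version = readInt(core, 0, 6);
  if (version !== 2) {
    // Report rather than throw: a v1 string (or garbage) should not wedge the UI.
    return { version, supported: false, scope: null, segments: [] };
  }
  const serviceSpecific = readInt(core, IS_SERVICE_SPECIFIC_BIT, 1) === 1;
  const found = segments.slice(1).map((seg) => {
    const type = readInt(toBits(seg), 0, 3);
    return SEGMENT_NAMES[type] || `unknown(${type})`;
  });
  return {
    version,
    supported: true,
    scope: serviceSpecific ? 'service-specific' : 'global',
    segments: found,
  };
}

// Constructed sample core string: Version = 2, every other field zero except
// IsServiceSpecific. Assumption for the example only; not a real CMP string.
function buildSampleCore(serviceSpecific) {
  const bits = '000010' + '0'.repeat(IS_SERVICE_SPECIFIC_BIT - 6) + (serviceSpecific ? '1' : '0');
  return fromBits(bits);
}
```

Usage: `inspectTCString(buildSampleCore(false) + '.' + fromBits('001000'))` reports a global string carrying a DisclosedVendors segment, while `inspectTCString(fromBits('000001'))` reports version 1 as unsupported instead of throwing. Whether a global string is permitted to carry a Publisher TC segment is the policy question raised in the issue above; this inspector only reports what is present.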

Vendor Range clarification

The 'spec' currently says nothing about the vendor id ranges being supplied sorted or not. It would be nice to have this clarified. E.g.

StartVendorId[idx] is less than (or equal) to EndVendorId[idx] in the case of a range; each Range in the list of ranges is also sorted in ascending order; and there are no overlaps amongst the supplied ranges.

Also, please clarify the expected behaviour when a VendorIdRange overlaps, or exceeds the MaxVendorId value.
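As an added example (not the spec's or any SDK's code), here is what a decoder could do once the RangeEntries have been decoded into `{start, end}` objects (a single-id entry being `start === end`): a strict validator that reports every violation of the ordering rules proposed above, next to a lenient expansion that clips to MaxVendorId and tolerates unsorted or overlapping input. Which of the two behaviours a conforming decoder should adopt is precisely what the issue asks to have clarified; the function names and the `{start, end}` shape are assumptions of this example.

```javascript
// Added example, not the spec's or an SDK's code.

// Strict check: ids positive, start <= end, entries ascending, no overlaps,
// nothing beyond MaxVendorId. Returns a list of human-readable problems.
function validateVendorRanges(ranges, maxVendorId) {
  const problems = [];
  let prevEnd = 0;
  ranges.forEach((r, i) => {
    if (!Number.isInteger(r.start) || !Number.isInteger(r.end) || r.start < 1) {
      problems.push(`entry ${i}: vendor ids must be positive integers`);
      return;
    }
    if (r.start > r.end) {
      problems.push(`entry ${i}: start ${r.start} > end ${r.end}`);
    }
    if (r.end > maxVendorId) {
      problems.push(`entry ${i}: end ${r.end} exceeds MaxVendorId ${maxVendorId}`);
    }
    if (r.start <= prevEnd) {
      problems.push(`entry ${i}: start ${r.start} overlaps or is out of order with previous end ${prevEnd}`);
    }
    prevEnd = Math.max(prevEnd, r.end);
  });
  return problems;
}

// Lenient expansion: the union of all ids, clipped to [1, MaxVendorId],
// accepting reversed, unsorted or overlapping entries. Returns sorted ids.
function expandVendorRanges(ranges, maxVendorId) {
  const ids = new Set();
  for (const r of ranges) {
    const lo = Math.max(1, Math.min(r.start, r.end));
    const hi = Math.min(maxVendorId, Math.max(r.start, r.end));
    for (let v = lo; v <= hi; v++) ids.add(v);
  }
  return [...ids].sort((a, b) => a - b);
}

// Constructed inputs for illustration.
const WELL_FORMED = [{ start: 1, end: 3 }, { start: 5, end: 5 }, { start: 10, end: 12 }];
const MESSY = [{ start: 5, end: 3 }, { start: 2, end: 8 }, { start: 7, end: 30 }];
```

Usage: `validateVendorRanges(WELL_FORMED, 20)` returns an empty list, while `validateVendorRanges(MESSY, 20)` reports a reversed range, two overlaps and an end beyond MaxVendorId; `expandVendorRanges(MESSY, 20)` still yields ids 2 through 20. A decoder that only ever expands leniently will silently accept strings that a strict decoder rejects, which is why the two implementations should not be mixed across an ecosystem without the spec saying which is expected.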

Android reference app: Move away from using static callback in favor of built-in on Android result propagation

In https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-Framework/blob/master/In-App%20Reference/Android/app/src/main/java/com/smaato/soma/cmpconsenttooldemoapp/cmpconsenttool/CMPConsentToolActivity.java, please move away from using a static callback. This neither works well with the Android UI component life-cycle, nor with the Android process life-cycle.

For the purposes of notifying the caller with some result consider using result propagation - https://developer.android.com/training/basics/intents/result

Consent String SDK links are invalid

The links to the JavaScript and C Consent String SDKs from GDPR-Transparency-and-Consent-Framework/Consent String SDK/Transparency and Consent Framework Consent String SDK Resources.md lead to invalid pages.

The JavaScript link leads to https://raw.githubusercontent.com/InteractiveAdvertisingBureau/Consent-String-SDK-JS which says "404: Invalid request."

The C link leads to https://github.com/InteractiveAdvertisingBureau/Consent-String-SDK-C and that brings up a GitHub 404 page.

Cookie Format Library

Hello,
It would be great if we could pull out the cookie formatting components to create a standalone library out of the CMP reference implementation.

This component needs to be standard to ensure a reduction in formatting bugs.

Dennis

CMPConsentToolActivity should not be used as the consent tool configurator/initializator

It's a bad practice to start a CMP UI component (CMPConsentToolActivity) just to init/update CMP storage. Specifically this is happening at CMPConsentToolActivity.onCreate() method:

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Settings arrive via the launching Intent's extras.
        cmpSettings = getCMPSettingsExtra();

        if (cmpSettings == null) {
            // CMP storage is written here, then the Activity finishes without showing any UI.
            CMPStorage.setSubjectToGdpr(this, SubjectToGdpr.CMPGDPRUnknown);
            clearConsentStringPurposesAndVendors();
            finish();
            return;
        }

        // Storage is written again before it is known whether the consent UI will be shown at all.
        CMPStorage.setSubjectToGdpr(this, cmpSettings.getSubjectToGdpr());

        if (TextUtils.isEmpty(cmpSettings.getConsentToolUrl())) {
            // No consent tool URL: stored consent is cleared and the Activity finishes, still with no UI.
            clearConsentStringPurposesAndVendors();
            finish();
            return;
        }

        ...
    }

It looks unexpected to update/init CMP storage as a side effect of calling CMPConsentToolActivity.openCmpConsentToolView() and then actually not start the CMPConsentToolActivity. Why not update CMP storage directly (or via some CMPToolInitializer)?

Cookies still being collected

Hey guys,

can you please confirm how the cookies are being managed once preferences have been set.

I found that all cookies are loaded at first, even though the cookie manager shows the preferences as set.
Once preferences are set, all cookies are still there when I browse through the website and pages. The feeling I am getting is that the cookie manager is not really managing my preferences, most probably because they are all already used in the first instance.

Thank you.

A "mobile" branch is needed

The mobile environment is different than the web one. We need an empty "mobile" branch in this repo to push code.

Conflict of interest

The most significant flaw here is the names of the companies under the License section.

A "Transparency and Consent Framework" will be heavily scrutinized and discredited if published by companies who have business models that seem to depend on the lack of transparency and the lack of consent.

Initiatives towards self-regulation within the industry are an amazing step in the right direction, but ultimately the clear conflict of interest will overshadow the substance, for better or worse.

/cc @gobengo

Android reference implementation - storage inconsistency

Splitting the CMP data model into several pieces (persisting them under different SharedPreferences keys) introduces potential issues with data consistency/integrity.

For instance, it is possible to read the CMP data at the same time the storage is being updated from the CMP UI, which may result in getting some fields from the old storage state and some fields from the new storage state. Or it is possible to clear/remove/corrupt the main consent string while vendors and purposes still remain present/valid. There are other possible ways to make things messy with the current approach.

What I suggest is to create a CMP data model, which would include only the core CMP fields (cmpPresent, subjectToGdpr, consentString), make it serializable to a string (possibly JSON), and store it under a single key in SharedPreferences. There is no need for this model to serialize pre-parsed versions of the vendors/purposes strings for persisting. The pre-parsed versions of the vendors and purposes strings can be created from the consent string at any time. There is a Java library for parsing the consent string - https://github.com/InteractiveAdvertisingBureau/Consent-String-SDK-Java/blob/master/src/main/java/com/iab/gdpr/VendorConsent.java, which looks like the right tool.
