Prebid SDK support for SharedID

[bretg]

As more of the ecosystem supports SharedID, it's time to consider adding support for it to PBSDK.

Proposal:

1. Create a way for app developers to opt into having Prebid SDK generate a shared ID. e.g. Prebid global class function createSharedId()
2. This function would need to check for permission:
   1. If LimitAdTracking (LMT) is set, there's no permission. Remove any previously stored SharedID value.
   2. If GDPR is in scope and there's not Purpose 1 consent, remove any previously stored SharedID value. See GDPR Device Access consent and reading/writing of cookies #375, involving gdprApplies and deviceAccessConsent.
   3. On iOS, if ATTS is other than 3, remove any previously stored SharedID value.
3. If allowed to create SharedID and it doesn't already exist in device local storage, generate a UUID as per generateUUID in https://github.com/prebid/Prebid.js/blob/master/src/utils.js and stored it.
4. When building the ORTB, check device local storage and append the following ORTB object to the user.eids array:

{
  "source": "pubcid.org",
   "uids": [{
            "id": 'SHAREDID_VALUE',
            "atype": 1
        }]
}

[jdwieland8282]

Would Yahoo offer a legal opinion of how setting a SharediD on the device would comply with the various regulatory environments, ex. gdpr, cpra, etc..

[bretg]

Discussed in the Identity committee - flipped to ready-for-dev

[bretg]

Took this out of ready-for-dev, as it was discussed in a Prebid Mobile committee meeting. There's some skepticism about the value of SharedID -- in iOS, if ATTS is 3, then bidders can have the Device ID. If that's the only scenario where we're setting SharedID, then it doesn't bring much incremental value.

Here are the ATTS values:

0 = not determined
1 = restricted
2 = denied
3 = authorized

Looking at Apple's ATTS page, seems that it's about "access their device’s advertising identifier". So requiring ATTS 3 for SharedID may be overkill because it does not identify the user across apps? Given this doc, I don't know how 'restricted' differs from 'not determined'.

But in any case, even if we stay with the ATTS 3 requirement, perhaps there's still value in the Android environment?

[bretg]

Discussed with Prebid legal counsel. It was agreed that because SharedID is different across different apps, SDK would not need to check either LMT or ATTS. Just GDPR Purpose 1 when in scope. Even if GDPR is in-scope, it would be ok to keep the value in app memory for the session.

Other advice:

• keep it opt-in at the app developer level
• make sure it's clear to app developers what Shared ID is. The word "shared" is misleading.
• encourage app developers to check with their lawyers. If their legal team is uncomfortable with any aspect of SharedID (including session persistence), they should not opt-in to the use of the feature

However, after the meeting, I realized that we have an issue that will prevent this from being truly effective: Prebid Server doesn't pass EIDs when it sees the LMT flag. See PBS issue 833. So PBSDK generating SharedID even in LMT scenarios isn't going to do anything.

I'm not willing to create a hard-coded exception in Prebid Server to preserve just SharedID, but will open an issue to discuss a more generic configuration of which EIDs should be filtered/unfiltered in privacy scenarios. This would allow PBS host companies to analyze which EIDs are privacy-affecting, and which aren't.

[YuriyVelichkoPI]

@jclou will you or your company provide an Android PR for this feature?