GDPR: A technical checklist for sellers

May 31, 2018
By Garrett McGrath, VP Product, Rubicon Project

Whether you’ve enabled a consent management provider (CMP) using the IAB Europe Transparency & Consent Framework or built your own, you might still not be able to pass the consent signal properly to monetization partners like Rubicon Project.

We created the short checklist below to help you navigate the complexity of “what needs to be done and how.”  In terms of “when it needs to be done,” the answer is easy … It’s NOW!

Video & Audio Publishers

The Rubicon Project VPAID tag will automatically look for the presence of a CMP conforming to the IAB Europe Framework. No other changes are necessary if this is in place.

If the CMP Javascript is not present on the page, you will need to wrap the VPAID tag with a CMP open redirect URL.

If you are using a CMP, you must either (1) retag the existing VAST tag with the CMP open redirect url or (2) send the following additional GDPR consent parameters:

URL parameter  possible values  purpose 
gdpr 0/1 0=GDPR does not apply
1=GDPR applies
If not present, callee should do geoIP lookup, and GDPR applies for EU IP addresses
gdpr_consent URL-safe base64-encoded GDPR consent string. Only meaningful if gdpr=1 Encodes the consented-to purposes and vendor consent string, as obtained from the CMP JS API or OpenRTB

You can refer to the following VAST example (with GDPR parameters in bold):

xAPI Publishers

Our xAPI specification has been updated to include instructions for passing the required extensions in the Regs and User objects. These follow the OpenRTB GDPR advisory, found here (Q13 of the same document).

Prebid.js Publishers

Rubicon Project’s preferred header bidding wrapper is Prebid version 1.11, which supports a GDPR module that integrates against the IAB EU Consent framework. Prebid v1.11 will make any available consent data via CMPs based on the framework available to bidders who are integrated into the wrapper and also registered on the IAB Global Vendor List.

Individual demand partners using the wrapper will also need to update their adapters to Prebid v1.11 to receive consent data. maintains a list of compliant demand partners.

If you are using a version of the Prebid wrapper that does not support the GDPR consent module and you would like to pass consent through the Prebid wrapper, please work with your Rubicon Project Solutions Engineering representative to update to Prebid v1.11.

As a general best practice, you should upgrade to the latest version of Prebid as soon as you can as it offers improved performance, better handling of infinite scroll, and many upcoming features.

Prebid Server Publishers

If you are using Prebid Server hosted by Rubicon Project, you need to:

1) Upgrade your Prebid.js installation to v1.11 and incorporate the ‘consentManagement’ module.

2) Change the endpoint of Prebid Server in Prebid.js config

3) Those using the mobile app will need to modify their use of Prebid SDK

Prebid SDK Developers

iOS and Android have their own mechanisms for collecting consent and passing it to openrtb through targeting parameters. Mobile app developers will need to update to the latest version of Prebid SDK and pass these parameters through. In particular:


[[PBTargetingParams sharedInstance] setConsent:@”testconsent”];[[PBTargetingParams sharedInstance] setGdpr:FALSE];


TargetingParams.setGDPRConsentString(activity, “World”);TargetingParams.setSubjectToGDPR(activity, false);

For more information about maintaining compliance with the GDPR and passing consent data to us, check out this article by our Data Protection Officer, Eve Filip, reach out to your account manager, or shoot us an email at  

Tags: , , ,