Switzerland privacy: account-level override for the list of EEA countries

[bretg]

Got advice from legal about adding Switzerland to the TCF-EU behavior list.

As done in prebid/prebid-server-java#3186, please update PBS-Go to ad 'ch' to the list of default EEA countries. Couldn't find it in the repo.

[bsardo]

@bretg can you expand on the motivation for including this? This appears to be a controversial subject. It is the committee's understanding that TCF does not necessarily apply in Switzerland and that some publishers there take it upon themselves as to whether they want to enforce it. In that case, the gdpr applies signal would be set indicating that they want to enforce. If that field is not set, it could be considered an overreach in that PBS would attempt to enforce TCF which could be to the detriment of the publisher.
@patmmccann is interested in learning more about this discussion with legal.

[bretg]

The driver here was an email I received noting that Google's default is changing. Magnite's legal counsel advised that "Switzerland started to enforce their data protection law similar to the GDPR"

---

---------- Forwarded message ---------
From: Google Ad Manager [email protected]
Date: Fri, May 3, 2024 at 9:18 AM
Subject: New consent requirements for traffic in Switzerland
To: [email protected]

Hello,
 
Update to Google’s EU User Consent Policy
 
You’re receiving this email because you’re listed as the contact for a Google ads and/or analytics product.
 
The advertising industry as a whole is taking into consideration evolving user expectations with regards to privacy across Europe. Google is committed to providing users with consistent transparency and controls over their data. In line with this commitment, from 31 July 2024, we are expanding the scope of our EU User Consent Policy to apply to users in Switzerland. You can preview the updated policy here. Customers using Google advertising products will be required to obtain Swiss users’ consent to the use of cookies or other local storage, where legally required; and the collection, sharing and use of personal data for personalisation of ads. This is in addition to existing requirements for European Economic Area (EEA) and UK users.
 
Publisher Support
 
From 31 July 2024, in order to comply with the EU User Consent Policy, partners using our publisher products — Google AdSense, Ad Manager, or AdMob — will be required to use a certified CMP that integrates with the TCF when serving ads to users in Switzerland, in addition to the EEA and the UK.
 
After this date, if you send Google an ad request for Swiss traffic and it does not use a certified CMP (Ad Manager, AdMob, AdSense), personalized and non-personalized ads will no longer be eligible to serve. Instead, only limited ads will be eligible to serve on Ad Manager, AdMob, and AdSense. As a reminder, limited ads are significantly more restrictive than non-personalized ads; as such, relying solely on limited ads will likely impact your revenue for Swiss traffic.
 
We will continue to support your transition as you prepare for the new requirements. Please review our help center for further details (Ad Manager, AdMob, AdSense), including the full list of certified CMPs. If you are already working with a certified CMP for your EEA and UK traffic, please reach out to them to ensure they have plans to support the TCF on Swiss traffic. If you have or are building a proprietary CMP and you have not certified this CMP, you can reach out to Google using this form to register your interest in becoming certified.
 
If you use Google consent management solutions in Privacy & messaging (Ad Manager, AdMob, AdSense) to gather consent from users in the EEA and the UK, your European regulations messages will be updated automatically to obtain consent from users in Switzerland beginning 31 July 2024.
 
Until next time,
The Google Ad Manager Team

[bretg]

Done with PBS-Java 3.0

There is an outstanding request to Prebid legal counsel, but honestly I don't expect the default to change. Host companies can decide what default makes sense for them.

[bretg]

Prebid legal counsel has weighed in, essentially agreeing that there's room for interpretation in the Swiss laws:

The simplest, most conservative approach for Prebid would be to implement EU-like requirements in Switzerland (i.e., requiring user consent before dropping non-essential cookies).  However, (as the GitHub discussion reflects), it is not totally clear that consent is required in Switzerland in the same way it is in the EU. While we think that’s largely solved through publisher discretion to set their own defaults, if Prebid wanted a deeper dive on the current state of Swiss law, we would need to engage local counsel to understand the contours of when consent actually is required.

Currently this setting is global to the PBS host company, but we could pretty easily make this an account-level setting.

Another option that host companies and publishers would have is the use of Activity Controls. They could, for instance, put Switzerland in the EEA, but then globally allow certain activities by geo. e.g.

{
  "privacy": {
    "allowactivities": {
      "fetchBids": {
        "rules": [{
            "condition": {
                "geo": ["CH"]
            },
            "allow": true
        }]
      }
    }
  }
}

[bretg]

PBS-Java added account.privacy.gdpr.eea-countries config in v3.3