Update ozone.md: add strictly necessary cookie description #5967
✅ Deploy Preview for prebid-docs-preview ready!
| pbjs.setConfig({ | ||
| allowActivities: { | ||
| fetchBids: { | ||
| rules: [ | ||
| { | ||
| condition({componentType, adapterCode, gdprConsent}) { | ||
| return ( | ||
| componentType === 'bidder' && | ||
| adapterCode === 'ozone' && | ||
| gdprConsent?.gdprApplies && | ||
| !gdprConsent?.vendorData?.purpose?.consents?.[1] | ||
| ) | ||
| }, | ||
| allow: false | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| }) |
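Review bot: the condition fails open when `gdprConsent` is undefined. In `gdprConsent?.gdprApplies && !gdprConsent?.vendorData?.purpose?.consents?.[1]`, a missing `gdprConsent` object makes the first operand falsy, so this rule does not match and does not block the `ozone` bid request; only the case where `gdprApplies` is true and purpose 1 is absent is denied. If the intent is that ozone never runs without a purpose 1 signal, the text around this snippet should say that consent data has to be available before the auction, or the condition should be changed so that missing consent data is denied as well. The inner chain already fails closed (a missing `vendorData` counts as no consent), which is worth keeping.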
Is this simply the tcfConsent module?
| pbjs.setConfig({ | |
| allowActivities: { | |
| fetchBids: { | |
| rules: [ | |
| { | |
| condition({componentType, adapterCode, gdprConsent}) { | |
| return ( | |
| componentType === 'bidder' && | |
| adapterCode === 'ozone' && | |
| gdprConsent?.gdprApplies && | |
| !gdprConsent?.vendorData?.purpose?.consents?.[1] | |
| ) | |
| }, | |
| allow: false | |
| } | |
| ] | |
| } | |
| } | |
| }) | |
| pbjs.setConfig({ | |
| consentManagement: { | |
| gdpr: { | |
| rules: [{ | |
| purpose: "storage", | |
| enforcePurpose: true, | |
| enforceVendor: true | |
| }] | |
| } | |
| } | |
| }); |
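Review bot: the two `pbjs.setConfig` calls follow each other with no sentence saying what each one is for, so a reader can take the `allowActivities` rule for a restatement of the `consentManagement.gdpr.rules` entry with `purpose: "storage"`. Suggest one line of prose before each block: what the `fetchBids` rule blocks for `adapterCode === 'ozone'`, and what `enforcePurpose: true` and `enforceVendor: true` on the storage purpose do and do not cover. Minor style point: the first block ends with `})` and the second with `});`; pick one.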
No, these are third party cookies. The tcfControl module can only prevent first party cookies, not the third party cookies ozone is setting in violation of e-privacy. We need to demonstrate how to get rid of ozone altogether when there isn't consent because they ignore the law [or rather, insist on an unusual reading of it].
| Cookie Name: __cf_bm | ||
| Provider: Cloudflare | ||
| Purpose: This cookie is set by Cloudflare, our security and performance partner. It distinguishes between humans and bots to protect the website from automated malicious traffic. The cookie supports performance optimization and security features such as bot management and threat mitigation. | ||
| Duration: Expires after 30 minutes of inactivity | ||
| Data Collected: Encrypted, non-personally identifiable information used solely for security and performance purposes. No tracking of users across different websites or sessions. | ||
| Consent: As this cookie is strictly necessary for the functioning and security of the website, it is exempt from consent requirements under applicable data protection laws, including the UK GDPR and ePrivacy Directive. | ||
| Cookie Names: AWSALBG & AWSALBGTCORS | ||
| Provider: Amazon Web Services (via our load balancing service) | ||
| Purpose: These cookies are used to maintain session stickiness for load balancing purposes. When a load balancer receives a client request, it routes the request to a specific target server using a chosen algorithm. | ||
| AWSALBG: | ||
| Encodes and encrypts information about the selected target server. | ||
| Is automatically included in the response to the client with a fixed expiry of 7 days, which is non-configurable. | ||
| AWSALBGTCORS: | ||
| For cross-origin resource sharing (CORS) requests, some browsers require cookies with SameSite=None; Secure attributes. | ||
| This cookie is generated alongside AWSALBG and carries the same target information with the required SameSite attribute. | ||
| Duration: Both cookies expire after 7 days. | ||
| Data Collected: The cookies store information related to load balancing. The data is encrypted and used solely to ensure consistent session routing. | ||
| Consent: As these are strictly necessary technical cookies, they are exempt from user consent requirements under applicable data protection laws. | ||
| Technical Breakdown: | ||
| __cf_bm: | ||
| Cloudflare’s __cf_bm cookie is used to identify and mitigate automated traffic. It is essential for Cloudflare’s bot management and threat mitigation functions. Each end-user device visiting a protected site gets a unique __cf_bm cookie that expires after 30 minutes of inactivity. The content (except for time-related data) is encrypted and used only for computing a proprietary bot score and a session identifier if Anomaly Detection is enabled. | ||
| AWSALBG & AWSALBGTCORS: | ||
| When Amazon Web Services' load balancer receives a request, it routes the request to a target server based on a predetermined algorithm. The AWSALBG cookie encodes and encrypts information about the selected target server and is set with a fixed expiry of 7 days. For browsers that require cookies with SameSite=None; Secure attributes to support CORS, the AWSALBGTCORS cookie is generated alongside AWSALBG, containing the same target information with the necessary security attributes. |
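Review bot: the cookie names `AWSALBG` and `AWSALBGTCORS` are not consistent with each other. The text says the second is generated alongside the first for CORS requests, but its name is not the first name plus `CORS` (there is an extra `T`). Please check both names against the Set-Cookie headers the load balancer actually returns and correct whichever is misspelled, since publishers will search for these exact strings. Separately, the "Technical Breakdown" entries restate the Purpose and Duration text above almost word for word (30 minutes of inactivity, fixed 7 day expiry, SameSite=None; Secure); keeping a single copy avoids the two drifting apart.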
While these details are highly appreciated, those tend to get out of date pretty fast I would assume.
Is there a way to link to the necessary privacy declarations of AWS and cloudfront?
If that's not possible, then it is what it is.
Personally I find these assertions rather absurd and I have disabled ozone when the user does not give purpose 1 consent so as to not incur these risks. I hope they get some flak from regulators for this bizarre stance. I do not think it makes sense to link to these things on the cdn provider as it is ozone settings in that cdn provider that create them, they could easily follow the law instead.
muuki88
left a comment
Hi @patmmccann
Sorry... this took me way too long. Thanks for the clarifications, makes sense to me!
Hi @patmmccann @muuki88 - apologies for not responding sooner - I was awaiting confirmation from our infrastructure teams that they made the necessary changes to ensure these are no longer set.
disclosure on ozone strictly necessary cookies