Combined Sourcepoint CCPA and GDPR TCFv2 Code (Legacy

Change Details

Change

Date

Description

Update

10/27/2020

-Added info panel with benefits of single CNAME change

-Updated lines 23, 24, and 35 of code block to reflect improved solution

-Updated instructions on setting up messaging domain

-Added definitions for configuration parameters

This article covers the implementation steps for an updated TCFv2 and CCPA onsite configuration that utilizes an improved CDN setup and cloud infrastructure. In comparison to previous versions this updated configuration provides the following benefits once implemented.

  • Reduced risk of consent messaging being blocked by ad blockers

  • Improved performance in the delivery of first layer messages

  • Simplified implementation of optional CNAME strategy to improve the persistence of 1st party cookies in adverse browser environments.

If you wish to upgrade from a previous TCFv2 and CCPA configuration you will have to change your current Sourcepoint cnaming setup as outlined in this article. The minimum version of the CCPA client-side library is 1.0.44 and above. The minimum version of the TCFv2 client-side library is 1.1.3 and above. If you are hosting the client-side library in your own CDN you will have to update the library versions in order to benefit from these improvements.

Overview

Setting up Sourcepoint’s combined CCPA and GDPR TCFv2 solution is a simple process that publisher teams can follow to get up and running quickly. This document is a quick start guide on how to implement a Do Not Sell (my data) experience on your website using Sourcepoint’s Javascript code-snippet along with Sourcepoint's GDPR TCFv2 solution. The JS code-snippet needs to be placed on your site, preferably in the head tag before any advertising technology scripts implemented on your site. The goal of the implementation is to render a Do Not Sell (my data) notification required under CCPA and syndicate the user's privacy settings to any relevant third party technology running on your site along with a GDPR TCFv2 message when appropriate. The Sourcepoint script implementation has been optimized for high performance and fast delivery.

Below are the tags and libraries necessary to serve a CCPA "Do Not Sell" message and a GDPR TCFv2 message.

Configuration Details

<script type="text/javascript">
//GDPR Stub file
!function () { var e = function () { var e, t = "__tcfapiLocator", a = [], n = window; for (; n;) { try { if (n.frames[t]) { e = n; break } } catch (e) { } if (n === window.top) break; n = n.parent } e || (!function e() { var a = n.document, r = !!n.frames[t]; if (!r) if (a.body) { var i = a.createElement("iframe"); i.style.cssText = "display:none", i.name = t, a.body.appendChild(i) } else setTimeout(e, 5); return !r }(), n.__tcfapi = function () { for (var e, t = arguments.length, n = new Array(t), r = 0; r < t; r++)n[r] = arguments[r]; if (!n.length) return a; if ("setGdprApplies" === n[0]) n.length > 3 && 2 === parseInt(n[1], 10) && "boolean" == typeof n[3] && (e = n[3], "function" == typeof n[2] && n[2]("set", !0)); else if ("ping" === n[0]) { var i = { gdprApplies: e, cmpLoaded: !1, cmpStatus: "stub" }; "function" == typeof n[2] && n[2](i) } else a.push(n) }, n.addEventListener("message", (function (e) { var t = "string" == typeof e.data, a = {}; try { a = t ? JSON.parse(e.data) : e.data } catch (e) { } var n = a.__tcfapiCall; n && window.__tcfapi(n.command, n.version, (function (a, r) { var i = { __tcfapiReturn: { returnValue: a, success: r, callId: n.callId } }; t && (i = JSON.stringify(i)), e.source.postMessage(i, "*") }), n.parameter) }), !1)) }; "undefined" != typeof module ? module.exports = e : e() }();
</script>
<script type="text/javascript">
//CCPA Stub file
(function () { var e = false; var c = window; var t = document; function r() { if (!c.frames["__uspapiLocator"]) { if (t.body) { var a = t.body; var e = t.createElement("iframe"); e.style.cssText = "display:none"; e.name = "__uspapiLocator"; a.appendChild(e) } else { setTimeout(r, 5) } } } r(); function p() { var a = arguments; __uspapi.a = __uspapi.a || []; if (!a.length) { return __uspapi.a } else if (a[0] === "ping") { a[2]({ gdprAppliesGlobally: e, cmpLoaded: false }, true) } else { __uspapi.a.push([].slice.apply(a)) } } function l(t) { var r = typeof t.data === "string"; try { var a = r ? JSON.parse(t.data) : t.data; if (a.__cmpCall) { var n = a.__cmpCall; c.__uspapi(n.command, n.parameter, function (a, e) { var c = { __cmpReturn: { returnValue: a, success: e, callId: n.callId } }; t.source.postMessage(r ? JSON.stringify(c) : c, "*") }) } } catch (a) { } } if (typeof __uspapi !== "function") { c.__uspapi = p; __uspapi.msgHandler = l; c.addEventListener("message", l, false) } })();
</script>
<script type="text/javascript">
window._sp_ = {
config: {
accountId: ACCOUNT_ID_HERE,
baseEndpoint: 'https://cdn.privacy-mgmt.com',
targetingParams: {
type: "GDPR"
}
}
}
window._sp_ccpa = {
config: {
baseEndpoint: "https://cdn.privacy-mgmt.com",
accountId: ACCOUNT_ID_HERE,
getDnsMsgMms: true,
alwaysDisplayDns: false,
targetingParams: {
type: "CCPA"
}
}
}
</script>
<script src="https://cdn.privacy-mgmt.com/wrapperMessagingWithoutDetection.js"></script>
<script src="https://cdn.privacy-mgmt.com/ccpa.js"></script>

Previous versions of this documentation included the mmsDomain and ccpaOrigin configuration parameters have been replaced by the new baseEndpoint parameter for optimization reasons.

These changes are completely backwards compatible. However, it is recommended that older implementations move to the new parameter to benefit from the optimizations.

TCFv2 Configuration Details

The first section of the snippet contains the so called IAB Stub file. The Stub file is defining the "__tcfapi" function to queue all calls into the CMP's onsite API to be released as soon as the consent information is available. It is important to have this script tag always at the top of the HTML document in the first position to avoid errors and failure of the service. To learn more about the IAB Stub file please refer to the IAB's TCF v2 Technical Specifications.

The second section of the snippet contains your account specific configuration parameters. This section sets up the parameters necessary for your website to communicate with the Sourcepoint messaging platform and establishes a communication channel with the Sourcepoint messaging and consent service libraries. In addition to the standard parameters in the example above, there are additional parameters that allow for Javascript callbacks to be triggered for different customization purposes. For GDPR TCF v2 implementations there are currently two required parameters to deliver a user notification successfully:

  1. baseEndpoint - "https://cdn.privacy-mgmt.com" is a single server endpoint from where the messaging as well as the GDPR and TCFv2 experience is served. The baseEndpoint can also be changed to a CNAMED 1st party subdomain in order to persist 1st party cookies on Safari web browser (due to Safari’s ITP) by setting cookies through the server with "set-cookie" rather than using "document.cookie" on the page. Changing the baseEndpoint domain is optional but recommended! More information can be found in our documentation on setting up a subdomain with a CNAME DNS Record.

  2. accountId – This parameter needs to be used to set the account ID you received from your Sourcepoint account manager - The ID associates your data and website with the your account in the Sourcepoint dashboard.

Other optional parameters:

  • propertyHref – Maps the implementation to a specific URL as set up in the Sourcepoint account dashboard.

  • propertyId – Maps the message to a specific property (website, app, OTT) as set up in Sourcepoint account dashboard.

  • targetingParams –This parameter enables you to create key-value pairs that can be used for targeting in the scenario builder in the Sourcepoint dashboard. Key-value pairs can be created in the following format:

targetingParams: {
key1: valueA,
key2: valueB
}
  • events – An array of events that allow Javascript callbacks to be triggered. Please refer to the Optional Callback document to learn more about how to use events as part of your setup configuration.

  • consentLanguage - If you want to ensure that the purposes or stack names listed in a consent message to remain in the same language regardless of users browser language setting, you can set this using the consent language parameter. The parameter below would be added to the config section of the Sourcepoint tag and would set the language to Dutch.

    • If this parameter is not present, the stacks and purposes will appear according the user's preferred language. A list of two-letter codes is available here.

consentLanguage: "nl"

CCPA Configuration Details

The first section of the CCPA snippet contains the IAB Stub function. The Stub function sets up the IAB US Privacy String object “__uspapi” and makes it available on queue to be called and released when needed. It is important to have this script tag always at the top in the first position to avoid errors and failure of the service.

The second section of the snippet contains your account specific configuration parameters. This section sets up the parameters necessary for your website to communicate with the Sourcepoint messaging platform and establishes a communication channel with the Sourcepoint messaging service library. In addition to the standard parameters in the example above, there are additional parameters that allow for Javascript callbacks to be triggered for different customization purposes. For CCPA implementations. there are currently four required parameters to deliver a message successfully:

  1. accountId – This parameter needs to be used to set the account ID you received from your Sourcepoint account manager - The ID associates your data and website with the your account in the Sourcepoint dashboard.

  2. baseEndpoint - "https://cdn.privacy-mgmt.com" is a single server endpoint from where the messaging as well as the CCPA experience is served. The baseEndpoint can also be changed to a CNAMED 1st party subdomain in order to persist 1st party cookies on Safari web browser (due to Safari’s ITP) by setting cookies through the server with "set-cookie" rather than using "document.cookie" on the page. Changing the baseEndpoint domain is optional but recommended! More information can be found in our documentation on setting up a subdomain with a CNAME DNS Record.

  3. getDnsMsgMms - As an alternative to establishing the communication with the message management service through the mmsDomain, you can set this value to false to establish the channel through the ccpaOrigin URL. This approach enables uses cases in where a CCPA Do Not Sell (my data) notification is shown on the website without creating a campaign in the Sourcepoint dashboard.

  4. alwaysDisplayDns - Setting this parameter to true enables use cases where a Sourcepoint Do Not Sell (my data) notification is hardcoded.

Other optional parameters:

  • propertyHref (GDPR TCFv2 only)– maps the message to a specific URL.

  • siteHref (CCPA only)– maps the message to a specific URL.

  • siteId – maps the message to a specific property (website, app, OTT)

  • targetingParams –This parameter enables you to create key-value pairs that can be used for targeting in the scenario builder in the Sourcepoint dashboard. Key-value pairs can be created in the following format:

targetingParams: {
key1: valueA,
key2: valueB
}

Setting up The Messaging Domain

Setting up a first-party subdomain with a CNAME record for the baseEndpoint is optional. The goal of creating a first-party subdomain is for the CCPA and TCFv2 Javascript libraries to communicate with the Sourcepoint messaging server in a first-party capacity. The benefit of this approach is to allow Sourcepoint cookies to be “first party” and thus, circumventing Safari’s Intelligent Tracking Prevention (ITP). This creates a discrete messaging channel between the publisher’s messaging subdomain and the Sourcepoint messaging server. For instructions on creating a first-party subdomain and the adding a CNAME record to point to the Sourcepoint servers, please read the documentation on setting up a subdomain with a CNAME DNS Record.

You can utilize the same CNAME for both CCPA & GDPR