Prebid.js: CMP not found error

Created on 6 Aug 2020 · 32 Comments · Source: prebid/Prebid.js

Type of issue

bug, or maybe just a feature

Description

When prebid is loaded on the page where there is no CMP module present, we're getting an error:

"ERROR: CMP not found. Canceling auction as per consentManagement config"

Our consent management config allows auction to continue without consent or cmp module present
    gdpr: {
        cmpApi: 'iab',
        timeout: 8000,
        allowAuctionWithoutConsent: true
    }

Steps to reproduce

Described in previous section

Test page

We can provide one if needed

Expected results

Auction can continue if CMP module is not present

Actual results

Error message is shown and auction exits
"ERROR: CMP not found. Canceling auction as per consentManagement config"

Platform details

prebid version: 4.2.0-pre

Other information

By looking at the consentManagement.js file this behaviour was introduced by the following change: http://prntscr.com/tuqwhz

All 32 comments

set defaultgdprscope

Thanks for the feedback @patmmccann, but setting defaultGdprScope didn't solve it

    gdpr: {
        cmpApi: 'iab',
        timeout: 3000,
        defaultGdprScope: true
    }

@yieldlift - yes, we always need a test page

What is the scenario here?

If there's a CMP function present, PBJS expects it to respond otherwise it will cancel the auction. If there's not a CMP present, there should be no __tcfapi() function.

@yieldlift I'm going to take a look at this, if you can provide a test page that would be very helpful.

@GLStephen here is the test page: https://cdn1.opstag.com/test/index.html?widgetId=13341&pbjs_debug=true

prebid is initialized inside of an iframe, so you would have to go there to see the config, example: document.getElementById('csci-9361a68b70d8-a1c446b4-8b2751bc-9b2e1f74-957c41b8e0b47fdf').contentWindow.pbjs.getConfig()

@yieldlift based on this test page I think the issue is related to what @bretg has mentioned and the following from @jsnellbaker

  1. the allowAuctionWithoutConsent field does not work for TCF2. This was a relatively recent change, around the time I think we were implementing the gdpr enforcement stuff.
  2. If they don't have a CMP defined on the page, they should just remove the consentManagement config object from their setup. Without this config, it would bypass the module entirely when the auction is running.

Basically, it looks like you're creating an invalid state in TCF2/PBJS 4.0 which is not including any CMP functionality but including CMP config. You need to align those two things.

allowAuctionWithoutConsent was removed because it doesn't make sense in TCF2: use defaultGdprScope and enforcement flags instead to get the behavior you and your lawyers have defined.

@GLStephen The previous 3.x version was handling it correctly if there is no cmp on the page and the auction proceeded without any issues. Why is the auction aborting if there is no cmp on the page in the 4.x version?

I agree that we could consider refining the interface here -- if the CMP function doesn't exist at all, that could signal Prebid.js that it's not in GDPR scope -- consentManagement config with cmp: "iab" can be ignored.

Would like community input -- it's possible this weakens Prebid's enforcement regime, and a simple workaround would be to avoid calling setConfig when the function doesn't exist.

    // consentManagement is the publisher's existing config object
    if (typeof __tcfapi === 'function') {
        pbjs.setConfig({consentManagement});
    }

@bretg this is how I worked around the issue. Is this the recommended way?

            var consentManagement = {};
            consentManagement.usp = {
                "cmpApi": "iab",
                "timeout": 10000
            };
            if (typeof __tcfapi === 'function') {
                consentManagement.gdpr = {
                    "cmpApi": "iab",
                    "timeout": 10000,
                    "defaultGdprScope": true
                };
            }
            pbjs.setConfig({consentManagement});

@saileshd this may result in no GDPR enforcement if the CMP just hasn't loaded yet

@saileshd this will not work if the __tcfapi is defined in another window/iframe of the actual prebid code

Ok, I stand corrected. The option of looking for tcfapi() has been removed from https://docs.prebid.org/dev-docs/cmp-best-practices.html

@yieldlift and @saileshd -- you're going to have to find a safe way with your specific CMP to determine whether it's active. Once you've confirmed a given approach with your CMP, we're willing to post the approach on the page to help other users. Of course it's possible that CMP/Page integration can be done in multiple ways. Please work with your CMP vendor.
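The presence check discussed in this thread, extended to the case where Prebid runs in an iframe and the CMP sits in a parent frame. This is an added example, not Prebid.js code or any commenter's; it relies on the TCF v2 convention that the CMP stub creates an iframe named `__tcfapiLocator`, assumes the stub is installed before the check runs, and `locateTcfApi`, `buildConsentManagement` and `mockFrames` are hypothetical names.

```javascript
// Returns 'direct' when __tcfapi is callable in this window, 'locator' when
// this window or an ancestor holds the "__tcfapiLocator" iframe, else null.
function locateTcfApi(win) {
  if (typeof win.__tcfapi === 'function') return 'direct';
  var frame = win;
  while (true) {
    try {
      if (frame.frames && frame.frames['__tcfapiLocator']) return 'locator';
    } catch (e) {
      // cross-origin access denied for this frame: keep walking up
    }
    if (frame === win.top || !frame.parent || frame.parent === frame) break;
    frame = frame.parent;
  }
  return null;
}

// Builds the consentManagement object: USP always, GDPR only when a TCF v2
// CMP was located. Keys are the ones used in the configs quoted in this thread.
function buildConsentManagement(win, timeoutMs) {
  var config = { usp: { cmpApi: 'iab', timeout: timeoutMs } };
  if (locateTcfApi(win) !== null) {
    config.gdpr = { cmpApi: 'iab', timeout: timeoutMs, defaultGdprScope: true };
  }
  return config;
}

// Constructed stand-ins for window objects (not real browser frames):
// Prebid runs in `child`; the CMP stub, if any, sits in `top`.
function mockFrames(cmpInTop) {
  var top = { frames: cmpInTop ? { __tcfapiLocator: {} } : {} };
  top.top = top;
  top.parent = top;
  return { top: top, child: { frames: {}, top: top, parent: top } };
}

// In a page: pbjs.setConfig({ consentManagement: buildConsentManagement(window, 8000) });
```

If the CMP stub loads after this check runs, the check reports no CMP and the GDPR config is omitted, which is the no-enforcement case warned about in the replies above.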

Hello guys, I don't have the __tcfapi method defined in my code, so the solution suggested by @saileshd here https://github.com/prebid/Prebid.js/issues/5572#issuecomment-683027246 seems like unreachable code for GDPR settings.
My previous settings:

    pbjs.setConfig({
        consentManagement: {
            usp: { timeout: 8000 },
            gdpr: { cmpApi: 'iab', timeout: 8000, allowAuctionWithoutConsent: false }
        }
    });

and it is not working with Prebid 4.6.0. Can you please suggest a solution?

@saileshd Can you please tell me which solution you applied?

Adding my answer to this question -- I was coming up with the same error whilst testing the new Prebid v4.

We also had the allowAuctionWithoutConsent: true flag to allow auctions on v3 if no consent existed, but was trying to create the same behaviour for v4.

As mentioned before, you should follow the advice given on this page:
https://docs.prebid.org/dev-docs/cmp-best-practices.html

FYI -- I did not know about this page until I Googled this problem and found the link here.

@bretg can you please make a more prominent link on the site's sidebar for this page? As I believe it contains vital info for upgrading v3 -> v4 and config Prebid changes that were not mentioned in the Prebid blog release post.

@tandalevaibhav if you have consentManagement defined by default, then you may want to do that same approach as I opted for in the end.

If you don't have the CMP or TCF API loading on your non-GDPR pages, you can do something similar to @saileshd approach - mine is just the reverse:

var CMP_TIMEOUT = 8000;
var consentManagement = {
    gdpr: {
        cmpApi: 'iab',
        timeout: CMP_TIMEOUT,
        defaultGdprScope: true // TCF 2.0 & PBJS v4+
    },
    usp: {
        cmpApi: 'iab',
        timeout: CMP_TIMEOUT
    }
}

if (typeof __tcfapi !== 'function') {
    delete consentManagement.gdpr;
}

pbjs.setConfig({consentManagement})

Currently we have the TCF API loading on all countries - but this code works for both CMP and no-CMP pages.
We always load our CMP before Prebid initialises and our CMP stub code contains the __tcfapi function, which makes it safe.

From what I see in the code of the consentModule:

The cmpVersion is set to 0, and then when __tcf is found is set to 2, or when __cmp is found it is set to 1.
When the timeout is hit, the cmpVersion should still be set to 0.

In the flow of cmpTimedOut -> cmpFailed and exitModule there are checks for when the cmpVersion is set to 1 to continue auctions without consent. This no longer works as the cmpVersion never changed from 0 when no consent provider was found.

So from what I see the current implementation of timeout, it only makes sense when the cmp/tcf does get loaded, but the callback for the consent data is delayed. It does not make sense when the CMP is loaded in too slow.

bretg can you please make a more prominent link on the site's sidebar for this page? As I believe it contains vital info for upgrading v3 -> v4 and config Prebid changes that were not mentioned in the Prebid blog release post.

Place links in the left-nav and on the modules index page.

So where are we with this issue?

the timeout does not make sense when the CMP is loaded in too slow.

Is there anything requested here -- code or documentation?

From the documentation it was unclear that you can disable the consent module by removing the consent part from prebid's config.

To elaborate, in our setup we have users for which we load in a CMP, and others for which we don't. At first I was afraid I'd have to build two versions of prebid, one with and one without the consent module, and serve the correct version because I couldn't configure prebid what to do when a CMP was not found.

@ReinoutStevens I think this is covered in the CMP Best Practices, but I'm not sure. https://docs.prebid.org/dev-docs/cmp-best-practices.html Can you take a look and let us know if we need to make something clearer? The below quote is in the page, but it's admittedly sort of buried. Maybe we need to make it a top order item like our explanation of gdprApplies is.

When in the EEA, the page sets consentManagement config, but when not in the EEA, the page avoids setting the consentManagement config, turning off GDPR enforcement.

@GLStephen The best practices covers it fairly well, but I only found that page after google pointed me to it ( via another github issue I think ), and I did not encounter it when reading the consent management documentation ( https://docs.prebid.org/dev-docs/modules/consentManagement.html ). The best practices are linked on the bottom of that page, but tbh 'best practices' does not really indicate that I should read it for implementation details ( nor did I scroll that far :p )

We can't call it an "implementation guide" because it's not really that. I've placed links to the doc in other prominent places, including the left nav bar. Willing to accept other suggestions.

@yieldlift @ReinoutStevens Is this resolved as best we can at this point?

for me this is resolved

although the solution I proposed above seems to be working, I'm not sure if that is the right way. If we are using multiple CMPs on different sites, then there is no correct way to handle it unless the prebid.js framework handles it correctly like how it was doing in the 3.x version.

Prebid is handling it correctly for TCF2.0 which post transition is the only relevant standard. tcfapi is part of the spec and should be available in any CMP or the CMP is in error? Where do you see an issue with multiple/different CMPs?

@GLStephen the problem is that if we have the config management with the gdpr config
    gdpr: {
        cmpApi: 'iab',
        timeout: CMP_TIMEOUT,
        defaultGdprScope: true // TCF 2.0 & PBJS v4+
    }
and there is no CMP on the page then the auction just aborts silently.

In my opinion prebid should NOT be enforcing the publishers to have the right implementation of the GDPR TCF2.0 on their pages but should be able to handle it correctly if it is not implemented.
So, if my site does not implement the CMP correctly, then the auction should not fail but should continue by removing the GDPR config internally itself. Asking the prebid integration code to do that based on whether the CMP is integrated correctly or not on the site is not the right solution.

That's where the 3.x version was handling it elegantly and left it to the site publisher to correctly configure their site.

@saileshd I understand your frustration on this change. The current state is not going to change as it was determined as the appropriate behavior of Prebid and is explicitly by design in Prebid for TCF2. I'm going to close this ticket as it is resolved to the best of our ability at this point. If you have further items please post another issue. Enjoy!

if my site does not implement the CMP correctly, then the auction should not fail but should continue by removing the GDPR config internally itself

For the record, we disagree with this:

  • By including and configuring the gdprEnforcement module, a publisher is asking Prebid.js to help them address regulatory needs. For us to ignore implementation problems would not likely impress auditors.
  • If you don't want Prebid.js to enforce rules in any given scenario, there are at least 4 ways of dealing:

    • don't include the enforcement module in the build where it's not needed

    • alter config to turn off enforcement of a given purpose (e.g. Purpose 2) in the relevant scenarios

    • add vendorExceptions as desired

    • build javascript that sniffs the CMP state and turns on/off the enforcements you want

We recognize that integration of Prebid.js and CMPs was harder than we had anticipated, and apologize for not having pushed harder to collect CMP best practices sooner. That said, we needed the real-world experience of many publishers using several CMPs and running into practical problems to motivate and refine that document. It's probably not done yet -- we welcome revisions.

But we don't regret making default enforcement policies stringent. If you and your lawyers want to loosen them, all the tools are there.

I think I found the line in the code which is causing the confusion here.

https://github.com/prebid/Prebid.js/blob/master/modules/consentManagement.js#L420

Here you can see it only lets auction continue if cmpVersion === 1

This value cmpVersion is only set to 1 if it finds a CMP on the page.

Otherwise it is stuck at 0 until it finds either a CMP or TCFAPI.

This may be intended.

In cmpVersion === 1 world, we did not have to know which version was on the page, it was only ever the one.

But if a pub is trying to turn on Consent Management for a cmpVersion 2 world, and we remove this cmpVersion === 1 check, then we will allow auctions when maybe we really should not.

So I think this is just a result of the migration from version 1 to 2.

Maybe we can add a new config for defaultCmpVersion so that publishers can let prebid know (hey, I am only setting version 1).

@robertrmartinez
Thanks for your summary. I run into exactly the same issue. I think there should be also a check for cmpVersion === 0 to skip the consentModule if __tcfapi stub was not included in the page at all.

https://github.com/prebid/Prebid.js/blob/fb958509e90c61c5c8861ff822f7702a847088ed/modules/consentManagement.js#L420

should be:

if (allowAuction.value && (cmpVersion === 1 || cmpVersion === 0)) {