NAME
GDPR::IAB::TCFv2 - Transparency & Consent String version 2 parser
SYNOPSIS
The purpose of this package is to parse Transparency & Consent String (TC String) as defined by IAB version 2.
use strict;
use warnings;
use GDPR::IAB::TCFv2;
use GDPR::IAB::TCFv2::Constants::Purpose qw<:all>;
use GDPR::IAB::TCFv2::Constants::SpecialFeature qw<:all>;
use GDPR::IAB::TCFv2::Constants::RestrictionType qw<:all>;
my $consent = GDPR::IAB::TCFv2->Parse(
'CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA'
);
use feature qw<say>;
say $consent->version; # 2
say $consent->created; # epoch 1228644257 or 07/12/2008
say $consent->last_updated; # epoch 1326215413 or 10/01/2012
say $consent->cmp_id; # 21 - Traffective GmbH
say $consent->cmp_version; # 7
say $consent->consent_screen; # 2
say $consent->consent_language; # "EN"
say $consent->vendor_list_version; # 23
use List::MoreUtils qw<all>;
say "find consent for purpose ids 1, 3, 9 and 10" if all {
$consent->is_purpose_consent_allowed($_)
} ( # constants exported by GDPR::IAB::TCFv2::Constants::Purpose
InfoStorageAccess, # 1
PersonalizationProfile, # 3
MarketResearch, # 9
DevelopImprove, # 10
);
say "find consent for vendor id 284 (Weborama)" if $consent->vendor_consent(284);
# Geolocation exported by GDPR::IAB::TCFv2::Constants::SpecialFeature
say "user is opt in for special feature 'Geolocation (id 1)'"
if $consent->is_special_feature_opt_in(Geolocation);
# NotAllowed exported by GDPR::IAB::TCFv2::Constants::RestrictionType
say "publisher restriction for purpose Info Storage Access (1), restriction type NotAllowed (0) for weborama (284)"
if $consent->check_publisher_restriction(InfoStorageAccess, NotAllowed, 284);
ACRONYMS
GDPR: General Data Protection Regulation
IAB: Interactive Advertising Bureau
TCF: The Transparency & Consent Framework
CONSTRUCTOR
Parse
The Parse method will decode and validate a base64 encoded version of the tcf v2 string.
Will return a GDPR::IAB::TCFv2
immutable object that allow easy access to different properties.
Will die if can't decode the string.
use GDPR::IAB::TCFv2;
my $consent = GDPR::IAB::TCFv2->Parse(
'CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA'
);
or
use GDPR::IAB::TCFv2;
my $consent = GDPR::IAB::TCFv2->Parse(
'CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA',
json => {
verbose => 0,
compact => 1,
use_epoch => 0,
boolean_values => [ 0, 1 ],
date_format => '%Y%m%d', # yyymmdd
},
strict => 1,
prefetch => 284,
);
Parse may receive an optional hash with the following parameters:
On
strict
mode we will validate if the version of the consent string is the version 2 (or die with an exception).The
strict
mode is disabled by default.The
prefetch
option receives one (as scalar) or more (as arrayref) vendor ids.This is useful when parsing a range based consent string, since we need to visit all ranges to find a particular id.
json
is hashref with the following properties used to customize the json format:verbose
changes the json encoding. By default we omit some false values such asvendor_consents
to create a compact json representation. Withverbose
we will present everything. See "TO_JSON" for more details.compact
changes the json encoding. All fields that are a mapping of something to a boolean will be changed to an array of all elements keys where the value is true. This affects the following fields:special_features_opt_in
,purpose/consents
,purpose/legitimate_interests
,vendor/consents
andvendor/legitimate_interests
. See "TO_JSON" for more details.use_epoch
changes the json encode. By default we format thecreated
andlast_updated
are converted to string using ISO_8601. Withuse_epoch
we will return the unix epoch in seconds. See "TO_JSON" for more details.boolean_values
if present, expects an arrayref if two elements: thefalse
and thetrue
values to be used in json encoding. If omit, we will try to useJSON::false
andJSON::true
if the package JSON is available, else we will fallback to0
and1
.date_format
if present accepts two kinds of value: anstring
(to be used onPOSIX::strftime
) or a code reference to a subroutine that will be called with two arguments: epoch in seconds and nanoseconds. If omitted the format ISO_8601 will be used except if the optionuse_epoch
is true.
METHODS
tc_string
Returns the original consent string.
The consent object GDPR::IAB::TCFv2 will call this method on string interpolations.
version
Version number of the encoding format. The value is 2 for this format.
created
Epoch time format when TC String was created in numeric format. You can easily parse with DateTime if needed.
On scalar context it returns epoch in seconds. On list context it returns epoch in seconds and nanoseconds.
use GDPR::IAB::TCFv2;
use Test::More tests => 3;
my $consent = GDPR::IAB::TCFv2->Parse(
'CLcVDxRMWfGmWAVAHCENAXCkAKDAADnAABRgA5mdfCKZuYJez-NQm0TBMYA4oCAAGQYIAAAAAAEAIAEgAA.argAC0gAAAAAAAAAAAA'
);
is $consent->created, 1228644257,
'should return the creation epoch 07/12/2008';
my ( $seconds, $nanoseconds ) = $consent->created;
is $seconds, 1228644257,
'should return the creation epoch 07/12/2008 on list context';
is $nanoseconds, 700000000,
'should return the 700000000 nanoseconds of epoch on list context';
last_updated
Epoch time format when TC String was last updated in numeric format. You can easily parse with DateTime if needed.
On scalar context it returns epoch in seconds. On list context it returns epoch in seconds and nanoseconds, like the created
cmp_id
Consent Management Platform ID that last updated the TC String. Is a unique ID will be assigned to each Consent Management Platform.
cmp_version
Consent Management Platform version of the CMP that last updated this TC String. Each change to a CMP should increment their internally assigned version number as a record of which version the user gave consent and transparency was established.
consent_screen
CMP Screen number at which consent was given for a user with the CMP that last updated this TC String. The number is a CMP internal designation and is CmpVersion specific. The number is used for identifying on which screen a user gave consent as a record.
consent_language
Two-letter ISO 639-1 language code in which the CMP UI was presented.
vendor_list_version
Number corresponds to GVL vendorListVersion. Version of the GVL used to create this TC String.
policy_version
Version of policy used within GVL.
From the corresponding field in the GVL that was used for obtaining consent.
is_service_specific
This field must always have the value of 1. When a Vendor encounters a TC String with is_service_specific=0
then it is considered invalid.
use_non_standard_stacks
If true, CMP used non-IAB standard texts during consent gathering.
Setting this to 1 signals to Vendors that a private CMP has modified standard Stack descriptions and/or their translations and/or that a CMP has modified or supplemented standard Illustrations and/or their translations as allowed by the policy..
is_special_feature_opt_in
If true means Opt in.
The TCF Policies designates certain Features as "special" which means a CMP must afford the user a means to opt in to their use. These "Special Features" are published and numerically identified in the Global Vendor List separately from normal Features.
See also: GDPR::IAB::TCFv2::Constants::SpecialFeature.
is_purpose_consent_allowed
If true means Consent.
The user's consent value for each Purpose established on the legal basis of consent.
my $ok = $instance->is_purpose_consent_allowed(1);
See also: GDPR::IAB::TCFv2::Constants::Purpose.
is_purpose_legitimate_interest_allowed
The user's consent value for each Purpose established on the legal basis of legitimate interest.
my $ok = $instance->is_purpose_legitimate_interest_allowed(1);
See also: GDPR::IAB::TCFv2::Constants::Purpose.
purpose_one_treatment
CMPs can use the publisher_country_code
field to indicate the legal jurisdiction the publisher is under to help vendors determine whether the vendor needs consent for Purpose 1.
Returns true if Purpose 1 was NOT disclosed at all.
Returns false if Purpose 1 was disclosed commonly as consent as expected by the Policies.
publisher_country_code
Two-letter ISO 639-1 language code of the country that determines legislation of reference. Commonly, this corresponds to the country in which the publisher's business entity is established.
max_vendor_id_consent
The maximum Vendor ID that is represented in the following bit field or range encoding.
Because this section can be a variable length, this indicates the last ID of the section so that a decoder will know when it has reached the end.
vendor_consent
If true, vendor has consent.
The consent value for each Vendor ID.
my $ok = $instance->vendor_consent(284); # if true, consent ok for Weborama (vendor id 284).
max_vendor_id_legitimate_interest
The maximum Vendor ID that is represented in the following bit field or range encoding.
Because this section can be a variable length, this indicates the last ID of the section so that a decoder will know when it has reached the end.
vendor_legitimate_interest
If true, legitimate interest established.
The legitimate interest value for each Vendor ID
my $ok = $instance->vendor_legitimate_interest(284); # if true, legitimate interest established for Weborama (vendor id 284).
check_publisher_restriction
It true, there is a publisher restriction of certain type, for a given purpose id, for a given vendor id:
# return true if there is publisher restriction to vendor 284 regarding purpose id 1
# with restriction type 0 'Purpose Flatly Not Allowed by Publisher'
my $ok = $instance->check_publisher_restriction(1, 0, 284);
or
my $ok = $instance->check_publisher_restriction(
purpose_id => 1,
restriction_type => 0,
vendor_id => 284);
Version 2.0 of the Framework introduced the ability for publishers to signal restrictions on how vendors may process personal data. Restrictions can be of two types:
Purposes. Restrict the purposes for which personal data is processed by a vendor.
Legal basis. Specify the legal basis upon which a publisher requires a vendor to operate where a vendor has signaled flexibility on legal basis in the GVL.
Publisher restrictions are custom requirements specified by a publisher. In order for vendors to determine if processing is permissible at all for a specific purpose or which legal basis is applicable (in case they signaled flexibility in the GVL) restrictions must be respected.
Vendors must always respect a restriction signal that disallows them the processing for a specific purpose regardless of whether or not they have declared that purpose to be "flexible".
Vendors that declared a purpose with a default legal basis (consent or legitimate interest respectively) but also declared this purpose as flexible must respect a legal basis restriction if present. That means for example in case they declared a purpose as legitimate interest but also declared that purpose as flexible and there is a legal basis restriction to require consent, they must then check for the consent signal and must not apply the legitimate interest signal.
For the avoidance of doubt:
In case a vendor has declared flexibility for a purpose and there is no legal basis restriction signal it must always apply the default legal basis under which the purpose was registered aside from being registered as flexible. That means if a vendor declared a purpose as legitimate interest and also declared that purpose as flexible it may not apply a "consent" signal without a legal basis restriction signal to require consent.
publisher_restrictions
Similar to "check_publisher_restriction" but return an hashref of purpose => { restriction type => bool } for a given vendor.
publisher_tc
If the consent string has a Publisher TC
section, we will decode this section as an instance of GDPR::IAB::TCFv2::PublisherTC.
Will return undefined if there is no Publisher TC
section.
TO_JSON
Will serialize the consent object into a hash reference. The objective is to be used by JSON package.
With option convert_blessed
, the encoder will call this method.
use strict;
use warnings;
use feature qw<say>;
use JSON;
use DateTime;
use DateTimeX::TO_JSON formatter => 'DateTime::Format::RFC3339';
use GDPR::IAB::TCFv2;
my $consent = GDPR::IAB::TCFv2->Parse(
'COyiILmOyiILmADACHENAPCAAAAAAAAAAAAAE5QBgALgAqgD8AQACSwEygJyAAAAAA.argAC0gAAAAAAAAAAAA',
json => {
compact => 1,
date_format => sub { # can be omitted, with DateTimeX::TO_JSON
my ( $epoch, $ns ) = @_;
return DateTime->from_epoch( epoch => $epoch )
->set_nanosecond($ns);
},
},
);
my $json = JSON->new->convert_blessed;
my $encoded = $json->pretty->encode($consent);
say $encoded;
Outputs:
{
"tc_string" : "COyiILmOyiILmADACHENAPCAAAAAAAAAAAAAE5QBgALgAqgD8AQACSwEygJyAAAAAA",
"consent_language" : "EN",
"purpose" : {
"consents" : [],
"legitimate_interests" : []
},
"cmp_id" : 3,
"purpose_one_treatment" : false,
"publisher" : {
"consents" : [
2,
4,
6,
8,
9,
10
],
"legitimate_interests" : [
2,
4,
5,
7,
10
],
"custom_purpose" : {
"consents" : [],
"legitimate_interests" : []
},
"restrictions" : {}
},
"special_features_opt_in" : [],
"last_updated" : "2020-04-27T20:27:54.200000000Z",
"use_non_standard_stacks" : false,
"policy_version" : 2,
"version" : 2,
"is_service_specific" : false,
"created" : "2020-04-27T20:27:54.200000000Z",
"consent_screen" : 7,
"vendor_list_version" : 15,
"cmp_version" : 2,
"publisher_country_code" : "AA",
"vendor" : {
"consents" : [
23,
42,
126,
127,
128,
587,
613,
626
],
"legitimate_interests" : []
}
}
If JSON is installed, the "TO_JSON" method will use JSON::true
and JSON::false
as boolean value.
By default it returns a compacted format where we omit the false
on fields like vendor_consents
and we convert the dates using ISO_8601. This behaviour can be changed by extra option in the Parse constructor.
FUNCTIONS
looksLikeIsConsentVersion2
Will check if a given tc string starts with a literal C
.
SEE ALSO
The original documentation of the TCF v2 from IAB documentation.
AUTHOR
Tiago Peczenyj mailto:tiago.peczenyj+gdpr-iab-tcfv2@gmail.com
THANKS
Special thanks to ikegami for the patience on several question about Perl on Stack Overflow.
BUGS
Please report any bugs or feature requests to https://github.com/peczenyj/GDPR-IAB-TCFv2/issues.
LICENSE AND COPYRIGHT
Copyright 2023 Tiago Peczenyj
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.
DISCLAIMER
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.