Skip to main content

ATS and Privacy Regulations

Note

Migration to TCFv2: As of August 15, LiveRamp expects publishers to pass a TCFv2 string in the European Economic Area (EEA).

ATS.js uses AWS Services to assess the user's geographic location based on their IP address. Based on the user's location, we may require a standardized consent signal.

In this article, you will learn how ATS works in conjucntions with privacy regulations, and what you need to do on your end to make sure envelopes can be successfully retrieved.

For Users in the UK/EU (GDPR)

The General Data Protection Regulation (GDPR) is a "regulation in EU law on data protection and privacy in the European Union and the European Economic Area". If a user is located in an EU (or EEA, in some cases) country, consent is required.

In the European Union, ATS expects a TCF v2 compatible consent string to be present before the ATS JavaScript library can be loaded. Consent signals will automatically be detected by ATS.js via direct communication with the IABs TCF API which should be present on the publisher’s domain.

Within the consent signal, you must list LiveRamp as a vendor (97) and approved for TCF purposes 1 to 10 in order to successfully obtain a RampID envelope. This applies for both API and ATS.js implementation.

When consent is rejected, ATS.js will automatically remove the RampID envelope from configured storage in the browser.

For Users in the U.S. (CCPA)

The California Consumer Privacy Act (CCPA) is "a state statute intended to enhance privacy rights and consumer protection for residents of California, United States".

If the user is in the U.S., ATS.js will automatically check the CCPA Privacy String via direct communication with the IABs USP API.

When consent is rejected, ATS.js will automatically remove the RampID envelope from configured storage in the browser.

Note

Privacy String Policy

At this point, ATS will take an approach of "soft" enforcement to the CCPA Privacy String -- where it is present for users in the U.S., the settings will be parsed and respected. However, the Privacy String is not required for users in California or the U.S. at this point in time.

As adoption increases and clarity emerges on the federal level, we expect to require a consent signal as we do in the European Union.

For Users Outside of UK/EU and U.S.

If a user is located in a country that is outside of the UK/EU and is not the U.S., ATS will successfully return an envelope without the need for a consent signal.

For All Regions

ATS will check for DNT (Do Not Track) and GPC (Global Privacy Control) signal for all users, on all browsers. If a user enables DNT or GPC, ATS.js will automatically remove the RampID envelope from the configured storage in the browser. This behaviour also applies to ATS API.

If a user enables DNT/GPC and has a positive GDPR/CCPA consent string (and vice versa), this counts as no consent. Existing envelope will be removed and no new envelope will be created.