ATS and Privacy Regulations
Note
Migration to TCFv2: As of August 15, LiveRamp expects publishers to pass a TCFv2 string in the European Economic Area (EEA).
ATS.js uses AWS Services to assess the user's geographic location based on their IP address. Based on the user's location, we may require a standardized consent signal.
The illustration below defines how ATS for Web (ATS.js) and ATS Mobile SDK handle consent checks. This should give you an idea of when an envelope can be retrieved for the given user based on their location and privacy selection.
The initial consent check applies globally to check for the following:
Existing local opt-out state for publishers running Publisher-Specific Opt-Out (currently in closed beta)
In this article, you will learn how ATS works in conjunction with privacy regulations, and what you need to do on your end to make sure envelopes can be successfully retrieved.
For Users in the UK/EU (GDPR)
The General Data Protection Regulation (GDPR) is a "regulation in EU law on data protection and privacy in the European Union and the European Economic Area". If a user is located in an EU (or EEA, in some cases) country, consent is required.
In the European Union, ATS expects a TCF v2.2 compatible consent string to be present before the ATS JavaScript library can be loaded. Consent signals will automatically be detected by ATS.js via direct communication with the IABs TCF API which should be present on the publisher’s domain.
Within the consent signal, you must list LiveRamp as a vendor (97) and approved for TCF purposes 1 to 10 , special purposes 1 and 2, and features 1 and 2 to successfully obtain a RampID envelope. This applies for both API and ATS.js implementation. You can check whether a TCF consent string has these requirements by decoding them using IAB's TC string decoder.
When consent is rejected, ATS.js will automatically remove the RampID envelope from configured storage in the browser.
Caution
For ATS to successfully communicate with your Consent Management Platform (CMP), make sure that the CMP loads before ATS. If the CMP does not have enough time to load, ATS will consider it as no consent. This will cause ATS to remove all envelopes from the storage due to failure to obtain consent strings for countries that require them.
For Users in the U.S. (GPP and CCPA)
During the initial rollout of the Global Privacy Platform (GPP), customers can still use the California Consumer Privacy Act (CCPA) strings if they haven’t implemented GPP. When a user is located in the U.S., ATS.js will first check if a GPP National String is present before checking for CCPA Privacy String as a fallback.
Global Privacy Platform (GPP)
The US-National and State-Level Global Privacy Platform (GPP), is "a state statute intended to enhance privacy rights and consumer protection for residents of the United States as of July 1st, 2023".
If the user is in the U.S., ATS.js will automatically check the US String via direct communication with the IABs GPP API. When consent is rejected, ATS.js will automatically remove the RampID envelope from configured storage in the browser.
LiveRamp expects the following values in the decoded consent string for a RampID envelope to be generated:
SharingNotice, SaleOptOutNotice, SharingOptOutNotice, TargetedAdvertisingOptOutNotice:
1
SensitiveDataProcessingOptOutNotice, SensitiveDataLimitUseNotice:
0
or1
SensitiveDataProcessing, KnownChildSensitiveDataConsents:
0
SaleOptOut, SharingOptOut, TargetedAdvertisingOptOut:
2
PersonalDataConsents:
0
or2
You can check whether a GPP string contains the required values using IAB's GPP string decoder.
Currently, ATS.js supports the following GPP consent string types:
US-National
California
Virginia
Colorado
Utah
Connecticut
Note
GPP strings will not be a requirement during this initial rollout of the functionality for partners, however, we strongly suggest that partners implement this protocol as quickly as possible as it will become the new industry standard for conveying opt-in consent through the ad tech ecosystem in the US.
Caution
If you are working with your own consent management platform, make sure to always use the latest version of the Global Privacy Platform (GPP) API. See IAB's specification to learn more about the latest version.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is "a state statute intended to enhance privacy rights and consumer protection for residents of California, United States".
If the user is in the U.S., ATS.js will automatically check the CCPA Privacy String via direct communication with the IAB's USP API. When consent is rejected, ATS.js will automatically remove the RampID envelope from the configured storage in the browser.
Note
At this point, ATS will take an approach of "soft" enforcement to the CCPA Privacy String -- where it is present for users in the U.S., the settings will be parsed and respected. However, the Privacy String is not required for users in California or the U.S. at this point in time.
As adoption increases and clarity emerges on the federal level, we expect to require a consent signal as we do in the European Union.
For Users Outside of UK/EU and U.S.
If a user is located in a country that is outside of the UK/EU and is not the U.S., ATS will successfully return an envelope without the need for a consent signal.
For All Regions
ATS will check for DNT (Do Not Track) and GPC (Global Privacy Control) signal for all users, on all browsers. If a user enables DNT or GPC, ATS.js will automatically remove the RampID envelope from the configured storage in the browser. This behaviour also applies to ATS API.
If a user enables DNT/GPC and has a positive GDPR/CCPA consent string (and vice versa), this counts as no consent. Existing envelope will be removed and no new envelope will be created.