prebid · osulzhenko · Feb 28, 2025 · Feb 24, 2025 · Feb 27, 2025 · Feb 28, 2025
diff --git a/src/test/groovy/org/prebid/server/functional/model/config/GppModuleConfig.groovy b/src/test/groovy/org/prebid/server/functional/model/config/GppModuleConfig.groovy
@@ -23,6 +23,11 @@ class GppModuleConfig {
     List<GppSectionId> skipSidsSnakeCase
     @JsonProperty("skip-sids")
     List<GppSectionId> skipSidsKebabCase
+    Boolean allowPersonalDataConsent2
+    @JsonProperty("allow_personal_data_consent_2")
+    Boolean allowPersonalDataConsent2SnakeCase
+    @JsonProperty("allow-personal-data-consent-2")
+    Boolean allowPersonalDataConsent2KebabCase
 
     static GppModuleConfig getDefaultModuleConfig(ActivityConfig activityConfig = ActivityConfig.configWithDefaultRestrictRules,
                                                   List<GppSectionId> sids = [GppSectionId.US_NAT_V1],
@@ -35,8 +40,8 @@ class GppModuleConfig {
     }
 
     static GppModuleConfig getDefaultModuleConfigSnakeCase(ActivityConfig activityConfig = ActivityConfig.configWithDefaultRestrictRules,
-                                                  List<GppSectionId> sids = [GppSectionId.US_NAT_V1],
-                                                  Boolean normalizeFlags = true) {
+                                                           List<GppSectionId> sids = [GppSectionId.US_NAT_V1],
+                                                           Boolean normalizeFlags = true) {
         new GppModuleConfig().tap {
             it.activityConfigSnakeCase = [activityConfig]
             it.sids = sids

diff --git a/src/test/groovy/org/prebid/server/functional/tests/privacy/GppFetchBidActivitiesSpec.groovy b/src/test/groovy/org/prebid/server/functional/tests/privacy/GppFetchBidActivitiesSpec.groovy
@@ -604,10 +604,7 @@ class GppFetchBidActivitiesSpec extends PrivacyBaseSpec {
         }
 
         and: "Activities set for fetchBid with rejecting privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
-
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
         def activities = AllowActivities.getDefaultAllowActivities(FETCH_BIDS, Activity.getDefaultActivity([rule]))
 
         and: "Account gpp configuration"
@@ -1312,9 +1309,7 @@ class GppFetchBidActivitiesSpec extends PrivacyBaseSpec {
         }
 
         and: "Activities set for fetchBid with allowing privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
 
         def activities = AllowActivities.getDefaultAllowActivities(FETCH_BIDS, Activity.getDefaultActivity([rule]))
 

diff --git a/src/test/groovy/org/prebid/server/functional/tests/privacy/GppSyncUserActivitiesSpec.groovy b/src/test/groovy/org/prebid/server/functional/tests/privacy/GppSyncUserActivitiesSpec.groovy
@@ -352,9 +352,7 @@ class GppSyncUserActivitiesSpec extends PrivacyBaseSpec {
         }
 
         and: "Activities set for cookie sync with allowing privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
 
         def activities = AllowActivities.getDefaultAllowActivities(SYNC_USER, Activity.getDefaultActivity([rule]))
 
@@ -1185,9 +1183,7 @@ class GppSyncUserActivitiesSpec extends PrivacyBaseSpec {
         def uidsCookie = UidsCookie.defaultUidsCookie
 
         and: "Activities set for cookie sync with allowing privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
 
         def activities = AllowActivities.getDefaultAllowActivities(SYNC_USER, Activity.getDefaultActivity([rule]))
 
@@ -2055,4 +2051,132 @@ class GppSyncUserActivitiesSpec extends PrivacyBaseSpec {
         cleanup: "Stop and remove pbs container"
         pbsServiceFactory.removeContainer(pbsConfig)
     }
+
+    def "PBS cookie sync should exclude bidders URLs when privacy regulation match and personal data consent is 2"() {
+        given: "Cookie sync request with link to account"
+        def accountId = PBSUtils.randomString
+        def cookieSyncRequest = CookieSyncRequest.defaultCookieSyncRequest.tap {
+            it.gppSid = US_NAT_V1.value
+            it.account = accountId
+            it.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for cookie sync with allowing privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
+        def activities = AllowActivities.getDefaultAllowActivities(SYNC_USER, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig().tap {
+            it.enabled = true
+            it.code = IAB_US_GENERAL
+        }
+
+        and: "Existed account with cookie sync and privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes cookie sync request"
+        def response = activityPbsService.sendCookieSyncRequest(cookieSyncRequest)
+
+        then: "Response should not contain any URLs for bidders"
+        assert !response.bidderStatus.userSync.url
+
+        where:
+        privacyAllowRegulations << [IAB_US_GENERAL, IAB_ALL, ALL]
+    }
+
+    def "PBS cookie sync should exclude bidders URLs when privacy regulation match and personal data consent is 2 and allowPersonalDataConsent2 is false"() {
+        given: "Cookie sync request with gpp privacy"
+        def accountId = PBSUtils.randomString
+        def cookieSyncRequest = CookieSyncRequest.defaultCookieSyncRequest.tap {
+            it.gppSid = US_NAT_V1.value
+            it.account = accountId
+            it.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for cookie sync with allowing privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulation])
+        def activities = AllowActivities.getDefaultAllowActivities(SYNC_USER, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig().tap {
+            enabled = true
+            code = IAB_US_GENERAL
+            config = gppModuleConfig
+        }
+
+        and: "Save account with cookie sync and privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes cookie sync request"
+        def response = activityPbsService.sendCookieSyncRequest(cookieSyncRequest)
+
+        then: "Response should not contain any URLs for bidders"
+        assert !response.bidderStatus.userSync.url
+
+        where:
+        privacyAllowRegulation | gppModuleConfig
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2: false)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2: false)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2: false)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2: null)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2: null)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2: null)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+    }
+
+    def "PBS cookie sync shouldn't exclude bidders URLs when privacy regulation match and personal data consent is 2 and allowPersonalDataConsent2 is true"() {
+        given: "Cookie sync request with gpp privacy"
+        def accountId = PBSUtils.randomString
+        def cookieSyncRequest = CookieSyncRequest.defaultCookieSyncRequest.tap {
+            it.gppSid = US_NAT_V1.value
+            it.account = accountId
+            it.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for cookie sync with allowing privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulation])
+        def activities = AllowActivities.getDefaultAllowActivities(SYNC_USER, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig().tap {
+            enabled = true
+            code = IAB_US_GENERAL
+            config = gppModuleConfig
+        }
+
+        and: "Save account with cookie sync and privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes cookie sync request"
+        def response = activityPbsService.sendCookieSyncRequest(cookieSyncRequest)
+
+        then: "Response should contain any URLs for bidders"
+        assert response.bidderStatus.userSync.url
+
+        where:
+        privacyAllowRegulation | gppModuleConfig
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2: true)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2: true)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2: true)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        IAB_US_GENERAL         | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+        IAB_ALL                | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+        ALL                    | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+    }
 }
diff --git a/...st/groovy/org/prebid/server/functional/tests/privacy/GppTransmitEidsActivitiesSpec.groovy b/...st/groovy/org/prebid/server/functional/tests/privacy/GppTransmitEidsActivitiesSpec.groovy
@@ -619,9 +619,7 @@ class GppTransmitEidsActivitiesSpec extends PrivacyBaseSpec {
         }
 
         and: "Activities set for transmitEIDS with rejecting privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
 
         def activities = AllowActivities.getDefaultAllowActivities(TRANSMIT_EIDS, Activity.getDefaultActivity([rule]))
 
@@ -1588,9 +1586,7 @@ class GppTransmitEidsActivitiesSpec extends PrivacyBaseSpec {
         }
 
         and: "Activities set for transmitEIDS with allowing privacy regulation"
-        def rule = new ActivityRule().tap {
-            it.privacyRegulation = [privacyAllowRegulations]
-        }
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
 
         def activities = AllowActivities.getDefaultAllowActivities(TRANSMIT_EIDS, Activity.getDefaultActivity([rule]))
 
@@ -2334,4 +2330,123 @@ class GppTransmitEidsActivitiesSpec extends PrivacyBaseSpec {
                     new EqualityValueRule(CHILD_CONSENTS_FROM_13_TO_16, NO_CONSENT)]       | new UsCtV1Consent.Builder()
                                                                                               .setKnownChildSensitiveDataConsents(PBSUtils.getRandomNumber(0, 2), 1, PBSUtils.getRandomNumber(0, 2))
     }
+
+    def "PBS should remove EIDS fields in request when privacy regulation match and personalDataConsents is 2"() {
+        given: "Default bid requests with EIDS fields and account id"
+        def accountId = PBSUtils.randomNumber as String
+        def bidRequest = getBidRequestWithPersonalData(accountId).tap {
+            regs.gppSid = [US_NAT_V1.intValue]
+            regs.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for transmitEIDS with rejecting privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
+        def activities = AllowActivities.getDefaultAllowActivities(TRANSMIT_EIDS, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig(code: IAB_US_GENERAL, enabled: true)
+
+        and: "Existed account with privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes auction requests"
+        activityPbsService.sendAuctionRequest(bidRequest)
+
+        then: "Bidder request shouldn't contain EIDS fields"
+        def bidderRequest = bidder.getBidderRequest(bidRequest.id)
+        assert !bidderRequest.user.eids
+        assert !bidderRequest.user?.ext?.eids
+
+        where:
+        privacyAllowRegulations << [IAB_US_GENERAL, IAB_ALL, ALL]
+    }
+
+    def "PBS should remove EIDS fields in request when privacy regulation match and personalDataConsents is 2 and allowPersonalDataConsent2 is false"() {
+        given: "Default bid requests with EIDS fields and account id"
+        def accountId = PBSUtils.randomNumber as String
+        def bidRequest = getBidRequestWithPersonalData(accountId).tap {
+            regs.gppSid = [US_NAT_V1.intValue]
+            regs.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for transmitEIDS with rejecting privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
+        def activities = AllowActivities.getDefaultAllowActivities(TRANSMIT_EIDS, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig(enabled: true, code: IAB_US_GENERAL, config: gppModuleConfig)
+
+        and: "Existed account with privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes auction requests"
+        activityPbsService.sendAuctionRequest(bidRequest)
+
+        then: "Bidder request shouldn't contain EIDS fields"
+        def bidderRequest = bidder.getBidderRequest(bidRequest.id)
+        assert !bidderRequest.user.eids
+        assert !bidderRequest.user?.ext?.eids
+
+        where:
+        privacyAllowRegulations | gppModuleConfig
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2: false)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2: false)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2: false)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2KebabCase: false)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: false)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2: null)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2: null)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2: null)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2KebabCase: null)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: null)
+    }
+
+    def "PBS shouldn't remove EIDS fields in request when privacy regulation match and personalDataConsents is 2 and allowPersonalDataConsent2 is true"() {
+        given: "Default bid requests with EIDS fields and account id"
+        def accountId = PBSUtils.randomNumber as String
+        def bidRequest = getBidRequestWithPersonalData(accountId).tap {
+            regs.gppSid = [US_NAT_V1.intValue]
+            regs.gpp = new UsNatV1Consent.Builder().setPersonalDataConsents(2).build()
+        }
+
+        and: "Activities set for transmitEIDS with rejecting privacy regulation"
+        def rule = new ActivityRule(privacyRegulation: [privacyAllowRegulations])
+        def activities = AllowActivities.getDefaultAllowActivities(TRANSMIT_EIDS, Activity.getDefaultActivity([rule]))
+
+        and: "Account gpp configuration"
+        def accountGppConfig = new AccountGppConfig(enabled: true, code: IAB_US_GENERAL, config: gppModuleConfig)
+
+        and: "Existed account with privacy regulation setup"
+        def account = getAccountWithAllowActivitiesAndPrivacyModule(accountId, activities, [accountGppConfig])
+        accountDao.save(account)
+
+        when: "PBS processes auction request"
+        activityPbsService.sendAuctionRequest(bidRequest)
+
+        then: "Bidder request should contain EIDS fields"
+        def bidderRequest = bidder.getBidderRequest(bidRequest.id)
+        assert bidderRequest.user.eids
+
+        where:
+        privacyAllowRegulations | gppModuleConfig
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2: true)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2: true)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2: true)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2KebabCase: true)
+        IAB_US_GENERAL          | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+        IAB_ALL                 | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+        ALL                     | new GppModuleConfig(allowPersonalDataConsent2SnakeCase: true)
+    }
 }