Prebid Server support for DSA fields #3367

Closed
bretg opened this issue Dec 19, 2023 · 11 comments
@bretg
Contributor

bretg commented Dec 19, 2023

The EU has an upcoming legal regulation - the Digital Services Act (DSA). See https://iabtechlab.com/blog/iab-tech-lab-releases-for-public-comment-specification-for-dsa-transparency/ . The EU rule takes effect in February, though the IAB's specification for DSA is still in the public comment period.

The new objects are added as extensions to the ORTB request and response as defined in https://github.com/InteractiveAdvertisingBureau/openrtb/blob/main/extensions/community_extensions/dsa_transparency.md .

Request: $.regs.ext.dsa
Response: $.seatbid.bid.ext.dsa

At least initially, Prebid Server just needs to be able to support DSA parameters in stored requests and pass DSA parameters on the request and response:

  1. Support regs.ext.dsa in top-level stored requests (for mobile apps, AMP, etc.)
  2. Pass the DSA request field through to all bidders. This is probably already done by nature of it being an ext field. No defaults or validation on the request side.
  3. Core bid response validation: check request regs.ext.dsa.dsarequired and if it's 2 or 3, reject bid responses that do not have seatbid[].bid[].ext.dsa objects. If regs.ext.dsa.dsarequired doesn't exist in the request, then no response validation is done.
    1. Reject with seat non-bid code 300 and a message in ext.prebid.warnings when in debug mode.
  4. If not rejected, pass bidder DSA response fields back to the client. We should confirm that bid adapters can just add whatever $.seatbid.bid.ext fields they wish and make sure this is documented.
@bretg
Contributor Author

bretg commented Dec 20, 2023

Discussed in committee.

PBS should be able to read regs.ext.dsa.required and if it's 2 or 3, reject bid responses without seatbid.bid.ext.dsa objects. No other validation would be done.

2 = Required, bid responses without DSA object will not be accepted
3 = Required, bid responses without DSA object will not be accepted, Publisher is an Online Platform

Need to determine what the seat-non-bid code will be for this rejection scenario. We'll start with code 300 until there's something better.

@bretg
Contributor Author

bretg commented Jan 16, 2024

The IAB has merged the DSA standard -- https://github.com/InteractiveAdvertisingBureau/openrtb/blob/main/extensions/community_extensions/dsa_transparency.md

Updated the description with the validation.

Question: should we make this validation configurable?

@markd-fs

> Question: should we make this validation configurable?

I think we had discussed that the regs.ext.dsa.required field in the request would essentially be the configuration on whether or not to reject responses. Unless there is a use case for passing the bids through and letting a downstream system (like js?) make that call?

@bretg
Contributor Author

bretg commented Jan 16, 2024

> Unless there is a use case for passing the bids through and letting a downstream system (like js?) make that call?

Given how new this whole thing is, I wondered if someone might (A) get the required field wrong and (B) object to PBS filtering bids.

Would prefer to keep this simple, a configurable flag can be added later.

@bsardo
Collaborator

bsardo commented Jan 29, 2024

> PBS should be able to read regs.ext.dsa.required and if it's 2 or 3, reject bid responses without seatbid.bid.ext.dsa objects. No other validation would be done.
>
> 2 = Required, bid responses without DSA object will not be accepted
> 3 = Required, bid responses without DSA object will not be accepted, Publisher is an Online Platform

@bretg if the request indicates that dsa is required, are we rejecting the bid response if at least one bid is missing a dsa object?

For example, is this bid response rejected because the second bid, bid3, by seat2 does not contain a dsa object?

{
    "id": "1234567890",
    "bidid": "abc1123",
    "seatbid": [{
        "seat": "seat1",
        "bid": [{
            "id": "bid1",
            "price": 1.0,
            "ext": {
                "dsa": {
                    "behalf": "Advertiser1",
                    "paid": "Advertiser1",
                    "transparency": {
                        "domain": "dsp1domain.com",
                        "params": [1]
                    },
                    "adrender": 1
                }
            }
        }]
    }, {
        "seat": "seat2",
        "bid": [{
            "id": "bid2",
            "price": 2.0,
            "ext": {
                "dsa": {
                    "behalf": "Advertiser2",
                    "paid": "Advertiser2",
                    "transparency": {
                        "domain": "dsp2domain.com",
                        "params": [2]
                    },
                    "adrender": 1
                }
            }
        },{
            "id": "bid3",
            "price": 3.0
        }]
    }]
}

@bretg
Contributor Author

bretg commented Jan 29, 2024

Just remove the individual bids that don't provide the required DSA field - no need to sink the boat because of one bad passenger.

@bretg
Contributor Author

bretg commented Feb 5, 2024

The IAB has seen fit to make an 11th hour change to the field name that I disagree with, but we have to adjust our code. I've updated the requirements to reflect the change.

Core bid response validation: check request regs.ext.dsa.dsarequired and if it's 2 or 3, reject bid responses that do not have seatbid[].bid[].ext.dsa objects. If regs.ext.dsa.dsarequired doesn't exist in the request, then no response validation is done.

@bsardo
Collaborator

bsardo commented Feb 12, 2024

There are some cases (invalid creative size or adm) where we invalidate a bid removing it from the bid response and also return an error. I just wanted to check that, in this case, we want to silently remove the bid instead of attaching an error/warning to the response.

@bretg
Contributor Author

bretg commented Feb 12, 2024

Added "Reject with seat non-bid code 300 and a message in ext.prebid.warnings when in debug mode."

@bretg
Contributor Author

bretg commented Feb 16, 2024

Done in PBS-Java 2.10

bretg added the PBS-Go label Feb 16, 2024
@bsardo
Collaborator

bsardo commented Feb 23, 2024

Done in PBS-Go v2.8.0
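
The rule this thread settled on, as an added Go sketch (not PBS-Go's implementation and not code from this issue): when regs.ext.dsa.dsarequired is 2 or 3, each bid without an ext.dsa object is removed individually and recorded with seat non-bid code 300, with a warning only in debug mode. The type names, `FilterDSA` and the warning text are hypothetical, and the request is assumed to have been parsed and validated upstream.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical minimal types (not PBS-Go's own): only the fields this check reads.
type Bid struct {
	ID  string `json:"id"`
	Ext struct{ DSA json.RawMessage `json:"dsa"` } `json:"ext"`
}
type SeatBid struct {
	Seat string `json:"seat"`
	Bid  []Bid  `json:"bid"`
}
type NonBid struct{ Seat, BidID string; Code int }

// FilterDSA drops bids lacking ext.dsa when regs.ext.dsa.dsarequired is 2 or 3.
func FilterDSA(request []byte, seats []SeatBid, debug bool) (kept []SeatBid, rejected []NonBid, warnings []string) {
	var req struct {
		Regs struct {
			Ext struct{ DSA struct{ Required int `json:"dsarequired"` } `json:"dsa"` } `json:"ext"`
		} `json:"regs"`
	}
	_ = json.Unmarshal(request, &req) // assumption: request already validated upstream
	r := req.Regs.Ext.DSA.Required    // 0 when the field is absent: no response validation
	for _, sb := range seats {
		out := SeatBid{Seat: sb.Seat}
		for _, b := range sb.Bid {
			if d := b.Ext.DSA; (r != 2 && r != 3) || (len(d) > 0 && d[0] == '{') { // object, not null
				out.Bid = append(out.Bid, b)
				continue
			}
			rejected = append(rejected, NonBid{sb.Seat, b.ID, 300}) // code 300 per this thread
			if debug {
				warnings = append(warnings, fmt.Sprintf("bid %s (seat %s) rejected: no ext.dsa", b.ID, sb.Seat))
			}
		}
		if len(out.Bid) > 0 {
			kept = append(kept, out)
		}
	}
	return kept, rejected, warnings
}

func main() {
	seats := []SeatBid{{Seat: "seat2", Bid: []Bid{{ID: "bid3"}}}} // constructed sample: no ext.dsa
	fmt.Println(FilterDSA([]byte(`{"regs":{"ext":{"dsa":{"dsarequired":2}}}}`), seats, true))
}
```

Applied to the sample response in bsardo's Jan 29 comment, this keeps bid1 and bid2 and rejects only bid3.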

Status: Done