Skip to content

As a publisher, I want edge cookies creation gated on consent so non-consenting users are not tracked #464

Description

@ChristianPavilonis

User story

As a publisher, I want the system to check TCF (EU/UK) and GPP (US) consent flags before creating a Synthetic Session Cookie, so that my site complies with GDPR opt-in and US state privacy opt-out requirements.

Acceptance criteria

  • EU/UK user without opt-in consent → EC is not created
  • US user who has opted out → EC is not created
  • No cookie present and no consent given → do nothing (no EC, no cookie set)
  • Consent decision is based on decoded TCF/GPP strings

Affected area

Core (synthetic IDs, cookies, GDPR), Fastly runtime

Proposed approach

Before the SSC creation path, add a consent check that:

  1. Reads the decoded consent result (from TCF/GPP decoding).
  2. Determines jurisdiction (EU/UK vs US) from the consent signal type.
  3. For EU/UK (TCF): requires explicit opt-in — block SSC if consent is not granted.
  4. For US (GPP): checks opt-out — block SSC if user has opted out.
  5. If no consent string is present, treat as no-consent and do not create SSC.

Additional context

Sub-issue of #54. Related to #312, PR #380.

Metadata

Metadata

Labels

No labels
No labels

Type

Fields

No fields configured for Story.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions