Multi-Regulation Configurations
This page explains how consent notices support multiple regulations that are displayed in different countries and regions, and how to work with those notice configurations.
Last updated
This page explains how consent notices support multiple regulations that are displayed in different countries and regions, and how to work with those notice configurations.
Last updated
A multi-regulation configuration is a Configuration (see Configurations) that enables a single notice to support multiple regulations depending on the country and region of origin for the visitor. For example, EU visitors will see a GDPR version of the notice while visitors from California (US) will see a CPRA version instead, assuming that the notice has been configured to support both regulations either in the console or via the API.
The introduction of a regulation_configurations property on the Configuration enables multi-regulation notices. One Configuration has many Regulation-Configurations.
The multi-regulation approach is not yet compatible with and Batch export features. For those features, the user consent will be considered as GDPR consent.
A Regulation-Configuration has a set of notice configuration properties of the Configuration that are nullable by default. This enables the configuration of specific properties that will override the parent Configuration settings.
The Regulation-Configuration entities are not managed directly but through the Configuration entity via the regulation_configurations property ().
Each Regulation-Configuration entity defines a list of countries and/or regions that the regulation applies to which are set through the geo_locations array field.
In the case of a targeting a country, these are comprised of the 2-letter ISO 3166-1 alpha-2 country codes (e.g., "FR" for France).
In the case of a region within a country, a multipart ISO and region code string separated by an underscore is used (e.g., "US_CA" for United States, California). The region substring contains a code (up to three characters) that represent the viewer's region. The region is the first-level subdivision (the broadest or least specific) of the ISO 3166-2 code.
The wildcard * serves as a "global" geo-location, indicating which configuration should be loaded when no specific configuration for a given region is configured.
Geo-location configuration constraints:
Default regulation configurations (those Regulation-Configuration entities where is_default_regulation_configuration is true) cannot have overlapping geo-locations. ie. Cannot assign US to CPRA if it is assigned to GDPR.
Non-default regulation configurations must be a subset of their regulation default configuration geo-locations. ie. Select a subset of geo-locations to override certain configurations.
A Configuration entity can have multiple Regulation-Configuration entities per regulation. Every regulation possesses a foundational configuration (identified by the is_default_regulation_config field), along with optional supplementary configurations that build upon by modifying particular properties for designated geographic areas.
A practical instance of this scenario involves the default GDPR notice setup. This setup has a base Regulation-Configuration aimed at the European Union, with additional Regulation-Configuration entities that carry specific setting overrides for Italy and France. Italian regulation necessitates the display of an X button to close the notice, while the French one mandates the presence of a Disagree and close button.
A multi-regulation Configuration can then be pictured as a tree, where the Configuration entity is the root. For example:
Configuration
Regulation-Configurations
GDPR base
GDPR France override
GDPR Italy override
CPRA base
Settings present on the Configuration entity serve as cross-regulation default configurations. Settings at the Regulation-Configuration are nullable and will only override Configuration settings if present.
For instance, consider the standard GDPR setup in combination with CPRA ; GDPR has 3 variants, a default configuration for all EU countries except for Italy and France, and separate configurations for Italy and France that each have their own country-specific notice settings.
Regulation-Configurations are managed through the Configuration.regulation_configurations array.
When updating the Configuration, existing objects within the regulation_configurations array that have an ID field will be modified, while those without an ID will be created. Existing but absent Regulation-Configurations will be unmodified and subsequently included in the response.
The following properties may be overridden by Regulation-Configurations:
Configurations stored in the config object are combined (merged) on a path basis. As the Configuration and Regulation-Configuration entities are merged to generate the final output configuration, the following paths are replaced (if present) over the parent configuration.
Let's consider an example focusing on the selected vendors for a notice within the array located at app.vendors.include.
We want a notice:
that is configured for GDPR , CPRA and LGDP
with base fallback vendors for the notice to be A and B.
with a GDPR exception, for Germany, so as to additionally include vendor C.
with CPRA configured to a different set of vendors: D and E.
To achieve the desired setup consider the following configuration:
To set the base fallback vendors for the notice, irrespective of the regulation, configure:
Configuration.config.app.vendors.include = [A, B]
To enable GDPR for the notice we would need a default GDPR Regulation-Configuration (included on every notice by default covering EU countries). There is no need to specify vendors on the default GDPR Regulation-Configuration as we would like them to fallback to [A, B] (set on the Configuration as a cross-regulation fallback configuration).
To configure the Germany exception, we would need an additional non default GDPR Regulation-Configuration with geo locations set as [DE] where Regulation-Configuration.config.app.vendors.include = [A, B, C].
To enable LGPD we would need a default LGDP Regulation-Configuration with geo locations set to [BR], no need to specify vendors as we would like the vendor configuration to fallback to [A, B], which were already set on the Configuration .
Finally, to configure CPRA, we would need a default CPRA Regulation-Configuration with geo locations set to [US_CA]. As we want a different set of vendors for CPRA we would need to set Regulation-Configuration.config.app.vendors.include = [D, E]
Summarising, the configuration would look like this:
When published, vendor configuration per geo location will be as follows:
Note: the list of supported regulations and their default geo_locations.