Multi-Regulation Configurations
This page explains how consent notices support multiple regulations that are displayed in different countries and regions, and how to work with those notice configurations.
Last updated
This page explains how consent notices support multiple regulations that are displayed in different countries and regions, and how to work with those notice configurations.
Last updated
A multi-regulation configuration is a Configuration
(see Configurations) that enables a single notice to support multiple regulations depending on the country and region of origin for the visitor. For example, EU visitors will see a GDPR version of the notice while visitors from California (US) will see a CPRA version instead, assuming that the notice has been configured to support both regulations either in the console or via the API.
The introduction of a regulation_configurations
property on the Configuration
enables multi-regulation notices. One Configuration
has many Regulation-Configurations
.
The multi-regulation approach is not yet compatible with and Batch export features. For those features, the user consent will be considered as GDPR consent.
A Regulation-Configuration
has a set of notice configuration properties of the Configuration
that are nullable by default. This enables the configuration of specific properties that will override the parent Configuration
settings.
The Regulation-Configuration
entities are not managed directly but through the Configuration
entity via the regulation_configurations
property ().
Each Regulation-Configuration
entity defines a list of countries and/or regions that the regulation applies to which are set through the geo_locations
array field.
In the case of a targeting a country, these are comprised of the 2-letter ISO 3166-1 alpha-2 country codes
(e.g., "FR" for France).
In the case of a region within a country, a multipart ISO and region code string separated by an underscore is used (e.g., "US_CA" for United States, California). The region substring contains a code (up to three characters) that represent the viewer's region. The region is the first-level subdivision (the broadest or least specific) of the ISO 3166-2 code.
The wildcard *
serves as a "global" geo-location, indicating which configuration should be loaded when no specific configuration for a given region is configured.
Geo-location configuration constraints:
Default regulation configurations (those Regulation-Configuration
entities where is_default_regulation_configuration
is true) cannot have overlapping geo-locations. ie. Cannot assign US
to CPRA
if it is assigned to GDPR
.
Non-default regulation configurations must be a subset of their regulation default configuration geo-locations. ie. Select a subset of geo-locations to override certain configurations.
A Configuration
entity can have multiple Regulation-Configuration
entities per regulation. Every regulation possesses a foundational configuration (identified by the is_default_regulation_config
field), along with optional supplementary configurations that build upon by modifying particular properties for designated geographic areas.
A practical instance of this scenario involves the default GDPR notice setup. This setup has a base Regulation-Configuration
aimed at the European Union, with additional Regulation-Configuration
entities that carry specific setting overrides for Italy and France. Italian regulation necessitates the display of an X
button to close the notice, while the French one mandates the presence of a Disagree and close
button.
A multi-regulation Configuration
can then be pictured as a tree, where the Configuration entity is the root. For example:
Configuration
Regulation-Configurations
GDPR
base
GDPR
France override
GDPR
Italy override
CPRA
base
Settings present on the Configuration
entity serve as cross-regulation
default configurations. Settings at the Regulation-Configuration
are nullable and will only override Configuration
settings if present.
For instance, consider the standard GDPR
setup in combination with CPRA
; GDPR has 3 variants, a default configuration for all EU countries except for Italy and France, and separate configurations for Italy and France that each have their own country-specific notice settings.
Regulation-Configurations
are managed through the Configuration.regulation_configurations
array.
When updating the Configuration
, existing objects within the regulation_configurations
array that have an ID field will be modified, while those without an ID will be created. Existing but absent Regulation-Configurations
will be unmodified and subsequently included in the response.
The following properties may be overridden by Regulation-Configurations
:
Configurations stored in the config
object are combined (merged) on a path basis. As the Configuration
and Regulation-Configuration
entities are merged to generate the final output configuration, the following paths are replaced (if present) over the parent configuration.
Let's consider an example focusing on the selected vendors for a notice within the array located at app.vendors.include
.
We want a notice:
that is configured for GDPR
, CPRA
and LGDP
with base fallback vendors for the notice to be A
and B
.
with a GDPR exception, for Germany, so as to additionally include vendor C
.
with CPRA configured to a different set of vendors: D
and E
.
To achieve the desired setup consider the following configuration:
To set the base fallback vendors for the notice, irrespective of the regulation, configure:
Configuration.config.app.vendors.include = [A, B]
To enable GDPR for the notice we would need a default GDPR Regulation-Configuration
(included on every notice by default covering EU countries). There is no need to specify vendors on the default GDPR Regulation-Configuration
as we would like them to fallback to [A, B]
(set on the Configuration
as a cross-regulation fallback configuration).
To configure the Germany exception, we would need an additional non default GDPR Regulation-Configuration
with geo locations set as [DE]
where Regulation-Configuration.config.app.vendors.include = [A, B, C]
.
To enable LGPD we would need a default LGDP Regulation-Configuration
with geo locations set to [BR]
, no need to specify vendors as we would like the vendor configuration to fallback to [A, B]
, which were already set on the Configuration
.
Finally, to configure CPRA, we would need a default CPRA Regulation-Configuration
with geo locations set to [US_CA]
. As we want a different set of vendors for CPRA we would need to set Regulation-Configuration.config.app.vendors.include = [D, E]
Summarising, the configuration would look like this:
When published, vendor configuration per geo location will be as follows:
Note: the list of supported regulations and their default geo_locations.