Multi-Regulation Configurations
This page explains how consent notices support multiple regulations that are displayed in different countries and regions, and how to work with those notice configurations.
A multi-regulation configuration is a
Configuration
(see Configurations) that enables a single notice to support multiple regulations depending on the country and region of origin for the visitor. For example, EU visitors will see a GDPR version of the notice while visitors from California (US) will see a CPRA version instead, assuming that the notice has been configured to support both regulations either in the console or via the API.The introduction of a
regulation_configurations
property on the Configuration
enables multi-regulation notices. One Configuration
has many Regulation-Configurations
.Migrations to the new console and the new multi-regulation support started in April 2023 and is in the process of being rolled out to all organizations throughout Spring 2023, and should be completed by the Summer.
Access to multi-regulation configurations will be granted by default to new organizations, whilst existing ones should request access to customer support (see here for migration details).
A
Regulation-Configuration
has a set of notice configuration properties of the Configuration
that are nullable by default. This enables the configuration of specific properties that will override the parent Configuration
settings. The
Regulation-Configuration
entities are not managed directly but through the Configuration
entity via the regulation_configurations
property (see here).Each
Regulation-Configuration
entity defines a list of countries and/or regions that the regulation applies to which are set through the geo_locations
array field. In the case of a targeting a country, these are comprised of the 2-letter ISO 3166-1 alpha-2
country codes
(e.g., "FR" for France). In the case of a region within a country, a multipart ISO and region code string separated by an underscore is used (e.g., "US_CA" for United States, California). The region substring contains a code (up to three characters) that represent the viewer's region. The region is the first-level subdivision (the broadest or least specific) of the ISO 3166-2 code.
The wildcard
*
serves as a "global" geo-location, indicating which configuration should be loaded when no specific configuration for a given region is configured.Geo-location configuration constraints:
- Default regulation configurations (those
Regulation-Configuration
entities whereis_default_regulation_configuration
is true) cannot have overlapping geo-locations. ie. Cannot assignUS
toCPRA
if it is assigned toGDPR
. - Non-default regulation configurations must be a subset of their regulation default configuration geo-locations. ie. Select a subset of geo-locations to override certain configurations.
A
Configuration
entity can have multiple Regulation-Configuration
entities per regulation. Every regulation possesses a foundational configuration (identified by the is_default_regulation_config
field), along with optional supplementary configurations that build upon by modifying particular properties for designated geographic areas.A practical instance of this scenario involves the default GDPR notice setup. This setup has a base
Regulation-Configuration
aimed at the European Union, with additional Regulation-Configuration
entities that carry specific setting overrides for Italy and France. Italian regulation necessitates the display of an X
button to close the notice, while the French one mandates the presence of a Disagree and close
button.A multi-regulation
Configuration
can then be pictured as a tree, where the Configuration entity is the root. For example:Configuration
Regulation-Configurations
GDPR
baseGDPR
France overrideGDPR
Italy override
CPRA
base
Settings present on the
Configuration
entity serve as cross-regulation
default configurations. Settings at the Regulation-Configuration
are nullable and will only override Configuration
settings if present. For instance, consider the standard
GDPR
setup in combination with CPRA
; GDPR has 3 variants, a default configuration for all EU countries except for Italy and France, and separate configurations for Italy and France that each have their own country-specific notice settings.{
"id": "jAbmaPzN",
"config": {
"app": {
"vendors": {
"include": ["vendor A"]
},
... other config fields
}
},
... other fields
"negative_action_link_format": "cross",
"negative_action_link": false,
"negative_action_button": false,
"regulation_configurations": [
{
"id": "W37f3Bmd",
"notice_config_id": "jAbmaPzN",
"regulation_id": "gdpr",
"is_default_regulation_config": true,
"geo_locations": ["ES", "FR", "DE", "IT", ...EU],
"config": {
"app": {
"vendors": {
"include": ["vendor A", "vendor B"]
},
... other config fields
}
},
... other fields
"negative_action_link_format": null,
"negative_action_link": null,
"negative_action_button": null
},
{
"id": "Vaz4eBgf",
"notice_config_id": "jAbmaPzN",
"regulation_id": "gdpr",
"is_default_regulation_config": false,
"geo_locations": ["IT"],
... other fields
"negative_action_link_format": "cross",
"negative_action_link": true,
"negative_action_button": false
},
{
"id": "hrQLN24J",
"notice_config_id": "jAbmaPzN",
"regulation_id": "gdpr",
"is_default_regulation_config": false,
"geo_locations": ["FR"],
... other fields
"negative_action_link_format": "text",
"negative_action_link": false,
"negative_action_button": true
},
{
"id": "CbxWneYt",
"notice_config_id": "jAbmaPzN",
"regulation_id": "cpra",
"is_default_regulation_config": true,
"geo_locations": ["US_CA"],
... other fields
"config": {
"app": {
"vendors": {
"include": ["vendor C", "vendor D"]
},
... other config fields
}
},
"negative_action_link_format": null,
"negative_action_link": null,
"negative_action_button": null
}
]
}
Regulation-Configurations
are managed through the Configuration.regulation_configurations
array. When updating the
Configuration
, existing objects within the regulation_configurations
array that have an ID field will be modified, while those without an ID will be created. Existing but absent Regulation-Configurations
will be unmodified and subsequently included in the response.The following properties may be overridden by
Regulation-Configurations
:interface RegulationOverridableFields {
enable_ignore_consent_before: boolean | null;
ignore_consent_before: string | null;
negative_action_link: boolean | null;
negative_action_link_format: 'text' | 'cross' | null;
negative_action_button: boolean | null;
disagree_button_style: 'primary' | 'secondary' | null;
notice_deny_applies_to_li: boolean | null;
preferences_deny_applies_to_li: boolean | null;
consent_duration: number | null;
consent_duration_unit: 'seconds' | 'day' | 'months' | null;
denied_consent_duration: number | null;
denied_consent_duration_unit: 'seconds' | 'day' | 'months' | null;
denied_consent_duration_custom: boolean | null;
cross_device_enabled: boolean | null;
cross_device_timeout: number | null;
gcm_enabled: boolean | null;
gcm_set_default_status: boolean | null;
gcm_analytics_default_status: boolean | null;
gcm_ads_default_status: boolean | null;
gcm_functionality_default_status: boolean | null;
gcm_personalization_default_status: boolean | null;
gcm_security_default_status: boolean | null;
gcm_data_layer_name: string | null;
full_atp: boolean | null;
}
Configurations stored in the
config
object are combined (merged) on a path basis. As the Configuration
and Regulation-Configuration
entities are merged to generate the final output configuration, the following paths are replaced (if present) over the parent configuration. app.essentialPurposes
app.vendors.include
app.vendors.iab
theme.fullscreen
theme.notice.titleTextSize
theme.notice.titleAlignment
theme.notice.titleTextColor
theme.notice.descriptionTextSize
theme.notice.descriptionAlignment
theme.notice.descriptionTextColor
notice.daysBeforeShowingAgain
notice.enableBulkActionOnPurposes
notice.position
notice.content.title
notice.content.notice
notice.content.manageSpiChoices
notice.content.popup
notice.content.notice
notice.content.dismiss
notice.content.deny
notice.content.learnMore
preferences.categories
preferences.description
preferences.sectionTitle
preferences.enableAllButtons
preferences.content.title
preferences.content.text
preferences.content.agree
preferences.content.disagree
preferences.content.viewAllPartners
preferences.content.agreeToAll
preferences.content.disagreeToAll
preferences.content.save
preferences.content.subText
preferences.content.textVendors
preferences.content.authorizeVendors
preferences.content.blockVendors
preferences.content.subTextVendors
Let's consider an example focusing on the selected vendors for a notice within the array located at
app.vendors.include
.We want a notice:
- that is configured for
GDPR
,CPRA
andLGDP
- with base fallback vendors for the notice to be
A
andB
. - with a GDPR exception, for Germany, so as to additionally include vendor
C
. - with CPRA configured to a different set of vendors:
D
andE
.
To achieve the desired setup consider the following configuration:
To set the base fallback vendors for the notice, irrespective of the regulation, configure:
Configuration.config.app.vendors.include = [A, B]
To enable GDPR for the notice we would need a
default GDPR Regulation-Configuration
(included on every notice by default covering EU countries). There is no need to specify vendors on the default GDPR Regulation-Configuration
as we would like them to fallback to [A, B]
(set on the Configuration
as a cross-regulation fallback configuration).To configure the Germany exception, we would need an additional
non default GDPR Regulation-Configuration
with geo locations set as [DE]
where Regulation-Configuration.config.app.vendors.include = [A, B, C]
.To enable LGPD we would need a
default LGDP Regulation-Configuration
with geo locations set to [BR]
, no need to specify vendors as we would like the vendor configuration to fallback to [A, B]
, which were already set on the Configuration
.Finally, to configure CPRA, we would need a
default CPRA Regulation-Configuration
with geo locations set to [US_CA]
. As we want a different set of vendors for CPRA we would need to set Regulation-Configuration.config.app.vendors.include = [D, E]
Summarising, the configuration would look like this:
Configuration:
config.app.vendors.include = [A, B]
GDPR Regulation Configuration:
is_default_regulation_config: true
geo_locations = [DE, ES, FR, IT, ...]
GDPR Regulation Configuration:
is_default_regulation_config: false
geo_locations = [DE]
config.app.vendors.include = [A, B, C]
LGDP Regulation Configuration:
is_default_regulation_config = true
geo_locations = [BR]
CPRA Regulation Configuration:
is_default_regulation_config = true
geo_locations = [US_CA]
config.app.vendors.include = [D, E]
When published, vendor configuration per geo location will be as follows:
DE: A, B, C
ES: A, B
IT: A, B
FR: A, B
...all other EU countries: A, B
BR: A, B
US_CA: D, E
Note: LGDP did not specify vendors resulting in its vendors having to fallback to configuration present in the
Configuration
Last modified 1mo ago