2. Who will be included on the List and what are their obligations?
The List will include all vendors that agree to the following:
- Compliance with Framework policies and technical specifications, such as
- Updating their code so that cookies are not set unless they have received a consent signal from a CMP JS API or in the bid request, or unless they have an applicable legal basis to set a cookie.
- Not processing personal data for a purpose that relies on consent until they have received a consent signal directly from a CMP or in any given online request for that purpose. For example, if a vendor receives a bid request and the bid request reveals that the vendor does not have consent to process the personal data contained in that bid request, it may not process any personal data contained in that bid request unless it has another legal basis for doing so.
Vendors may choose not to pass bid requests containing personal data to other vendors who do not have consent. In the event that a bid request containing personal data is passed to a receiving vendor without consent, the vendor that does not have consent is responsible for only acting upon that data if it has another applicable legal basis for doing so.