User story
As a deployer, I want Edge Cookie creation gated by technical permissions that are established outside the core, so that the legal policy is mine to set and is not baked into Trusted Server.
Description
Replace the country-based allows_ec_creation check with a technical permission model that separates legal policy from the core. Each provider declares the permissions its data use requires, named by the IAB TCF Europe purpose set and used only as technical identifiers. No policy framework is implemented in the core. The core runs a provider only when every required permission is held. Whether a permission is held is established from the country a geo provider returns (keyed by ISO 3166-1, with a fail-closed fallback when no country is known) and from request signals. The model is source-agnostic, so a held permission can equally come from an interaction with the user that establishes a preference, or from data provided by another source. The EC Set-Cookie operation always requires store-on-device (purpose 1). A vendor-neutral provider requires nothing, so a default deployment needs no policy interaction at all.
Done when
- A technical permission model resolves held permissions, keyed by country or region (i.e. EU27), with a fail-closed default fallback.
- A provider's required permissions are honored, and it runs only when all are held.
- The built-in HMAC provider declares store-on-device (purpose 1), and a neutral provider requires nothing.
- consent::allows_ec_creation is removed, and its country-based gate tests are replaced by permission-model tests.
- The permission vocabulary is the IAB TCF Europe purpose set used only as identifiers, with no policy framework in the core.
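A sketch of the gate described above, added here as an illustration and not taken from the Trusted Server code base. All type and function names (Permission, PermissionPolicy, held, may_run, sample_policy) are hypothetical, and the policy table uses user-assigned ISO 3166-1 codes (XA, XB) as constructed placeholders.

```rust
use std::collections::{BTreeSet, HashMap};

/// TCF purpose number, used only as a technical identifier (hypothetical type).
type Permission = u8;
const STORE_ON_DEVICE: Permission = 1;

/// Deployer-supplied table: ISO 3166-1 alpha-2 code -> permissions held by default.
struct PermissionPolicy {
    by_country: HashMap<&'static str, BTreeSet<Permission>>,
    fallback: BTreeSet<Permission>, // used when the country is unknown or unlisted
}

impl PermissionPolicy {
    /// Held permissions = country defaults (or the fallback) plus request signals.
    fn held(&self, country: Option<&str>, signals: &[Permission]) -> BTreeSet<Permission> {
        let base = country
            .and_then(|c| self.by_country.get(c.to_ascii_uppercase().as_str()))
            .unwrap_or(&self.fallback);
        base.iter().chain(signals).copied().collect()
    }
}

/// A provider runs only when every permission it requires is held.
fn may_run(required: &[Permission], held: &BTreeSet<Permission>) -> bool {
    required.iter().all(|p| held.contains(p))
}

/// Constructed sample table; the entries are placeholders, not a policy.
fn sample_policy() -> PermissionPolicy {
    PermissionPolicy {
        by_country: HashMap::from([
            ("XA", BTreeSet::from([STORE_ON_DEVICE])),
            ("XB", BTreeSet::new()),
        ]),
        fallback: BTreeSet::new(), // fail closed: nothing is held
    }
}

fn main() {
    let policy = sample_policy();
    let hmac = [STORE_ON_DEVICE]; // requirement stated in the issue text
    let neutral: [Permission; 0] = []; // vendor-neutral provider requires nothing
    let cases = [(Some("XA"), vec![]), (Some("XB"), vec![]),
                 (Some("XB"), vec![STORE_ON_DEVICE]), (None, vec![])];
    for (country, signals) in cases {
        let held = policy.held(country, &signals);
        println!("{:?} {:?}: hmac={} neutral={}", country, signals,
                 may_run(&hmac, &held), may_run(&neutral, &held));
    }
}
```

An empty fallback set is what makes the unknown-country case fail closed for the HMAC provider while the neutral provider still runs.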
References