Consent and privacy signals

If your app operates in regulated markets, pass the consent payload on every createJob() call. For partner-enabled traffic, wavebird forwards the relevant privacy fields to the configured ad path and keeps raw prompt text behind the firewall.

Built-in consent collection (beta)

built-in-consent.tsx

import { WavebirdAd } from "@csl/wrapper-sdk/react";
import { getConsent, needsRefresh } from "@csl/wrapper-sdk/consent";

const storedConsent = getConsent();
const initialConsent =
  storedConsent && !needsRefresh(storedConsent)
    ? {
        gdpr_applies: true,
        consent_source: "wavebird_consent",
      }
    : {
        gdpr_applies: true,
        consent_source: "none",
      };

const job = await client.createJob({
  job_type: "chat",
  consent: initialConsent,
});

<WavebirdAd
  decision={decision}
  sendBeacon={client.sendBeacon.bind(client)}
  jurisdictionZone="eu_strict"
  resolveDecisionWithConsent={async ({ consent_source, purposes }) => {
    const retryJob = await client.createJob({
      job_type: "chat",
      consent: {
        semantic_targeting: purposes.personalized_ads,
        session_persistence: purposes.measurement,
        cross_session_persistence: false,
        prompt_shared: false,
        gdpr_applies: true,
        consent_source,
      },
    });
    if (!retryJob || "error" in retryJob) return null;
    return client.getDecision(retryJob.slot_ids[0]);
  }}
/>

The browser widget can render an inline consent card before the ad when the wrapper's Task 0 project jurisdiction requires consent collection. This is driven only by project settings and jurisdiction overrides. wavebird does not use browser geo-IP detection for this flow.

  • Enable it by passing jurisdictionZone and resolveDecisionWithConsent() to WavebirdAd.
  • Disable it with disableConsentCollection when your wrapper already owns CMP collection.
  • Wrapper-provided CMP consent strings always take precedence and skip the built-in collector.
  • Wrappers should still pass stored or external consent into createJob() whenever it is already available.

Limitations: this beta flow is not an IAB Europe TCF registered CMP, does not create a valid IAB TC string, and must not be represented as a registered CMP or forwarded to SSPs as an IAB TCF signal.

If enabled, the widget may store wavebird_consent_v1 in the end user's browser on your domain to remember the local semantic-targeting choice. As controller for your wrapper application, you are responsible for disclosing this storage in your own privacy and cookie notice and for obtaining any legally required consent or relying on an applicable strict-necessity exemption. wavebird does not use this storage for cross-site tracking.

Upgrade path: for production EU/EEA programmatic traffic that requires TCF signaling, use an IAB Europe registered CMP, pass the CMP-provided TC string into createJob(), and set disableConsentCollection while continuing to pass consent_source: "wrapper_cmp".

Passing GDPR consent

gdpr.ts

const job = await client.createJob({
  job_type: "chat",
  consent: {
    gdpr_applies: true,
    tcf_consent_string: "CO...",
    consent_source: "wrapper_cmp",
  },
});

  1. Your IAB Europe registered CMP provides the TC string.
  2. Pass it to the SDK in every createJob() call.
  3. When a partner path is enabled, wavebird supports pass-through handling for current TCF-compatible partner requirements where technically supported by the integration.

If you operate in the EU without a CMP, set gdpr_applies: true and omit the consent string. Partner demand may then apply stricter GDPR handling, usually meaning no personalized ads and lower CPMs.
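The precedence described above (wrapper CMP string first, then a stored built-in choice, otherwise gdpr_applies with no consent string) can be written as one payload builder plus a pre-flight check that keeps a TC string from ever travelling with a non-CMP source. This is an added example, not wavebird SDK code: payload field names come from the snippets on this page, while the helper names, the ConsentInputs shape and any TC string values are hypothetical.

```typescript
// Added example: field names from the page; helper names and ConsentInputs are hypothetical.
type ConsentSource = "wrapper_cmp" | "wavebird_consent" | "none";

interface ConsentPayload {
  gdpr_applies: boolean;
  consent_source: ConsentSource;
  tcf_consent_string?: string;
  semantic_targeting?: boolean;
  session_persistence?: boolean;
  cross_session_persistence?: boolean;
  prompt_shared?: boolean;
}
interface ConsentInputs {
  cmpTcString?: string; // TC string from an IAB Europe registered CMP, if one exists
  builtIn?: { personalized_ads: boolean; measurement: boolean; stale: boolean };
}

// Build the EU consent payload to send on every createJob() call.
function buildEuConsent(inputs: ConsentInputs): ConsentPayload {
  const tc = inputs.cmpTcString?.trim();
  if (tc) {
    // A wrapper-provided CMP string takes precedence; the built-in choice is ignored.
    return { gdpr_applies: true, tcf_consent_string: tc, consent_source: "wrapper_cmp" };
  }
  const b = inputs.builtIn;
  if (b && !b.stale) {
    // Stored built-in choice: mirrors the retry payload shape, never a TC string.
    return {
      gdpr_applies: true,
      consent_source: "wavebird_consent",
      semantic_targeting: b.personalized_ads,
      session_persistence: b.measurement,
      cross_session_persistence: false,
      prompt_shared: false,
    };
  }
  // No CMP and no usable stored choice: declare GDPR and omit the consent string.
  return { gdpr_applies: true, consent_source: "none" };
}

// Pre-flight check: return reasons a payload should not be sent as-is.
function consentPayloadErrors(p: ConsentPayload): string[] {
  const errors: string[] = [];
  if (p.tcf_consent_string !== undefined && p.consent_source !== "wrapper_cmp")
    errors.push("tcf_consent_string requires consent_source wrapper_cmp");
  if (p.consent_source === "none" && (p.semantic_targeting || p.session_persistence))
    errors.push("purposes enabled without a recorded consent source");
  return errors;
}
```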

US privacy

ccpa.ts

const job = await client.createJob({
  job_type: "chat",
  consent: {
    gpp_string: "DBAB...",
    gpp_sections: [7],
    consent_source: "wrapper_cmp",
  },
});

For US privacy regimes, pass the applicable GPP string and section IDs where your CMP supports GPP. Legacy us_privacy strings may be accepted for backward compatibility where supported by partners, but production US privacy signaling should follow the applicable CMP and partner requirements.

Prompt sharing

prompt-shared.ts

const job = await client.createJob({
  job_type: "chat",
  consent: {
    prompt_shared: true,
  },
});

By default, prompts are not shared with anyone. When you opt into prompt_shared, the prompt is sent only to wavebird's firewall for topic extraction. The extracted topic category may be sent to the configured partner path when that path is enabled. The raw prompt is never sent to SSPs, DSPs, or advertisers.

Related docs: Configuration and Troubleshooting.

API first, Script Tag second, SDK third

These pages are the advanced package layer for teams that intentionally choose @csl/wrapper-sdk. Primary onboarding still lives in the API docs, and browser-first installs should start with the Script Tag. Use contact only when you want rollout review, enterprise coordination, or help with non-standard integration constraints. Beacon billing rules live in SDK Concepts.