Privacy and GDPR

The minimal SDK call does not require prompt text or consent fields. Add privacy controls only when your app needs them, and prefer context.topic when you want matching context without sharing prompt text.

Recommended privacy-first shape

privacy.ts

typescript

PRIVACY

const { slot_ids } = await client.createJob({
  job_type: "chat",
  context: { topic: "programming" },
  consent: {
    semantic_targeting: true,
    prompt_shared: false,
    gdpr_applies: true,
    consent_source: "wrapper_cmp",
    tcf_consent_string: "CONSENT_STRING",
    gpp_string: "DBAB...",
    gpp_sections: [7],
  },
});

prompt_shared: false keeps prompt text out of the targeting path while still letting you send a direct context.topic.
gdpr_applies maps to OpenRTB regs.gdpr.
tcf_consent_string maps to OpenRTB user.consent only when consent_source: "wrapper_cmp".
gpp_string and gpp_sections are the preferred US privacy signal fields for wrapper CMP integrations. Legacy us_privacy may be accepted where partners still require it.
If you enable the built-in wavebird consent widget, it may store wavebird_consent_v1in the end user's browser on your domain to remember the local semantic-targeting choice. Disclose this in your own privacy and cookie notice and obtain any legally required consent or rely on an applicable strict-necessity exemption.

What can leave your system

The contract supports topic, consent, brand-safety, publisher, and slot metadata. If you choose to send prompt text, the CSL's data firewall reduces it to abstract matching signals before SSP egress.

What ad partners do not receive

Raw prompt text does not go to SSPs, DSPs, or advertisers. If you omit prompt text entirely and provide only context.topic, no prompt text enters the flow at all.

Consent and CS

Disclosure template

API first, Script Tag second, SDK third

Back to API docs Contact the team

These pages are the advanced package layer for teams that intentionally choose @csl/wrapper-sdk. Primary onboarding still lives in the API docs, and browser-first installs should start with the Script Tag. Use contact only when you want rollout review, enterprise coordination, or help with non-standard integration constraints. Beacon billing rules live in SDK Concepts.