Delete SSC cookie and KV store entry when user withdraws consent #466
Description
User story
As a publisher, I want existing SSC cookies and KV store entries to be deleted when a user revokes consent, so that tracking stops immediately upon withdrawal.
Acceptance criteria
- If consent is not given AND an SSC cookie is present → delete the cookie value AND delete the corresponding KV store entry
- Revocation is acted on in the same request where lack of consent is detected
- After revocation, subsequent requests with no consent and no cookie result in no action (do nothing)
Affected area
Core (synthetic IDs, cookies, GDPR), Fastly runtime
Proposed approach
- After decoding consent (per the TCF/GPP decoding issue), check for the revocation scenario:
has_consent == false && ssc_cookie.is_some(). - If triggered:
- Set the SSC cookie to expire (clear it from the response).
- Delete the corresponding entry from the Fastly KV store.
- If
has_consent == false && ssc_cookie.is_none(), do nothing — no cleanup needed. - This check runs on every request as part of the consent evaluation pipeline.
Additional context
Sub-issue of #54. Related to #312, PR #380.
Handles the consent withdrawal / revocation case required by GDPR Article 7(3) and US state privacy laws.
Metadata
Metadata
Assignees
Labels
No labels