Customization
      Back to home
      1. Help Center
      2. Consent notice creation
      3. Customization

      Processing rule override

      1. What is a processing rule?

      2. Processing rule override feature

      2.1 Definition

      2.2 Processing rule hierarchy

      2.3 Available processing rules

      2.4 Apply a processing rule override

      2.4.1 At notice level

      2.4.2 At vendor list template level

      3. Typical use cases for processing rule override

      4. Recommendations

      FAQs

       

      Managing user consent across multiple regulations can be complex, especially when the same purpose or vendor needs to behave differently depending on jurisdiction.

      The Processing Rule Override feature lets you adjust how purposes appear (opt-in or opt-out) based on the regulation, offering flexibility without changing your global setup.

      This guide explains how it works and how to use it effectively.

      Processing Rules Override is designed to give you greater flexibility in configuring consent experiences across jurisdictions. It lays the foundation for a broader capability that will eventually allow you to fully define and manage your own regulation template.

      Processing Rule Override feature does not apply to IAB TCF purposes under GDPR when IAB TCF is enabled. Use Publisher restrictions instead.

      1. What is a processing rule?

      A processing rule is the lawful justification for collecting and processing a user’s personal data. Each purpose (e.g. analytics, advertising) must rely on a valid legal basis, that we call here processing rule, which directly influences how it appears in the CMP interface and what happens if the user takes no action.

      It determines:

      • Whether the purpose is enabled or disabled by default (when the user doesn’t interact).
      • How the purpose is displayed in the UI.

      In other words, the processing rule defines how user choices for each purpose are handled by the SDK, rendered in the UI, collected, and kept in local device storage or in the database, and how it should be interpreted by your partners and marketing tools and interpreted in the backend.

      There are two main processing rules:

      • Opt in = Consent = user action required
        • The user must actively agree before data is collected.
        • Default status: disabled.
        • Common under regulations like the GDPR.
      • Opt out = Legitimate Interest = enabled by default unless objected to
        • The data is collected by default unless the user opts out.
        • Default status: enabled.
        • Common in US frameworks.

      For example:

      • If a purpose is configured as opt-in, it will show as disabled by default until the user explicitly consents.
      • If it’s opt-out, it appears enabled by default, and the user must opt out to disable it. 

      We can also refer to “processing rule” as a “legal basis” instead.

      2. Processing rule override feature

      2.1 Definition

      Processing Rule Override is a feature that allows you to deliberately modify the default processing rule configuration (e.g. Opt in/consent or opt out/legitimate interest) for a specific purpose. This override can also be applied to a specific context, for example, only for certain vendors using this purpose, or only for certain notices.

      Processing Rule Overrides enable granular customization of how choices are presented to users and what their default status is. This makes it easier to adapt to different regulatory contexts.

      2.2 Processing rule hierarchy

      Processing rules can be defined and applied at different levels within the CMP:

      • Data Manager: While assigning a purpose to a vendor, you can assign a processing rule to each purpose. In this section, you can define which purposes are based on consent = opt-in and which purposes are based on legitimate interest = opt-out  IAB TCF v2.2 purposes may already have a default, non-modifiable processing rule.

       

      • Regulation: Each regulation in Didomi has a default processing rule associated with it, and you cannot modify it. Unless an override rule is in place, each regulation in use on a notice will use the default processing rule for that regulation. For example, each US regulation is created with a legal basis opt-out.

      image (1)-Jul-02-2025-07-15-04-1463-AM

      • Vendor List: You can override the processing rule for each purpose associated with a vendor in the list.
      • Notice: You can override the processing rule for or each purpose associated with a vendor used in a notice. This override can be set up directly in the notice.

      Capture d’écran 2025-06-04 à 18.19.50

      As processing rules can be defined at multiple levels, it is essential that you understand the clear priority order for how processing rules are applied:

      1. Override processing rule at notice or vendor list level (note that you can’t define an override at notice level when a vendor list is used).
      2. Processing rule at regulation level
      3. Default processing rule defined in the Data Manager

      👉 The lowest level (notice/template) takes precedence over higher levels.

      In other words, for example:

      • If purpose A is set to opt-in in the Data Manager but used in an opt-out regulation, it will appear as opt-out in the notice.
      • If purpose A is set to opt-in in the Data Manager, used in an opt-out regulation, but you override it to opt-in at the notice level, it will appear as opt-in.
      • If purpose A is set to opt-in in the Data Manager, used in an opt-in regulation, but you override it to opt-out at the notice level, it will appear as opt-out.

      2.3 Available processing rules

      When specifying processing rule in the console, you will see different options available for configuration:

      • opt-in: choices are disabled by default (requires explicit user consent).
      • opt-out: choices are enabled by default (user must actively refuse).

      At regulation level, a third value may appear, not as a configurable setting, but to indicate that the processing rule is inherited:

      • "Data manager": uses the configuration defined in the Data Manager.

      "Data manager" is only used for GDPR so far as it lets the purpose-by-purpose configuration set in the Data Manager apply directly. Thus, the new override feature does not impact existing GDPR set up.

      2.4 Apply a processing rule override

      The processing rule override applies specifically to a purpose attached to one or more vendors, in a selected regulation.

      2.4.1 At notice level

      To apply a processing rule override in a notice:

      1. Go to the notice where you want to apply the override.

      2. Click the “Edit Vendors & Purposes” button under the regulation you want to configure.

      3. Scroll down to the Processing rule overrides section.

        Capture d’écran 2025-06-04 à 18.19.50

      4. Click “Add override”.

        image (4)-4

      5. Configure the override:

        • Purpose: select the purpose to override.

          Note: overrides cannot be applied to IAB TCF purposes under GDPR when IAB TCF is enabled.

        • Vendors: choose the vendor(s) for whom the override will apply under the selected regulation.

        • Override type:

          • Require consent for selected vendors: the purpose will behave as opt-in (disabled by default).
          • Grant consent for selected vendors: the purpose will behave as opt-out (enabled by default).

      image (2)-4

      1. Click Save. The override will appear in the list below.

        image (3)-3

      2. Save the regulation set up.

      2.4.2 At vendor list template level

      To apply a processing rule override at the vendor list template level:

      1. Go to the vendor list template where you want to apply the override.
      2. Follow steps 3 to 6 from section 2.4.1 of this documentation.
      3. Click Apply or Apply and publish notices.
      4. The override will now appear in all notices linked to the vendor list template.

      An override created at vendor list template level It cannot be edited or deleted from the notice. Changes must be made from the vendor list template directly.

      3. Typical use cases for Processing Rule Override

      1. Different processing rules by regulation

        • In general: If a regulation enforces a processing rule for all purposes, you can override this for specific purposes or vendors to keep them in another processing rule.
        • Handling SPI (Sensitive Personal Information) under US frameworks: In United States privacy law frameworks, you often want SPI-related purposes to remain opt-in under a regulation that normally defaults to opt-out.
        • Handling Legitimate interest under GDPR: In GDPR framework, you want legitimate interest purposes to remain opt-out under a regulation that normally defaults to opt-in.

      2. Shared vendors across jurisdictions

        A vendor used across multiple regulations can behave differently depending on the context. For example, a single vendor’s purpose needs to be shown as opt-in in one regulation and opt-out in another.

      4. Recommendations

      • No need to use the override feature if you're only using the GDPR regulation. The Data Manager configuration is sufficient.
      • Use overrides at the notice or template level for more granular control when working with multiple regulations.
      • Watch out for potential conflicts or redundancies between levels, always clarify which layer should take precedence.
      • Use the Publisher Restrictions feature to override processing rules for IAB purposes under GDPR.
      • Be careful with purpose regulation scope: if you apply overrides in a template for purposes scoped only to Regulations A and B in the Data Manager, those overrides will not apply under Regulation C in your notice.

      FAQs

      Can we override the processing rule of a regulation?

      No, this feature is not available yet. The processing rule for a regulation is defined by Didomi and cannot be customized. You can view it at the top of the page that opens when clicking “Edit vendors & purposes” from a regulation-based notice.

      What’s the difference between a Processing Rule Override and Publisher Restrictions?

      Publisher Restrictions apply only to IAB TCF purposes when the IAB TCF integration is enabled, and only under GDPR. These are defined by the IAB TCF policy.

      Processing Rule Override follows a similar logic but is more flexible: it works across all regulations, whether or not a consent framework is applied. However, the principle works in the same way for both the Processing Rule Override and Publisher Restrictions.

      What happens if some purposes are set as Opt in (Consent) in the Data Manager but are used in a regulation with an opt-out processing rule?

      The regulation’s processing rule takes precedence: the purpose will behave as opt-out (i.e., "legitimate purpose," where consent is granted by default). To apply the processing rules defined in the Data Manager, the regulation must use a "Data Manager" processing rule.

      How are opt-in and opt-out processing rules reflected in the notice shown to end-users?

      • Opt-in purposes are displayed as “Consent”.
      • Opt-out purposes are displayed as “Legitimate Interest”.

      Capture d’écran 2025-06-04 à 18.40.24