prebid · SyntaxNode · Jan 21, 2021 · Jan 14, 2021 · Jan 20, 2021 · Jan 21, 2021
diff --git a/endpoints/auction_test.go b/endpoints/auction_test.go
@@ -349,7 +349,7 @@ func TestCacheVideoOnly(t *testing.T) {
 		t.Fatal(err.Error())
 	}
 	syncers := usersyncers.NewSyncerMap(cfg)
-	gdprPerms := gdpr.NewPermissions(nil, config.GDPR{
+	gdprPerms := gdpr.NewPermissions(context.Background(), config.GDPR{
 		HostVendorID: 0,
 	}, nil, nil)
 	prebid_cache_client.InitPrebidCache(server.URL)

diff --git a/gdpr/gdpr.go b/gdpr/gdpr.go
@@ -34,18 +34,25 @@ const (
 
 // NewPermissions gets an instance of the Permissions for use elsewhere in the project.
 func NewPermissions(ctx context.Context, cfg config.GDPR, vendorIDs map[openrtb_ext.BidderName]uint16, client *http.Client) Permissions {
-	// If the host doesn't buy into the IAB GDPR consent framework, then save some cycles and let all syncs happen.
-	if cfg.HostVendorID == 0 {
-		return AlwaysAllow{}
+	if !cfg.Enabled {
+		return &AlwaysAllow{}
 	}
 
-	return &permissionsImpl{
+	permissionsImpl := &permissionsImpl{
 		cfg:       cfg,
 		vendorIDs: vendorIDs,
 		fetchVendorList: map[uint8]func(ctx context.Context, id uint16) (vendorlist.VendorList, error){
 			tcf1SpecVersion: newVendorListFetcher(ctx, cfg, client, vendorListURLMaker, tcf1SpecVersion),
 			tcf2SpecVersion: newVendorListFetcher(ctx, cfg, client, vendorListURLMaker, tcf2SpecVersion)},
 	}
+
+	if cfg.HostVendorID == 0 {
+		return &AllowHostCookies{
+			permissionsImpl: permissionsImpl,
+		}
+	}
+
+	return permissionsImpl
 }
 
 // An ErrorMalformedConsent will be returned by the Permissions interface if

diff --git a/gdpr/gdpr_test.go b/gdpr/gdpr_test.go
@@ -0,0 +1,50 @@
+package gdpr
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/prebid/prebid-server/config"
+	"github.com/prebid/prebid-server/openrtb_ext"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewPermissions(t *testing.T) {
+	tests := []struct {
+		description  string
+		gdprEnabled  bool
+		hostVendorID int
+		wantType     Permissions
+	}{
+		{
+			gdprEnabled:  false,
+			hostVendorID: 32,
+			wantType:     &AlwaysAllow{},
+		},
+		{
+			gdprEnabled:  true,
+			hostVendorID: 0,
+			wantType:     &AllowHostCookies{},
+		},
+		{
+			gdprEnabled:  true,
+			hostVendorID: 32,
+			wantType:     &permissionsImpl{},
+		},
+	}
+
+	for _, tt := range tests {
+
+		config := config.GDPR{
+			Enabled:      tt.gdprEnabled,
+			HostVendorID: tt.hostVendorID,
+		}
+		vendorIDs := map[openrtb_ext.BidderName]uint16{}
+
+		perms := NewPermissions(context.Background(), config, vendorIDs, &http.Client{})
+
+		assert.IsType(t, tt.wantType, perms, tt.description)
+	}
+}
diff --git a/gdpr/impl.go b/gdpr/impl.go
@@ -223,6 +223,16 @@ func (p *permissionsImpl) parseVendor(ctx context.Context, vendorID uint16, cons
 	return
 }
 
+// AllowHostCookies represents a GDPR permissions policy with host cookie syncing always allowed
+type AllowHostCookies struct {
+	*permissionsImpl
+}
+
+// HostCookiesAllowed always returns true
+func (p *AllowHostCookies) HostCookiesAllowed(ctx context.Context, consent string) (bool, error) {
+	return true, nil
+}
+
 // Exporting to allow for easy test setups
 type AlwaysAllow struct{}