GDPR and COPPA | Android
General Data Protection Regulation (GDPR)
As a publisher, you should integrate a Consent Management Platform (CMP) and request for vendor and purpose consents as outlined in IAB Europe’s Mobile In-App CMP API v1.0: Transparency & Consent Framework. You can find a reference implementation of a web-based CMP and the corresponding native wrappers here.
If you are embedding your own custom CMP, the collected end-user consent information needs to be stored in SharedPreferences using the following keys:
||boolean||Set to YES if a CMP that follows the IAB specification is present in the application.|
||String||“1” = Subject to GDPR
“0” = Not subject to GDPR
“-1” = Unknown (default before initialization)
||String||Base64-encoded consent string as defined in by the IAB: Consent string and vendor list format v1.1|
||String||String of “0”s and “1”s, where the character at position N indicates the consent status to purposeID N as defined in the Global Vendor List|
||String||String of “0”s and “1”s, where the character at position N indicates the consent status to vendorID N as defined in the Global Vendor List|
[[NSUserDefaults standardUserDefaults] setObject:@"0" forKey:@"IABConsent_SubjectToGDPR"]; // User is not subject to GDPR
Important Details About CCPA
The California Consumer Privacy Act (CCPA) was created to provide California consumers with greater transparency and control over their personal information. In many ways, the CCPA is a first of its kind regulation in the United States that seeks to create broad privacy and data protection rules that apply to all industries doing business in the jurisdiction of California, rather than focusing on a single sector or specific data collection and use practices.
For Publishers with California-Based Users
As a publisher, you need to make sure to request consent from California-based users (to give or refuse consent / to opt-out or opt-in ) about private data transfer. This answer should be saved in
SharedPreferences with key “
IABUSPrivacy_String” in the US Privacy String format (CCPA Opt-Out Storage Format).
The Smaato NextGen SDK reads this value in the key “
IABUSPrivacy_String” if it exists and uses this as an optional parameter for all ad requests.
Sample of US Privacy String Saving in SharedPreferences
As per the guidelines defined by IAB for CCPA, publishers are required to set CCPA value for key IABUSPrivacy_String inside SharedPreferences.
SharedPreferences sharedPreferences = PreferenceManager.getDefaultSharedPreferences(getContext()); SharedPreferences.Editor editor = sharedPreferences.edit(); editor.putString("IABUSPrivacy_String", "1YNN"); editor.commit();
Please Make sure to use the exact name as given for the key “IABUSPrivacy_String” and to review the IAB’s guidelines for entering and formatting the U.S. Privacy String (CCPA Opt-Out Storage Format).
Our sample provided above (“1YNN”) for the US Privacy String demonstrates when the user has not made a choice to opt-out.
Further Examples of the U.S. Privacy String
1YNN: User has not made a choice to opt-out
1NYY: User has made a choice to opt-out
1—: A Digital Property has determined to use a U.S. Privacy string version 1 and that CCPA does not apply to the transaction.
Children’s Online Privacy Protection Act (COPPA)
“COPPA” stands for The Children’s Online Privacy Protection Rule. It imposes certain requirements on publishers (operators of websites or online services) with apps/sites directed to children under 13 years of age, and on operators of other websites or online services (i.e., Smaato) that have actual knowledge (defined below) that they are collecting personal information online from a child under 13 years of age.
You are able to activate and deactivate COPPA by using the following example:
mBanner.getUserSettings().setCOPPA(value); // true to enable, false otherwise.
When Should the COPPA Flag be Set to COPPA=1?
If the publisher doesn’t have an age, or even if the publisher has an age gate, Smaato may need to flag the publisher’s application as COPPA=1:
- A publisher notifies the Smaato sales or legal departments that they have an application directed towards children OR
- If Smaato notices that a publisher’s application is very obviously directed to children under 13 (e.g., the application has “for Kids” in the name, features cartoons, or has other indicators that it’s intended for children).
If the publisher has an age gate, such that the age of the end-user is known, then:
- Age gate says end-user is <13, then the publisher must send the
- Age gate says end-user is ≥13, then the publisher should send the
Modified: January 14, 2020 at 4:10 pm