GDPR and COPPA | Android

General Data Protection Regulation (GDPR)

As a publisher, you should integrate a Consent Management Platform (CMP) and request for vendor and purpose consents as outlined in IAB Europe’s Mobile In-App CMP API v1.0: Transparency & Consent Framework. You can find a reference implementation of a web-based CMP and the corresponding native wrappers here.

If you are embedding your own custom CMP, the collected end-user consent information needs to be stored in SharedPreferences using the following keys:

Key Type Description
IABConsent_CMPPresent boolean Set to YES if a CMP that follows the IAB specification is present in the application.
IABConsent_SubjectToGDPR String “1” = Subject to GDPR
“0” = Not subject to GDPR
“-1” = Unknown (default before initialization)
IABConsent_ConsentString String Base64-encoded consent string as defined in by the IAB: Consent string and vendor list format v1.1
IABConsent_ParsedPurposeConsents String String of “0”s and “1”s, where the character at position N indicates the consent status to purposeID N as defined in the Global Vendor List
IABConsent_ParsedVendorConsents String String of “0”s and “1”s, where the character at position N indicates the consent status to vendorID N as defined in the Global Vendor List

Example Code

[[NSUserDefaults standardUserDefaults] setObject:@"0" forKey:@"IABConsent_SubjectToGDPR"]; // User is not subject to GDPR

Important Details About CCPA

The California Consumer Privacy Act (CCPA) was created to provide California consumers with greater transparency and control over their personal information. In many ways, the CCPA is a first of its kind regulation in the United States that seeks to create broad privacy and data protection rules that apply to all industries doing business in the jurisdiction of California, rather than focusing on a single sector or specific data collection and use practices.

For more information about the CCPA regulation, please check out the Smaato FAQ. You can also review the IAB’s U.S. Privacy String documentation.

For Publishers with California-Based Users

As a publisher, you need to make sure to request consent from California-based users (to give or refuse consent / to opt-out or opt-in ) about private data transfer. This answer should be saved in SharedPreferences with key “IABUSPrivacy_String” in the US Privacy String format (CCPA Opt-Out Storage Format).

The Smaato NextGen SDK reads this value in the key “IABUSPrivacy_String” if it exists and uses this as an optional parameter for all ad requests.

Sample of US Privacy String Saving in SharedPreferences

As per the guidelines defined by IAB for CCPA, publishers are required to set CCPA value for key IABUSPrivacy_String inside SharedPreferences.

SharedPreferences sharedPreferences = PreferenceManager.getDefaultSharedPreferences(getContext());
SharedPreferences.Editor editor = sharedPreferences.edit();
editor.putString("IABUSPrivacy_String", "1YNN");

Children’s Online Privacy Protection Act (COPPA)

“COPPA” stands for The Children’s Online Privacy Protection Rule. It imposes certain requirements on publishers (operators of websites or online services) with apps/sites directed to children under 13 years of age, and on operators of other websites or online services (i.e., Smaato) that have actual knowledge (defined below) that they are collecting personal information online from a child under 13 years of age.

Enabling COPPA

You are able to activate and deactivate COPPA by using the following example:

mBanner.getUserSettings().setCOPPA(value); // true to enable, false otherwise.

When Should the COPPA Flag be Set to COPPA=1?

If the publisher doesn’t have an age, or even if the publisher has an age gate, Smaato may need to flag the publisher’s application as COPPA=1:

  1. A publisher notifies the Smaato sales or legal departments that they have an application directed towards children OR
  2. If Smaato notices that a publisher’s application is very obviously directed to children under 13 (e.g., the application has “for Kids” in the name, features cartoons, or has other indicators that it’s intended for children).

If the publisher has an age gate, such that the age of the end-user is known, then:

  • Age gate says end-user is <13, then the publisher must send the COPPA=1 flag;
  • Age gate says end-user is ≥13, then the publisher should send the COPPA=0 flag.

Modified: January 14, 2020 at 4:10 pm