Compliance Topics | iOS

General Data Protection Regulation (GDPR)

As a publisher, you should integrate a Consent Management Platform (CMP) and request vendor and purpose consents as outlined in IAB Europe’s Mobile In-App CMP API v1.0: Transparency & Consent Framework. A reference implementation of a web-based CMP and the corresponding native wrappers is available in the IAB’s GDPR Transparency and Consent Framework.

If you are embedding your own custom CMP, the collected end-user consent information needs to be stored in NSUserDefaults using the following keys:

| Key | Type | Description |
| --- | --- | --- |
| IABConsent_CMPPresent | boolean | Set to YES if a CMP that follows the IAB specification is present in the application. |
| IABConsent_SubjectToGDPR | String | “1” = Subject to GDPR; “0” = Not subject to GDPR; “-1” = Unknown (default before initialization) |
| IABConsent_ConsentString | String | Base64-encoded consent string as defined by the IAB: Consent string and vendor list format v1.1 |
| IABConsent_ParsedPurposeConsents | String | String of “0”s and “1”s, where the character at position N indicates the consent status to purposeID N as defined in the Global Vendor List |
| IABConsent_ParsedVendorConsents | String | String of “0”s and “1”s, where the character at position N indicates the consent status to vendorID N as defined in the Global Vendor List |

Example Code

[[NSUserDefaults standardUserDefaults] setObject:@"0" forKey:@"IABConsent_SubjectToGDPR"]; // User is not subject to GDPR

Important Details About CCPA

The California Consumer Privacy Act (CCPA) was created to provide California consumers with greater transparency and control over their personal information. In many ways, the CCPA is a first-of-its-kind regulation in the United States: it seeks to create broad privacy and data protection rules that apply to all industries doing business in the jurisdiction of California, rather than focusing on a single sector or on specific data collection and use practices.

For more information about the CCPA regulation, please check out the Smaato FAQ. You can also review the IAB’s U.S. Privacy String documentation.

For Publishers with California-Based Users

As a publisher, you need to ask California-based users whether they give or refuse consent (opt in or opt out) to the transfer of their private data. The user’s answer should be saved in NSUserDefaults under the key “IABUSPrivacy_String” in the US Privacy String format (CCPA Opt-Out Storage Format).

Sample of US Privacy String Saving in NSUserDefaults

As per the guidelines defined by the IAB for CCPA, publishers are required to set the CCPA value for the key IABUSPrivacy_String inside NSUserDefaults.

NSString *iabCCPAString = @"1YNN"; // example value in the US Privacy String format
[NSUserDefaults.standardUserDefaults setObject:iabCCPAString forKey:@"IABUSPrivacy_String"];
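
The saving step above, as an added example that is not part of the original page or the Smaato SDK: it builds the US Privacy String from the user's recorded choice and refuses to store a malformed value. The helper names are hypothetical, and the four-character layout (version 1, then notice, opt-out and LSPA flags as Y, N or -) is assumed from the IAB U.S. Privacy String specification the page refers to.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helpers, not part of the Smaato SDK or any IAB library.
// Assumed layout (IAB U.S. Privacy String spec): 4 characters, version "1",
// then explicit notice given, opt-out of sale, LSPA covered transaction,
// each 'Y', 'N' or '-' (not applicable).
static BOOL IsValidUSPrivacyString(NSString *value) {
    if (value.length != 4) { return NO; }          // also rejects nil
    if ([value characterAtIndex:0] != '1') { return NO; }
    NSCharacterSet *allowed =
        [NSCharacterSet characterSetWithCharactersInString:@"YN-"];
    for (NSUInteger i = 1; i < 4; i++) {
        if (![allowed characterIsMember:[value characterAtIndex:i]]) { return NO; }
    }
    return YES;
}

// Builds the string from what the app actually recorded about the user.
static NSString *BuildUSPrivacyString(BOOL noticeGiven, BOOL optedOut, BOOL lspaCovered) {
    return [NSString stringWithFormat:@"1%@%@%@",
            noticeGiven ? @"Y" : @"N",
            optedOut ? @"Y" : @"N",
            lspaCovered ? @"Y" : @"N"];
}

// Stores the value only if it is well formed; otherwise returns NO and
// leaves any previously stored value untouched.
static BOOL StoreUSPrivacyString(NSString *value) {
    if (!IsValidUSPrivacyString(value)) {
        NSLog(@"Rejected malformed IABUSPrivacy_String: %@", value);
        return NO;
    }
    [NSUserDefaults.standardUserDefaults setObject:value
                                            forKey:@"IABUSPrivacy_String"];
    return YES;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: notice shown, no opt-out, not an LSPA transaction.
        NSString *s = BuildUSPrivacyString(YES, NO, NO);
        NSLog(@"%@ stored: %d", s, StoreUSPrivacyString(s));
        // Constructed malformed values that must not reach NSUserDefaults.
        for (NSString *bad in @[@"1ynn", @"YNN", @"2YNN", @"1YNNN"]) {
            NSLog(@"%@ stored: %d", bad, StoreUSPrivacyString(bad));
        }
    }
    return 0;
}
```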
 

Children’s Online Privacy Protection Act (COPPA)

“COPPA” stands for The Children’s Online Privacy Protection Rule. It imposes certain requirements on Publishers (operators of websites or online services) with apps/sites directed to children under 13 years of age, and on operators of other websites or online services (i.e., Smaato) that have actual knowledge (defined below) that they are collecting personal information online from a child under 13 years of age.

Enabling COPPA

COPPA can be enabled or disabled like this:

adSettings.coppaEnabled = YES; // default is set to NO

When should the COPPA Flag be set to COPPA=1?

If the publisher doesn’t have an age gate, or even if the publisher has an age gate, Smaato may need to flag the publisher’s application as COPPA=1 in either of these cases:

  1. A publisher notifies the Smaato sales department (or emails the Smaato legal department) that they have an application directed towards children, OR
  2. Smaato notices that a publisher’s application is very obviously directed to children under 13 (e.g., the application has “for Kids” in the name, features animation, or has other indicators that the app is for children).

If the publisher has an age gate, such that the age of the end-user is known, then:

  • If the age gate says the end-user is <13, the publisher must send the COPPA=1 flag;
  • If the age gate says the end-user is ≥13, the publisher should send the COPPA=0 flag.

Modified: January 14, 2020 at 4:35 pm