GDPR Publisher Integration Guide

Introduction

MoPub is committed to ensuring that our services comply with the European Union’s new General Data Protection Regulation (GDPR).

This guide will provide information for publishers to be compliant with the regulation. By default, the updated SDK will obtain consent from users located in the European Economic Area, the United Kingdom, and Switzerland for the processing of personal data by MoPub and our partners (including advertising demand partners, supported advertising mediation partners, data partners, and fraud and measurement partners) for personalized advertising purposes. Some publisher partners may be allowed to obtain consent on behalf of MoPub and our partners through their own consent solution if they agree to additional terms.

Timelines to adopt GDPR Supported SDKs

In order to provide continuity of our Services to our Publisher Partners and give your users sufficient time to update their apps to versions using the latest SDK, we will continue to support older versions of the SDK during a short transition period. During this time, we will continue to receive personal data such as iOS Identifier for Advertising or Android Advertising ID from older versions of the SDK. However, in order to protect your users’ privacy, we will not store, use, or share such personal data, and we will only return contextual ads if they use one of these apps in the European Economic Area, the United Kingdom, or Switzerland.

After August 22, 2018, we will stop returning ads to older versions of our SDK in these countries.

Quick Guide to be compliant with MoPub’s approach to GDPR

  1. Initialize the MoPub SDK. This is a new requirement for all publishers using MoPub. The purpose of this API is to initialize the consent mechanism and (optional) rewarded video ad networks.
  2. Check if you should show the consent dialog, then load and show it to your users. Further details about implementing publisher-owned and MoPub-owned consent mechanisms are available below.

Note: We determine whether the consent dialog should be shown based on if GDPR applies, if we previously obtained a consent status for the user, and if the user’s “Limit Ad Tracking” or equivalent preference is enabled.

  • GDPR Applies: If we detect that a user opened a given application for the first time in the European Economic Area, United Kingdom, or Switzerland, as determined by the user’s truncated IP address, MoPub will consider GDPR applying to that user for the lifetime of that application, meaning that MoPub requires the user’s consent before serving personalized ads. Beginning on SDKv 5.1, publishers can determine when GDPR applies to the user, in addition to when the MoPub SDK determines when GDPR Applies. Check below on how to enable consent outside EU.
  • Limit Ad Tracking Preference: If the user’s “Limit Ad Tracking” or equivalent preference is enabled, and if GDPR applies to that user, we will treat the user as not having consented regardless of any other indication of consent.

Note: Only specific (managed) publishers who have been given permission are able to use their own consent dialog. Everyone else must use MoPub’s default consent dialog.

  1. Ensure the consent mechanism is built based on the requirements provided above.
  2. Check if the MoPub consent dialog can be shown and simply call the methods provided in the respective Android/iOS/Unity guides to show the dialog.

    Note: The consent dialog will not load if you attempt to call it for a user that MoPub has determined is outside of the European Economic Area, the United Kingdom, or Switzerland. Please keep this in mind when testing if you have not opened hte app for the first time in the European Economic Area, the United Kingdom, or Switzerland or if you do not set GDPR Applies

  3. Revoke the consent manually when applicable. That is an optional step if a publisher has a UI for that. The MoPub SDK will automatically detect when “Do Not Track” is enabled by users, and revoke the consent on your behalf.

Full integration details are available below:

Beginning on SDKv 5.1, publishers can determine when GDPR applies to the user, in addition to when the MoPub SDK determines when GDPR Applies. SDK v 5.0 does not currently support consent from users located outside of where we have determined GDPR applies and you should not pass consent state for users outside of these regions. If you are passing a consent state for users that MoPub has determined are located outside of the Europoean Econimc Area, the United Kingdom, or Switzerland, MoPub will disregard the consent state, as the SDK will not treat GDPR as applying to users outside of these regions, and we will continue to process their personal data.

  1. Ensure the consent mechanism is built based on the requirements provided above.
  2. Add links to MoPub’s vendor list and the privacy policy URL to your consent UI.
  3. Grant or revoke consent manually by calling the relevant APIs.

Note:

  • When sending GDPR Applies, MoPub will consider GDPR as applying to that user for the lifetime of that application, regardless of if you change GDPR Applies to false on the same user at a later date
  • The API to grant consent manually is only available for publishers using their own consent mechanism. If you do not have approval to use your own custom consent, consent will all be treated as no consent

Full integration details are available below:

Publishers using the 5.1+ can enable consent mechanism outside EU regions by enabling force GDPR applies flag (Android, iOS, Unity). The following will be true for publishers with SDK 5.1 and above

  • If publisher is not using force GDPR flag, consent will be considered be valid where isGDPRApplicable is true as defined by MoPub here.
  • If publisher is using force GDPR flag, consent will be valid for users for whom forceGDPR flag is on.

Note

  • If a publisher starts using force GDPR flag for a user not identified by MoPub as subject to GDPR, the SDK will treat that user as subject to GDPR for the duration of the app life time.
  • If, in a later update, the publisher decides that they no longer want to use force GDPR flag ** New users will be treated as subject to GDPR as determined by MoPub. ** Any existing users for whom force GDPR flag was previously set will still be treated as subject to GDPR as defined by publisher. This cannot be revoked by any means except with app deletion/reinstallation.

Ensure you re-prompt the consent dialog to your users by checking OS relevant shouldShowConsentDialog in the below scenarios

  • When new partners are added to the MoPub partner list.
  • If there are changes to the existing list.
  • If your users have not provided any consent yet by closing the consent Dialog

Note Consent status will become unknown for all users if the partner list changes until the re-prompt of the dialogue happens. And only contextual ads will be served while consent status remains unknown. We recommend checking shouldShowConsentDialog and showing the consent dialogue as frequently as possible preferably before every ad request.

The consent dialog will default to the user’s device language if it is set to Deutsch, English, Español, Français, Italiano, Nederlands, or Português. If the user’s device is not set to one of those 7 languages, the dialog will default to English.

Additionally, the user will have the ability to select the dialog’s language. The links on the MoPub consent mechanism will default to English until a later date. For more information on the consent dialog, see our FAQ.

Targeting

We have added an additional field for Publisher Partners who would like to share demographic (e.g, age or gender) or interests data for ad targeting. Publisher Partners must send any demographic or interest-based targeting data in the fields designated for such data, as described in our technical documentation. Publisher Partners must not include any personal data, including demographic or interest-based targeting data, in any fields intended for contextual targeting (i.e., targeting based on the content of the app).

In this MoPub SDK version 5.0, the userDataKeywords field will not be sent in the ad request if GDPR is applicable and if there is no explicit consent from user.

For purposes of GDPR compliance, if you are not on SDK version 5.0+, you should not target interest or demographic keywords in the European Economic Area, United Kingdom, and Switzerland.

Note: There are certain user data keywords that are prohibited from being sent to MoPub. Please review the “Prohibition on Sensitive Personal Data” section of MoPub’s Publisher Partner Policies for more details.

Server-side Rewarded Video

Publishers using Rewarded Video server-side setup should get user’s consent for using #CUSTOMER_ID# macros

MoPub Mediation

Supported SDK Networks

We will be obtaining consent on behalf of AdColony, AppLovin, Chartboost, Flurry, ironSource, One by AOL, Tapjoy, Unity, and Vungle. We will share the consent via adapters and publishers will need to update the following:

  • GDPR-supported network adapters
  • GDPR-supported SDK
  • GDPR-supported network SDK. For supported versions and other details, please check here for further details.

MoPub will not be obtaining consent on behalf of Alphabet, Inc - Google AdMob and Facebook, Inc. For networks that we are not getting consent for, publishers should work directly with the network to understand their obligations to comply with GDPR.

Supported Server-Side Networks

We will be obtaining consent on behalf of all server-to-server mediation partners. Check for the supported mediation partners here

Javascript Networks

MoPub does not share explicit consent with Javascript networks. Publishers should not insert MoPub macros that contain personal data, such as IFA and latitude and longitude, for users located in the European Economic Area, United Kingdom, or Switzerland.

Mediating MoPub using external mediation platforms

MoPub will collect its own consent and will not use consent from externally mediated partners like Alphabet, Inc - Google AdMob or IronSource. Publishers should share their user’s explicit consent with the MoPub SDK directly using the integrations for Android, iOS, Unity.

Last updated June 22, 2018

TWITTER, MOPUB, and the Bird logo are trademarks of Twitter, Inc. or its affiliates. All third party logos and trademarks included are the property of their respective owners.

© 2018 MoPub Inc.