GDPR Publisher Integration Guide

MoPub is committed to ensuring that our services comply with the European Union’s new General Data Protection Regulation (GDPR).

This guide provides information for publishers to be compliant with the regulation. By default, the updated SDK will obtain consent from users located in the European Economic Area, the United Kingdom, and Switzerland for the processing of personal data by MoPub and our partners (including advertising demand partners, supported advertising mediation partners, data partners, and fraud and measurement partners) for personalized advertising purposes. Some publisher partners may be allowed to obtain consent on behalf of MoPub and our partners through their own consent solution if they agree to additional terms.

Become Compliant with MoPub’s Approach to GDPR

  1. Initialize the MoPub SDK. This is a new requirement for all publishers using MoPub. The purpose of this API is to initialize the consent mechanism and (optional) rewarded video ad networks.

  2. Check whether you should show the consent dialog, then load and show it to your users. This section describes how to implement both the MoPub-owned and the publisher-owned consent mechanisms. The publisher-owned mechanism applies only to select managed publishers who have been given permission to use their own consent dialog; everyone else must use MoPub’s default consent dialog.

    We determine whether the consent dialog should be shown based on the following three factors:

    • GDPR Applies: If we detect that a user opened a given application for the first time in the European Economic Area, United Kingdom, or Switzerland, as determined by the user’s truncated IP address, MoPub will consider that GDPR applies to that user for the lifetime of that application, meaning that MoPub requires the user’s consent before serving personalized ads.

      Beginning with MoPub SDK v5.1, publishers can determine when GDPR applies to the user, in addition to the MoPub SDK’s own determination of whether GDPR applies. See below for how to enable consent outside the EU.

    • Previously obtained consent: Whether we previously obtained a consent status for the user.

    and

    • Limit Ad Tracking: Whether the user’s “Limit Ad Tracking” or equivalent preference is enabled. If the user’s “Limit Ad Tracking” or equivalent preference is enabled, and if GDPR applies to that user, we will treat the user as not having consented, regardless of any other indication of consent.

  1. Ensure that your consent mechanism is built based on the requirements provided above.

  2. Check if the MoPub consent dialog can be shown, and simply call the methods provided in the respective Android/iOS/Unity guides to show the dialog.

    The consent dialog will not load if you attempt to call it for a user that MoPub has determined is outside of the European Economic Area, the United Kingdom, or Switzerland. Keep this in mind when testing if you have not opened the app for the first time in the European Economic Area, the United Kingdom, or Switzerland; or if you did not set ‘GDPR Applies’.

  3. Revoke the consent manually when applicable. This is an optional step if a publisher has a UI for it. The MoPub SDK will automatically detect when “Do Not Track” is enabled by users, and revoke the consent on your behalf.

Refer to the full integration details for each platform: Android, iOS, and Unity.

Beginning with MoPub SDK v5.1, publishers can determine when GDPR applies to the user, in addition to the MoPub SDK’s own determination of whether GDPR applies. SDK v5.0 does not currently support consent from users located outside of where we have determined GDPR applies, and you should not pass a consent state for users outside of these regions. If you pass a consent state for users that MoPub has determined are located outside of the European Economic Area, the United Kingdom, or Switzerland, MoPub will disregard the consent state, because the SDK will not treat GDPR as applying to users outside of these regions, and we will continue to process their personal data.

  1. Ensure that the consent mechanism is built based on the requirements provided above.

  2. Add links to your consent UI in MoPub’s vendor list and in the privacy policy URL.

  3. Grant or revoke consent manually by calling the relevant APIs. The API to grant consent manually is only available for publishers using their own consent mechanism. If you do not have approval to use your own custom consent, all consent will be treated as “no consent.”

    When you send GDPR Applies = ‘true’, MoPub will consider GDPR as applying to that user for the lifetime of that application, even if you change GDPR Applies to ‘false’ on the same user at a later date.

Refer to the full integration details for each platform: Android, iOS, and Unity.

Publishers using SDK 5.1+ can enable the consent mechanism outside EU regions by enabling the force GDPR applies flag (Android, iOS, Unity).

For publishers with MoPub SDK 5.1 and higher:

  • If the publisher is not using the forceGDPRApplies (Android) or forceGDPRApplicable (iOS, Unity) flag, consent is considered valid where isGDPRApplicable is true as defined by MoPub, as described here.

    If a publisher then starts using the forceGDPRApplies flag for a user not identified by MoPub as being subject to GDPR, our SDK will treat that user as subject to GDPR for the duration of the app lifetime.

  • If the publisher is using the forceGDPRApplies flag, consent is valid for users for whom the forceGDPRApplies (Android) or forceGDPRApplicable (iOS, Unity) flag is on.

    If, in a later update, the publisher decides that they no longer want to use the forceGDPRApplies flag, new users will be treated as subject to GDPR as determined by MoPub, and any existing users for whom the forceGDPRApplies flag was previously set will still be treated as subject to GDPR as defined by the publisher. This cannot be revoked by any means except app deletion and re-installation.

Ensure that you re-prompt the consent dialog to your users by checking the OS-relevant shouldShowConsentDialog in the following scenarios:

  • When new partners are added to the MoPub partner list.
  • If there are changes to the existing list.
  • If your users have not provided any consent yet by closing the consent dialog.

By adopting SDK 5.11+, publishers gain access to MoPub incremental consent, a solution that enables demand partners who joined MoPub after May 25, 2018, to show personalized ads to users where GDPR applies. MoPub plans to activate this solution on March 25, 2020. At this point, publishers who are using this SDK can collect incremental consent from all users.

Beginning March 25, 2020, when publishers call shouldShowConsentDialog, users will be prompted to give consent for the updated v1 vendor list. MoPub will maintain the consent status for any users who previously gave explicit consent for v0 of the vendor list until the user gives explicit consent for v1 of the vendor list. Consent for v1 of the vendor list includes the partners on v0 and the additional partners added to v1.

The consent dialog defaults to the user’s device language if it is set to Deutsch, English, Español, Français, Italiano, Nederlands, or Português. If the user’s device is not set to one of those seven languages, the dialog defaults to English.

Additionally, the user can select the dialog’s language. The links on the MoPub consent mechanism default to English until a later date. For more information on the consent dialog, see our FAQ.

Targeting

We have added an additional field for publisher partners who would like to share demographic data (for example, age or gender) or interests data for ad targeting. Publisher partners must send any demographic or interest-based targeting data in the fields designated for such data, as described in our technical documentation. Publisher partners must not include any personal data, including demographic or interest-based targeting data, in any fields intended for contextual targeting (that is, targeting based on the content of the app).

In MoPub SDK version 5.0, the userDataKeywords field is not sent in the ad request if GDPR is applicable and there is no explicit consent from the user.

For purposes of GDPR compliance, if you are not on SDK version 5.0+, do not target interest or demographic keywords in the European Economic Area, United Kingdom, and Switzerland.

Note that there are specific user data keywords that are prohibited from being sent to MoPub. Review the “Prohibition on Sensitive Personal Data” section of MoPub’s Publisher Partner Policies for more details.

Server-Side Rewarded Video

Publishers using Rewarded Video server-side setup must get the user’s consent for using #CUSTOMER_ID# macros.

MoPub Mediation

Supported SDK Networks

We obtain consent on behalf of supported mediation partners. We share the consent via adapters, and publishers must update the following:

MoPub does not obtain consent on behalf of Facebook, Inc. For networks on whose behalf we do not obtain consent, publishers must work directly with that network to understand their obligations for GDPR compliance.

JavaScript Networks

MoPub does not share explicit consent with JavaScript networks. Publishers should not insert MoPub macros that contain personal data, such as IFA and latitude and longitude, for users located in the European Economic Area, United Kingdom, or Switzerland.

Mediating MoPub Using External Mediation Platforms

MoPub collects its own consent and does not use consent from externally mediated partners like IronSource. Publishers must share their users’ explicit consent with the MoPub SDK directly using the integrations for Android, iOS, and Unity.

Legitimate Interest Support

SDK version 5.5.0 allows supported mediated networks and publishers to opt in to processing a user’s personal data on a legitimate interest basis when:

  • GDPR applies,
  • The user consent value is unknown, and
  • The publisher and supported advertising mediation partner have mutually agreed to rely upon legitimate interests as a legal basis for the processing of personal data for personalized advertising purposes. MoPub does not rely upon legitimate interests as a basis for processing personal data for personalized advertising purposes. For more details and requirements, use this documentation and the requirements listed in our SDK License Agreement and Partner Policies.

For integration details, refer to our iOS, Android, and Unity integration guides. Based on the legitimate interest opt-in flag and the user’s consent value, MoPub’s SDK shares whether the network can rely upon legitimate interest as a legal basis for the processing of personal data for personalized advertising purposes.

| Legitimate Interest flag | User’s consent value | Can networks collect user’s personal data? |
|---|---|---|
| Publisher set the LI flag to true | User consented yes | Yes |
| Publisher set the LI flag to true | User does not consent | No |
| Publisher set the LI flag to true | User consent value is unknown | Yes |
| Publisher set the LI flag to false | User consented yes | Yes |
| Publisher set the LI flag to false | User does not consent | No |
| Publisher set the LI flag to false | User consent value is unknown | No |

Refer to our Supported Mediation Partners page to find the ad networks and the adapter versions that support Legitimate Interest.
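
The consent rules described in this guide (sticky GDPR Applies, the Limit Ad Tracking override, the manual-grant restriction, vendor-list re-prompting, and the legitimate interest table above), combined into one model that can serve as a test oracle for an integration. This is an added example in Python, not MoPub SDK code; the class, method and status names are assumptions, as is suppressing the dialog while Limit Ad Tracking is on.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConsentModel:
    """Model of this guide's rules for one app install; not MoPub SDK code."""
    own_dialog_approved: bool = False   # publisher approved for a custom dialog
    gdpr_applies: bool = False          # sticky for the lifetime of the install
    consent: Optional[bool] = None      # None = no consent status obtained yet
    vendor_list: int = 0                # vendor list version the answer covers
    limit_ad_tracking: bool = False

    def set_gdpr_applies(self, value: bool) -> None:
        # Covers both MoPub's first-open detection and the publisher flag:
        # once true it stays true, even if 'false' is sent later.
        self.gdpr_applies = self.gdpr_applies or value

    def record(self, granted: bool, vendor_list: int, manual: bool = False) -> None:
        # A manual grant without approval is treated as "no consent";
        # a manual revoke is always honoured.
        if manual and granted and not self.own_dialog_approved:
            granted = False
        self.consent, self.vendor_list = granted, vendor_list

    def status(self) -> str:
        if not self.gdpr_applies:
            return "not_applicable"     # a passed consent state is disregarded
        if self.limit_ad_tracking:
            return "no"                 # overrides any other indication
        return {None: "unknown", True: "yes", False: "no"}[self.consent]

    def should_show_dialog(self, current_vendor_list: int) -> bool:
        # Assumption: no prompt while Limit Ad Tracking is on, since the
        # answer could not change the effective status.
        if not self.gdpr_applies or self.limit_ad_tracking:
            return False
        return self.consent is None or self.vendor_list < current_vendor_list

    def network_may_process(self, li_flag: bool) -> bool:
        # Legitimate interest table: only an unknown status depends on the flag.
        s = self.status()
        if s == "not_applicable":
            raise ValueError("the table covers users for whom GDPR applies")
        return s == "yes" or (s == "unknown" and li_flag)
```
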

Support for Older SDKs (MoPub SDK v.4.x and Older)

For users accessing an app on MoPub SDK v.4.x or older, we will only return contextual ads where GDPR Applies is true.

Last updated March 04, 2020

© 2020 MoPub (a division of Twitter, Inc.)