GDPR Publisher Integration Guide

MoPub is committed to ensuring that our services comply with the European Union’s General Data Protection Regulation (GDPR). Use this guide to ensure that you are compliant with MoPub’s GDPR solution.

By default, the updated MoPub SDK obtains consent from users located in the European Economic Area, the United Kingdom, and Switzerland for the processing of personal data by MoPub and our partners (including advertising demand partners, supported advertising mediation partners, data partners, and fraud and measurement partners) for personalized advertising purposes. Select publisher partners may be allowed to obtain consent on behalf of MoPub and our partners through their own consent solution if they agree to additional terms. Please note that MoPub does not support the IAB’s Transparency and Control Framework (TCF) 1.0 or 2.0

In this article:

Become Compliant with MoPub’s Approach to GDPR

  1. Initialize the MoPub SDK by following the instructions for Android, iOS, or Unity. This is now a requirement for all publishers using MoPub; this API is essential for initializing the GDPR consent mechanism.

  2. Check whether you should show the consent dialog based on the following three factors:

    • Does GDPR apply? If our SDK detects that a user opened a given application for the first time in the European Economic Area, United Kingdom, or Switzerland, as determined by the user’s truncated IP address, MoPub considers that GDPR applies to that user for the lifetime of that application, meaning that MoPub requires the user’s consent before serving personalized ads.

      Beginning with MoPub SDK v5.1, you, the publisher, can determine additional cases where GDPR applies by using the “Force GDPR Applies” flag.

    • Have we already obtained consent? Whether we previously obtained a consent status for the user.

    • Has the user chosen to limit ad tracking? If the user’s Limit Ad Tracking or equivalent preference is enabled, and if GDPR applies to that user, we will treat the user as not having consented, regardless of any other indication of consent.

  3. If these three factors indicate that you should show the consent dialog, load and show it to your users, following the implementation instructions below.

Most publishers use the MoPub-owned consent mechanism. Implement it as follows:

  1. Ensure that your consent mechanism is built following the three factors listed above.

  2. Check if the MoPub consent dialog can be shown, and simply call the methods provided in the respective Android, iOS, or Unity guide to show the dialog.

    The consent dialog will not load if you call it for a user that MoPub has determined is outside of the European Economic Area, the United Kingdom, or Switzerland. Keep this in mind when you are testing if the first time the app was opened was not in the European Economic Area, the United Kingdom, or Switzerland; or if you did not set GDPR Applies to ‘true’.

  3. Revoke the consent manually when applicable. This is an optional step if a you have a UI for it. The MoPub SDK automatically detects when the user has enabled Do Not Track, and revokes the consent on your behalf.

Refer to the complete GDPR integration article for each platform: Android, iOS, and Unity.

  1. Ensure that the consent mechanism is built based on the requirements provided above.

  2. Add links to MoPub’s vendor list and privacy policy URL to your consent UI.

  3. Grant or revoke consent manually by calling the relevant APIs. The API to grant consent manually is only available for publishers using their own consent mechanism. If you do not have approval to use your own custom consent, all consent will be treated as “no consent.”

    When you send GDPR Applies = ‘true’, MoPub will consider GDPR as applying to that user for the lifetime of that application, even if you change GDPR Applies to ‘false’ on the same user at a later date.

Refer to the full integration details for each platform: Android, iOS, and Unity.

Publishers using MoPub SDK v5.1+ can enable the consent mechanism outside EU regions by enabling the “Force GDPR Applies” flag (Android, iOS, Unity), which forces users whom our SDK does not determine to be GDPR-applicable to be treated as GDPR-applicable.

In contrast, MoPub SDK v5.0 only presents the consent mechanism in cases where our SDK has determined that GDPR applies, so you should not pass a consent state for users outside of these regions. If you are on this version of our SDK and you do pass a consent state for users outside of the MoPub-designated set (those located outside of the European Economic Area, the United Kingdom, or Switzerland), MoPub will disregard the consent state. The 5.0 version of our SDK will not consider GDPR applicable to users outside of these regions, and we will continue to process their personal data.

For publishers with MoPub SDK 5.1 and higher:

  • If the publisher is not using the forceGDPRApplies (Android) or forceGDPRApplicable (iOS, Unity) flag, consent is considered valid where isGDPRApplicable is true as defined by the MoPub SDK, as described here.

    If a publisher then starts using the “Force GDPR Applies” flag for a user who was not identified by MoPub as being subject to GDPR, our SDK will treat that user as subject to GDPR for the duration of the app’s lifetime.

  • If the publisher is using the “Force GDPR Applies” flag, consent is valid for users for whom the forceGDPRApplies (Android) or forceGDPRApplicable (iOS, Unity) flag is on.

    If, in a later update, the publisher decides that they no longer want to use the “Force GDPR Applies” flag, new users will be treated as subject to GDPR as determined by MoPub, and any existing users for whom the forceGDPRApplies flag was previously set will still be treated as subject to GDPR as defined by publisher. This cannot be revoked by any means except with app deletion and re-installation.

Ensure that you re-prompt the consent dialog to your users by checking the OS-relevant shouldShowConsentDialog in the following scenarios:

  • When new partners are added to the MoPub partner list.
  • If there are changes to the existing list.
  • If your users have not provided any consent yet by closing the consent dialog.

By adopting 5.11+ SDK, publishers gain access to MoPub incremental consent, a solution that enables demand partners who joined MoPub after May 25, 2018, to show personalized ads to users where GDPR applies. MoPub plans to activate this solution on March 25, 2020. At this point, publishers who are using this SDK can collect incremental consent from all users.

Beginning March 25, 2020, when publishers call shouldShowConsentDialog, users will be prompted to give consent for the updated v1 vendor list. MoPub will maintain the consent status for any users who previously gave explicit consent for v0 of the vendor list until the user gives explicit consent for v1 of the vendor list. Consent for v1 of the vendor list includes the partners on v0 and the additional partners added to v1.

The consent dialog defaults to the user’s device language if it is set to Deutsch, English, Español, Français, Italiano, Nederlands, or Português. If the user’s device is not set to one of those seven languages, the dialog defaults to English.

Additionally, the user can select the dialog’s language. The links on the MoPub consent mechanism default to English until a later date. For more information on the consent dialog, see our FAQ.

Targeting

We have added an additional field for publisher partners who would like to share demographic data (for example, age or gender) or interests data for ad targeting. Publisher partners must send any demographic or interest-based targeting data in the fields designated for such data, as described in our technical documentation. Publisher partners must not include any personal data, including demographic or interest-based targeting data, in any fields intended for contextual targeting (that is, targeting based on the content of the app).

Starting with MoPub SDK v5.0, the userDataKeywords field is not sent in the ad request if GDPR is applicable and if there is no explicit consent from user.

For purposes of GDPR compliance, if you are not on SDK version 5.0+, do not target interest or demographic keywords in the European Economic Area, United Kingdom, and Switzerland.

Note that there are specific user data keywords that are prohibited from being sent to MoPub. Review the “Prohibition on Sensitive Personal Data” section of MoPub’s Publisher Partner Policies for more details.

Server-Side Rewarded Video

Publishers using the Rewarded Video server-side setup must get the user’s consent for using #CUSTOMER_ID# macros. Without the user’s consent, the #CUSTOMER_ID# is not passed server-side.

MoPub Mediation

JavaScript Networks

MoPub does not share explicit consent with JavaScript networks. Publishers should not insert MoPub macros that contain personal data, such as IFA and latitude and longitude, for users located in the European Economic Area, United Kingdom, or Switzerland.

Mediating MoPub Using External Mediation Platforms

MoPub collects its own consent and does not use consent from externally mediated partners like IronSource. Publishers must share their user’s explicit consent with the MoPub SDK directly using the integrations for Android, iOS, Unity.

Legitimate Interest Support

SDK version 5.5.0 allows supported mediated networks and publishers to opt in to process a user’s personal data based on legitimate interest basis when:

  • GDPR applies,
  • The user consent value is unknown, and
  • The publisher and supported advertising mediation partner have mutually agreed to rely upon legitimate interests as a legal basis for the processing of personal data for personalized advertising purposes. MoPub does not rely upon legitimate interests as a basis for processing personal data for personalized advertising purposes. For more details and requirements, use this documentation and the requirements listed in our SDK License Agreement and Partner Policies.

For integration details, refer to our iOS, Android, Unity integration guides. Based on the legitimate interest opt-in flag and user’s consent value, MoPub’s SDK shares whether the network can rely upon legitimate interest as a legal basis for the processing of personal data for personalized advertising purposes.

Legitimate Interest flag User’s consent value Can networks collect user’s personal data?
Publisher set the LI flag to true User consented yes Yes
Publisher set the LI flag to true User does not consent No
Publisher set the LI flag to true User consent value is unknown Yes
Publisher set the LI flag to false User consented yes Yes
Publisher set the LI flag to false User does not consent No
Publisher set the LI flag to false User consent value is unknown No

Refer to our Supported Mediation Partners page to find the ad networks and the adapter versions that support Legitimate Interest.

Support for Older SDKs (MoPub SDK v.4.x and Older)

For users accessing an app using MoPub SDK v.4.x or older, we only return contextual ads where “GDPR Applies” is true.

Last updated November 18, 2020

TWITTER, MOPUB, and the Bird logo are trademarks of Twitter, Inc. or its affiliates. All third party logos and trademarks included are the property of their respective owners.

© 2020 MoPub (a division of Twitter, Inc.)