Prebid Mobile Guide to Privacy Regulation

Prebid Mobile Guide to European Ad Inventory and Providing Notice, Transparency and Choice (GDPR)

Framework APIs

Prebid Mobile provides API for app publishers to use with the Framework. This API allow you to:

  • Define whether the user is located in the European Economic Area (the “EEA”) and if European privacy regulations should apply
  • Set the IAB Europe (IAB) consent string

This information will be persisted by Prebid Mobile and will be added to each ad call to the demand partners.

Publishers/Consent Management Platforms (CMPs) are free to store these values in an UserDefaults/SharedPreferences interface (as defined by IAB Tech Lab - CMP API v2) instead of passing them via the new APIs, and Prebid SDK will read the values as a fallback. The consent API’s will check for TCF2.0 params -IABTCF_gdprApplies and IABTCF_TCString.

Publishers are responsible for providing notice, transparency and choice and collecting consent from their users in accordance with the Framework policies, either using their own CMP or working with a vendor.

All vendor SDKs (including mediation SDKs) are responsible for looking up approved vendor and consent information on their own.

Sending Device Information

To ensure proper monetization and relevant targeting, the SDK should be enabled to send the device information. Setting the consentRequired and purposeConsents flag correctly will help ensure proper device information is sent. The table below provides information on:

  • Determining whether the device details will be passed or not.
  • Describing the actions taken for the different purposeConsents values in combination with consentRequired values.
  deviceAccessConsent= true deviceAccessConsent= false deviceAccessConsent= undefined
consentRequired=false
(gdprApplies = false)
The SDK will read and pass IDFA/AAID info to server. The SDK will not read and pass IDFA/AAID info to server. The SDK will read and pass IDFA/AAID info to server.
consentRequired=true
(gdprApplies = true)
The SDK will read and pass IDFA/AAID info to server. The SDK will not read and pass IDFA/AAID info to server. The SDK will not read and pass IDFA/AAID info to server.
consentRequired=undefined
(gdprApplies = undefined)
The SDK will read and pass IDFA/AAID info to server. The SDK will not read and pass IDFA/AAID info to server. The SDK will read and pass IDFA/AAID info to server.

Code Samples

iOS

Targeting.shared.subjectToGDPR = false;

Targeting.shared.gdprConsentString = "BOMyQRvOMyQRvABABBAAABAAAAAAEA";

Targeting.shared.purposeConsents = "100000000000000000000000";

let deviceAccessConsent = Targeting.shared.getDeviceAccessConsent();

Android

TargetingParams.setSubjectToGDPR(context, true);

TargetingParams.setGDPRConsentString("BOMyQRvOMyQRvABABBAAABAAAAAAEA");
    
TargetingParams.setPurposeConsents("101010001");

California Consumer Privacy Act (CCPA)

Notice and Opt out signal

Prebid mobile supports the IAB US Privacy signal implementation for CCPA. Publishers will be required perform the following actions:

  • Collect notice and opt out signals from eligible CCPA users
  • Translate notice and opt-out signals into IAB US Privacy String format
  • Store IAB US Privacy signal in UserDefaults for iOS or SharedPreferences for Android for persistent storage allowing access for vendors per IAB recommendations

The job of the Prebid SDK will:

  • Read from UserDefaults (iOS) or SharedPreferences (Android) for US Privacy signal
    • Prebid SDK will look for the key IABUSPrivacy_String, all other key names or spellings will be ignored
    • If the IABUSPrivacy_String key is present with a non-empty string value, the Prebid SDK will relay the privacy string to Prebid Server in the regs.ext.us_privacy extention
  • Not perform or make any attempt to validate or ensure correctness of the US Privacy string
  • Not strip any user data or signaling of the request regardless of Notice and Opt out signal

It is worth noting Prebid Server will be a passthrough as well and will not validate format or correctness of US Privacy signal nor strip any user data from the request either, even if the presence of an opt out.