Privacy Settings (GDPR and COPPA)
Verizon is committed to ensuring our services comply with all regulatory laws and requirements. The Children’s Online Privacy Protection Act (COPPA) and the European Union’s General Data Protection Regulation (GDPR) are two such requirements that must be followed by all publishers that wish to serve ads in their applications. This guide explains how publishers can comply with these regulations.
Although the COPPA and GDPR settings can be set and changed at any time, it is recommended that they be initially set after SDK initialization and prior to ad retrieval. A changed setting only affects ads retrieved in subsequent ad requests. Ads that were retrieved and cached before the change are not affected by it, so they may serve content that does not conform to the new setting.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) setting is provided to help ensure that the ads returned are child-directed and conform to the COPPA regulations when the app or the user of the app falls under this protection. By default, COPPA is set to false, which indicates that the user does not fall under COPPA. It is important to set the value to true if the user falls under COPPA, to ensure the delivery of appropriate content.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a set of requirements designed to give people in Europe more control over their data. The requirements apply to any organization that processes the personal data of European Union (EU) residents. To learn more about Verizon’s approach to privacy and data protection, we recommend visiting Verizon and GDPR: Resources for our advertisers and publishers.
Publishers need user consent from EU users in order to serve personalized advertising based on information such as device advertising identifiers, location, and other personal data. To facilitate compliance with GDPR, the Verizon Ads SDK provides an API call that allows the publisher to pass both consent information and whether the user falls under GDPR jurisdiction. The setConsentData API takes two parameters: consentData, which contains information about the user’s consent permissions, and restrictedOrigin, which is used to identify users that fall under GDPR’s scope. If you do not call setConsentData, the SDK will assume that consent is required for your location and you are not within GDPR scope.
GDPR settings should be established after initialization and prior to making any ad requests. Setting consent data allows you to pass consent strings to back-end ad servers and to specify whether the user falls under GDPR restrictions.
Because every app’s user experience is different, the Verizon Ads SDK does not prompt for, nor provide a mechanism to prompt users to gather consent. Once consent has been obtained for the user, ConsentData should be set to ensure appropriate ad content is returned.
For users that have consented to the use of Verizon Media Group ad products for advertising personalization, the SDK provides a mechanism to pass that consent information in the form of a specially formatted consent string. It should be noted that the OATH SSP currently supports the IAB’s GDPR Transparency and Consent Framework. You can learn more about this consent string by visiting IAB’s GDPR Transparency and Consent Framework GitHub page.
ConsentData takes key-value pairs: the key denotes the consent format type and the value is the consent string itself. When setConsentData is called, the SDK will assume that the publisher has obtained consent from the user for Verizon ad products. It will then begin collecting and passing personal data. All ConsentData key-values are passed on ad requests. When the requests hit the server, the Verizon SSP will try to decode the contents of consentData and verify that consent has been legitimately obtained in a supported format. If consent cannot be verified, the Verizon SSP will drop any personal data contained in the ad request. By default, ConsentData is null/nil, which signifies that consent has not been provided.
For convenience, we have provided a constant for the IAB consent key. It is the responsibility of the publisher to translate the user’s consent information into the IAB consent format, which takes the form of a base64-encoded string, and set it as the value for the IAB consent key using setConsentData. The keys are IAB_CONSENT_KEY on Android and kVASConfigIABConsentKey on iOS.
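As an added example (not part of the Verizon Ads SDK or its documentation), the Python sketch below is a publisher-side sanity check that decodes the fixed header of an IAB consent string before it is handed to setConsentData, so that a malformed string is caught before the SSP fails to verify it. It assumes the IAB Transparency and Consent Framework v1.1 header layout; parse_consent_header, usable_consent and build_sample are hypothetical names, and the sample string is constructed.

```python
import base64

# TCF v1.1 header fields in wire order with bit widths (assumed from the IAB spec).
HEADER = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("language", 12),
          ("vendor_list_version", 12), ("purposes_allowed", 24), ("max_vendor_id", 16)]
HEADER_BITS = sum(width for _, width in HEADER)


def parse_consent_header(consent_string):
    """Decode the fixed v1 header; raise ValueError if the string is malformed."""
    padded = consent_string + "=" * (-len(consent_string) % 4)
    raw = base64.b64decode(padded, altchars=b"-_", validate=True)  # ValueError on bad input
    bits = "".join(f"{byte:08b}" for byte in raw)
    if len(bits) < HEADER_BITS or int(bits[:6], 2) != 1:
        raise ValueError("truncated or not a version 1 consent string")
    fields, pos = {}, 0
    for name, width in HEADER:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    # Language is two 6-bit letters (0 = 'a'); purpose 1 is the most significant bit.
    lang, mask = fields["language"], fields["purposes_allowed"]
    fields["language"] = chr(97 + (lang >> 6)) + chr(97 + (lang & 63))
    fields["purposes_allowed"] = [p for p in range(1, 25) if mask >> (24 - p) & 1]
    return fields


def usable_consent(consent_string):
    """Return the string if it parses, else None (the SDK's 'no consent' default)."""
    try:
        parse_consent_header(consent_string)
    except ValueError:
        return None
    return consent_string


def build_sample(created_ds, cmp_id, purposes):
    """Constructed sample input: encode a header-only v1 string from placeholder values."""
    mask = sum(1 << (24 - p) for p in purposes)
    values = [1, created_ds, created_ds, cmp_id, 1, 1, (4 << 6) | 13, 100, mask, 0]
    bits = "".join(f"{v:0{w}b}" for v, (_, w) in zip(values, HEADER))
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    sample = build_sample(15_000_000_000, 7, [1, 3])
    print(sample, parse_consent_header(sample))
```

The check only confirms that the string is well-formed; whether consent was legitimately obtained is still decided by the SSP when the ad request arrives.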
restrictedOrigin is used to indicate whether a user is in GDPR scope. If any of the following apply, the user is deemed to fall under GDPR regulations:
The user is currently located in the EU
The user has registered with the app as an EU resident
The app is specifically targeted to EU users
Although the Verizon Ads SDK will perform a geo IP lookup on startup, there are situations in which the SDK cannot determine from the IP address whether a user falls under GDPR jurisdiction (e.g. a registered EU user traveling outside of the EU). To ensure compliance, publishers should set restrictedOrigin prior to making ad requests, based on the criteria above. Setting restrictedOrigin to true restricts information about the user from being collected and sent over the network unless there is specific consent information which allows this.