Publisher Privacy Settings
As a publisher, you are responsible for complying with all applicable regulations in the jurisdictions in which you operate. The Yahoo Mobile SDK provides a robust Privacy API that allows you to comply with these regulations.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is a regulatory framework designed to give people in the European Union more control over their data. Its requirements apply to any organization that processes the personal data of European Union (EU) residents. To learn more about Yahoo’s approach to privacy and data protection, visit the Yahoo Privacy Center.
The SDK initially assumes the user is in GDPR Jurisdiction until it has an opportunity to determine GDPR Jurisdiction based on the location of the IP address by performing a Geo IP Lookup. A Geo IP Lookup is performed after SDK initialization and every 24 hours while the application is running. In the unlikely event the cache has not been updated in 7 days, then the SDK will default to the user being in GDPR Jurisdiction. The publisher has the ability to override the GDPR Jurisdiction determined by the Geo IP Lookup by using GDPR Applies which establishes the user as being in GDPR Jurisdiction. When a user falls in GDPR Jurisdiction, the SDK does not transmit any user data in ad requests or bidding tokens unless the publisher overrides this using one of the GDPR Jurisdiction Overrides outlined in the following section.
If either Geo IP Lookup or GDPR Applies indicates that the user falls under GDPR Jurisdiction, then user data cannot be collected. This can be overridden by the publisher indicating they have “Legitimate Interest,” a “Contractual Agreement,” or “Consent” from the user. In this case the user data will be collected.
Geo IP Lookup
The SDK makes an effort to determine if the user of an application falls within GDPR Jurisdiction. It does so by performing a lookup of the device’s IP address to see if it falls in a country within GDPR jurisdiction. Prior to performing the Geo IP Lookup, the SDK considers the user to be in GDPR Jurisdiction. Once a successful Geo IP Lookup has been performed then the user is considered in or out of GDPR Jurisdiction based on the value returned by the Geo IP Lookup service.
The SDK provides a method that can be called by the publisher to explicitly indicate a user falls within GDPR Jurisdiction. This overrides the determination made by Geo IP Lookup. This is important in order to be compliant in scenarios where the publisher knows that the user falls within GDPR Jurisdiction while the device has an IP address that does not fall within GDPR Jurisdiction. An example would be when an EU citizen travels to the US. Once the publisher calls this method and indicates GDPR applies, then this state remains in place for the duration the app is running. It is not possible to unapply GDPR.
GDPR Jurisdiction Overrides
The SDK provides the following GDPR overrides which allow user data to be collected, sent to the server and used for targeting in cases where GDPR Jurisdiction applies. The SDK provides overrides to cover Contractual Agreements, Legitimate Interest, and for the case where the user has provided consent for collecting their user data.
GDPR Contractual Agreement
The SDK exposes a boolean property that defaults to FALSE which enforces data privacy restrictions for users where GDPR Jurisdiction applies. This can be set to TRUE by the publisher to indicate the publisher has a contract with Yahoo Inc allowing data to be sent irrespective of GDPR Jurisdiction. When set to TRUE, user data is collected and sent to the server for ad targeting. For example: If a publisher indicates that GDPR applies and indicates they have contractual agreement in place then user data will be collected and used in targeting.
GDPR Legitimate Interest
The SDK exposes a boolean property that defaults to FALSE which enforces data privacy restrictions for users where GDPR Jurisdiction applies. This can be set to TRUE by the publisher indicating the publisher has a “Legitimate Interest” as defined in the GDPR regulations. GDPR allows publishers having “Legitimate Interest” to collect and use user information. When set to TRUE, user data is collected and the data sent to the server for ad targeting.
GDPR User Consent
The SDK exposes a property that takes an “IAB Consent String” indicating the publisher has received consent from the end user to collect data. When this property is set by the publisher, user data is collected and sent to the server for ad targeting irrespective of GDPR Jurisdiction. By default, this property is not set, which enforces data privacy restrictions for users where GDPR Jurisdiction applies.
Yahoo’s services are fully compliant with the IAB’s GDPR Transparency and Consent Framework and the Yahoo Mobile SDK supports passing the GDPR Consent String along with the ad request. The publisher is responsible for obtaining the user’s consent. Once consent is obtained, the consent string can be passed to the SDK as shown below.
Please note that the Yahoo SSP will verify the format and validity of any EU Consent strings prior to processing any personal data. If consent cannot be verified, the SSP will drop any personal data contained in the request.
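The GDPR rules described in this section (fail-closed default, 7-day cache limit, one-way GDPR Applies, and the three overrides) can be modelled for use in a publisher's own tests. This is an added example, not Yahoo Mobile SDK code; the class, field and method names are hypothetical, and treating "not updated in 7 days" as strictly more than 7 days is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

GEO_MAX_AGE_SECONDS = 7 * 24 * 3600  # page: a cache not updated in 7 days is distrusted


@dataclass
class GdprState:
    """Hypothetical model of the rules above; not the SDK's classes or API."""
    geo_in_jurisdiction: Optional[bool] = None  # None = no successful lookup yet
    geo_checked_at: Optional[float] = None      # epoch seconds of last successful lookup
    gdpr_applies: bool = False                  # publisher declaration, one-way
    contractual_agreement: bool = False         # defaults to FALSE
    legitimate_interest: bool = False           # defaults to FALSE
    consent_string: Optional[str] = None        # IAB consent string, unset by default

    def apply_gdpr(self) -> None:
        # There is deliberately no inverse: GDPR cannot be unapplied.
        self.gdpr_applies = True

    def record_geo_lookup(self, in_jurisdiction: bool, now: float) -> None:
        self.geo_in_jurisdiction = in_jurisdiction
        self.geo_checked_at = now

    def in_jurisdiction(self, now: float) -> bool:
        if self.gdpr_applies:
            return True   # publisher declaration overrides Geo IP Lookup
        if self.geo_in_jurisdiction is None or self.geo_checked_at is None:
            return True   # before the first successful lookup: assume GDPR
        if now - self.geo_checked_at > GEO_MAX_AGE_SECONDS:
            return True   # stale cache: fall back to assuming GDPR
        return self.geo_in_jurisdiction

    def may_send_user_data(self, now: float) -> bool:
        # GDPR rules only; CCPA and COPPA signals are outside this model.
        if not self.in_jurisdiction(now):
            return True
        return (self.contractual_agreement
                or self.legitimate_interest
                or bool(self.consent_string))
```

The model does not reproduce the SSP-side check: a consent string that fails verification there still results in personal data being dropped.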
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) introduces data privacy rights for California consumers. To learn more about Yahoo’s approach to CCPA, we recommend this article on Yahoo’s Help Center.
The SDK supports CCPA compliance by providing signals to the SSP in the form of CCPA Consent and Apply CCPA. The SSP uses these signals for CCPA compliance. User data is still collected by the SDK and sent to the SSP irrespective of CCPA settings.
Publishers have two options for complying with the regulation:
Using the DAA’s Opt-Out tool. You can learn more about this tool here.
Obtaining consent from the user and setting the US Privacy consent string in the SDK. Once you have obtained the user’s consent, you can set the CCPA Consent.
By default the SDK assumes that the user does not fall under CCPA jurisdiction. The SDK exposes this method to allow the publisher to declare that the user falls under CCPA Jurisdiction. Note that you cannot unapply CCPA.
This property takes a “US Privacy string” as defined by the IAB. The SDK performs no validation to determine conformance to the IAB specification and accepts any non-empty string.
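Because the SDK accepts any non-empty string here, a publisher can check the value before setting it. The following is an added example, not part of the SDK: it parses the four-character version 1 US Privacy string defined by the IAB; the function names, the upper-casing of input, and the rule that rejects "1---" once CCPA has been applied are choices of this example.

```python
import re
from typing import NamedTuple, Optional

# IAB US Privacy string, version 1: "1" followed by three flags, each Y, N or "-"
#   [1] explicit notice / opportunity to opt out was given
#   [2] user opted out of sale
#   [3] LSPA covered transaction
_USP_V1 = re.compile(r"1[YN-]{3}")
_FLAG = {"Y": True, "N": False, "-": None}


class UsPrivacy(NamedTuple):
    version: int
    notice_given: Optional[bool]       # None means "-" (not applicable)
    opted_out_of_sale: Optional[bool]
    lspa_covered: Optional[bool]


def parse_us_privacy(raw: str) -> UsPrivacy:
    """Parse a version 1 US Privacy string or raise ValueError."""
    if not isinstance(raw, str):
        raise ValueError("US Privacy value must be a string")
    value = raw.upper()  # example's choice: accept lower-case input
    if not _USP_V1.fullmatch(value):
        raise ValueError(f"not a version 1 US Privacy string: {raw!r}")
    return UsPrivacy(1, _FLAG[value[1]], _FLAG[value[2]], _FLAG[value[3]])


def safe_to_pass(raw: str, ccpa_applied: bool) -> bool:
    """Gate to run before handing the string to the SDK's CCPA Consent property."""
    try:
        parsed = parse_us_privacy(raw)
    except ValueError:
        return False
    # "1---" says CCPA does not apply, which contradicts having applied CCPA.
    if ccpa_applied and parsed[1:] == (None, None, None):
        return False
    return True
```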
Children’s Online Privacy Protection Act (COPPA)
Children’s Online Privacy Protection Act (COPPA) helps ensure that child-directed apps or children in general are not exposed to inappropriate ads or ad targeting. By default, the user does not fall under COPPA. It is important to apply COPPA if the user is protected by COPPA to ensure legal compliance. To learn more about Yahoo’s approach to privacy and data protection, visit the Yahoo Privacy Center.
By default the SDK assumes that the user does not fall under COPPA, thus ads are not restricted according to COPPA guidelines. The SDK exposes a method that allows the publisher to declare that the user falls under COPPA and thus provides a signal on ad requests and to MRAID creatives indicating the user is protected under COPPA. This signals the server that ads returned must conform to COPPA guidelines. Additionally, MRAID 3.0 requires the “coppa” attribute of the window.MRAID_ENV object to be set to “TRUE” as outlined in the MRAID 3.0 Specification. This provides a signal to MRAID creatives that the user is protected by COPPA. Note that you cannot unapply COPPA.
Setting and Updating Privacy Settings
It is recommended that Privacy Settings be set after SDK initialization and prior to ad retrieval. Any changes to the settings will impact subsequent ad requests. Any ads that are retrieved prior to a change (including ads that may have been cached) are not impacted by changed settings and may not be in immediate compliance with the user’s status.