The European Union’s implementation date for the General Data Protection Regulation, May 25, 2018, will be here before you know it. Our team is eager to help our publishers with compliance and cover the most probable scenarios.
While we are putting the finishing touches on our GDPR-friendly SDK version, we collect the most frequently asked questions so that everyone can make sure they’re on the right path. Check out our Q&A and feel free to ask more questions in the comments and download the updated SDK 2.4 with a GDPR component.
Keep in mind, please, that even though we are always ready to assist you and share as much information on GDPR as we can, we’re still not authorized to provide any legal advice. It’s important to address your questions to lawyers who work specifically in this area.
Q: What user-identifiable data is tracked by Appodeal?
We collect 4 categories of data:
- Device data — such as screen size, IP address, location (latitude and longitude), battery charge level, time zone, etc.
- We also collect app data, such as Bundle ID, store URL, session length, session ID.
- Ad data: impression count per session, click count, finish count, total impression count.
- User data (only when it’s passed by the publisher): gender, age, relationship status, interests.
Q: Will Appodeal collect consent from end users?
Since Appodeal isn’t the first party to speak to end-users, we require our publishers to request consent for us. You, as a publisher, have to pass a value of the consent to our SDK using a consent parameter in initialize() method.
Q: Do I have to request consent only from EU users?
Officially, you’re only required to collect user consent within EEA, Switzerland and the UK. However, as global privacy laws are gradually changing as well, we recommend requesting consent from all users at once, irrespective of where they are located. For example, that will exclude a possible mistake of not collecting consent from EU residents who happen to be on vacation elsewhere.
Q: SDK will automatically detect user’s location in the EU and present a consent dialog. Is that correct?
Not exactly. We understand that a publisher may be using more than just Appodeal for their services, and collecting 10 or 20 separate consent results would simply ruin user experience. Therefore, our SDK will not send a consent dialog but will collect the consent answer given by an end user and send it back to Appodeal. We have shared this information as well as consent examples in our blog post.
Q: Should the consent dialog list all the third-party networks that Appodeal shares information with?
Q: Will the consent dialog have to be re-displayed when new ad networks are added?
No. You don’t have to display the consent dialog again when Appodeal adds new partners. We will simply update the list on our website. However, if you add or change partners you are working with, make sure that you update this information on your website.
Q: Is there any way for a user to request their personally identifiable data to be removed from Appodeal and integrated ad networks?
Q: Should the consent dialog disclose the purpose of collecting data?
We recommend including this information.
Q: Should the consent dialog inform a user about how long their data will be saved for?
No, it is not required to include that information.
Q: Should the consent dialog match users’ language?
We recommend displaying the dialog in the main language of the app.
Q: How long is data held for (by Appodeal and integrated ad networks)?
GDPR states that personal data must be kept “no longer than is necessary for the purposes for which the personal data are processed” [Art.5(1)(e)]. This implies that there is a time limit on how long customers’ data can be kept.
For how long Appodeal keeps such data varies depending on the service. If a customer has an account, then we need to keep the customer’s information for as long as the account is active. We also need a considerable amount of time for compliance purposes (e.g., outstanding payments, sales, and marketing efforts, answering questions). For services where we are the processor, we keep the data according to the instructions we’ve received from the Controllers.
In case we receive a request to delete data from a data subject, we will do so within 30 days.
Q: When will the SDK be available for testing?
We are currently finalizing the last arrangements and making sure it’s stable. It should be released within a week (ETA May 18).
Q: It sounds like the SDK won’t contain a consent dialog to introduce to users, instead we need to develop one on our own. After we do that, we call an API in the SDK stating that we received consent. Is that correct?
Correct. You need to pass a value of the consent to our SDK using a consent parameter in initialize() method.
Q: If one of my users contacts Appodeal and demands removal of their PII, how will you respond and how will you identify that particular user in your system?
Q: If a user asks us to delete their PII, how exactly do we do that? I mean if we don’t gather any information in the app, besides what Appodeal and ad networks gather, how will we forward a request from our user to Appodeal and associated ad networks to delete their PII? How will we even identify that user? By advertising id or IP address?
Q: To get consent from EU users only, I check the IP address and determine the Country Code, then check the country code in the EU list of Countries which I believe are the following: “BE”, “EL”, “LT”, “PT”, “BG”, “ES”, “LU”, “RO”, “CZ”, “FR”, “HU”, “SI”, “DK”, “HR”, “MT”, “SK”, “DE”, “IT”, “NL”, “FI”, “EE”, “CY”, “AT”, “SE”, “IE”, “LV”, “PL”, “UK”, “CH”, “NO”, “IS”, “LI”? Admob will have this built into their SDK. I was hoping Appodeal would expose a method like this as well.
We’re not planning on implementing such functionality so far, but we’ll definitely consider it for the next releases.
Q: Will the flag ConsentState.NOT_EEA and all the other be accessible in the Corona plugin too?
It depends on the Google implementation, we’re still waiting for their solution.
Q: Will you have consent demos for Unity and Corona?
Yes, we’re working on it.
Q: Is it possible to use Google’s Consent SDK instead of yours?
Yes, you can do that as long as you collect consent and pass the value of obtained consent to our SDK.
Q: I understand that user consent should be stored server side, along with the consent message. Your samples are storing user choice locally on a device only, right?
We send the consent value locally and on our server side. As the consent window will be implemented by a publisher, we’ll have no access to the text displayed.
Q: Can you give an example on how to pass the consent to the iOS SDK?
You will find an example in the documentation for the new SDK version 2.4.
We’re doing our best to ride out these changes together with you and we highly appreciate your care and assistance. To learn more about GDPR, please visit our website section where you can find several articles and a webinar recording.