How to: Add Privacy and Consent to Your Application

A guide for configuring consent on your mobile applications

Who This Document Is For

This document is suitable for teams configuring consent for:

  • web applications

  • mobile applications incl. advertising SDKs

  • batch and ETL pipelines

Introduction

Ethyca unifies and manages consent for all defined purposes of processing across your business for which consent may need to be gathered.

This means that an end user of your systems can manage their consent preferences and you can ensure that this consent is respected by both internal and 3rd party systems that process your users data.

This article outlines how you can implement consent checking within your codebase and applies to Ethyca customers that build and maintain their own applications (both web and mobile applications) as well as data teams that have batch/ETL processes that may need to be aware of users consent.

How Ethyca Consent Works

Once Ethyca's Privacy Center is fully configured, your users and customers can manage their consent preferences directly from your Privacy Center (for information on how to configure your privacy center, please see this article).

38403840

As shown in the diagram above, you can check Ethyca's Services at any time to validate a users consent status and appropriate manage data flows throughout your systems.

When a user changes their consent for a processing activity, a record of this is stored in Ethyca against the user identity. This record of consent can be used in two ways:

  1. Suppressing or managing cookies and pixel data flow for events from the front end of your website. (for information on how to configure your pixel and cookie level consent with Ethyca, please see this article).

  2. Verifying users consent from your applications to ensure that you're correctly processing a users data. This article will walk step-by-step through how you can check your users current consent and ensure that your systems are appropriately processing user data.

Verifying Consent for your Users

Ethyca provides an endpoint to verify the current consent status for your users:

api.ethyca.com/consent/stats/usage

Or for a certain user, using the email param:

api.ethyca.com/consent/stats/usage?email={email}

Authentication for this endpoint requires an API Key which you can request from your Ethyca Customer Success Manager.

To call the consent status API, use your API Key as the Authorization header.

For example:

> curl --location --request GET 'api.ethyca.com/consent/stats/usage' \ --header 'Authorization: Mq908yefdhoasd+L22+pTr2OSDsdkfhgUDSP8rZnDIH98yfhdhis'

The response format of the consent status API will look like:

[   {      "subjectIdentity":"[email protected]",      "processingActivityName":"Data Sales",      "consented":false,      "created":"2020-08-03T23:19:25",      "lastUpdated":"2020-08-03T23:19:25"   },   {      "subjectIdentity":"[email protected]",      "processingActivityName":"Data Sales",      "consented":false,      "created":"2020-08-10T15:54:34",      "lastUpdated":"2020-08-10T15:54:34"   }]

For format of this is outlined below:

  • subjectIdentity: Is the identifier for the user.

  • processingActivityName: The name of the processing activity for which consent has been set. Processing Activity names are created and set from the Ethyca Control Panel by you.

  • consented: A boolean for the current status of the user related to this processing activity.

  • created: Time stamp for when the given processing activity was originally created.

  • lastUpdated: Time stamp for when the users consent was last updated for the given processing activity.

Once you have retrieved the users consent status, you can use this to appropriate route event, behavior or personal information through your internal systems. The following section outlines how this is carried out for various advertising platform SDKs that may require consent to be set.

Setting Consent for your Systems

The following section walks through consent flags that may need to be configured for your various ad platforms and associated SDKs.

If you don't see an integration, SDK or 3rd party platform that you require in this document, please contact your Ethyca Customer Success Manager who can provide any additional guidance on configuration.

AdMob

AdMob as part of Google's mobile SDK provides two components to setting consent:

  1. CCPA Consent
    Google's Mobile Ads SDK allows publishers to use either Google's RDP or IABUSPricacy_String to notify current status of consent for the user.

    Detailed documentation for this is available here:
    iOS SDK
    Android SDK
    Unity SDK

  2. European (GDPR & ePrivacy) Consent
    In order to ensure that you are managing consent adequately under both GDPR and the 2011 ePrivacy Directive, you will need to setup consent for each of the partners networks directly. Below is the documentation for this for each ad network:

The following list relates specifically to ad networks that may be integrated via AdMob. If you are using any of the following networks via their own SDK, please proceed directly to the section further down this document related to the integration in question

AdColony via Google AdMob

Android

iOS

AppLovin via Google AdMob

Android

iOS

Chartboost via Google AdMob

Android

iOS

Facebook via Google AdMob

Android

iOS

Fyber via Google AdMob

Android

iOS

InMobi via Google AdMob

Android

iOS

ironSource via Google AdMob

Android

iOS

MoPub via Google AdMob

Android

iOS

myTarget via Google AdMob

Android

iOS

Tapjoy via Google AdMob

Android

iOS

Unity Ads via Google AdMob

Android

iOS

Verizon via Google AdMob

Android

iOS

Vungle via Google AdMob

Android

iOS

Amazon A9 Mobile Ads Network

Amazon has basic support for consent signals to be sent to it and also makes recommendations that you can alternately decide to not send data to Amazon if you wish as a business. Official Amazon documentation is limited on this topic however you can explore their FAQ here.

AppsFlyer

AppsFlyer provides three methods to manage privacy:

  1. Opt-Out
    In extreme cases you might want to shut down all SDK data logging for legal or privacy compliance. This is done by setting the isStopped property.

    Detailed documentation for this is available here:
    iOS SDK
    Android SDK

  2. Anonymize User Data
    AppsFlyer provides you with a way to anonymize specific user identifiers in AppsFlyer analytics. This complies with the latest privacy requirements and with Facebook data and privacy policies.

    Detailed documentation for this is available here:
    iOS SDK
    Android SDK

  3. Exclude partners from getting data (best for GDPR/CCPA)
    As is most commonly required, if you need to stop sharing user-level data with ad networks/partners when the user has changed consent, such as for GDPR and CCPA, this method is most appropriate.

    Detailed documentation for this is available here:
    iOS SDK
    Android SDK

Branch

Branch provides the ability to disable user tracking directly through each of it's SDKs as outlined below:
iOS SDK

Android SDK

Fyber

Fyber provides comprehensive support for suppressing data flows for both GDPR and CCPA using the IAB privacy string as outlined below:
iOS SDK (GDPR)

Android SDK (GDPR)

iOS SDK (CCPA)

Android SDK (CCPA)

InMobi

InMobi has a consentDictionary which can be set for attributes related to GDPR and CCPA consent, please see see Step 2 Initializing the InMobi SDK and review the section related to setting and updating the General Data Protection User consent flag below:
iOS SDK
Android SDK

MobFox

MobFox allows consent flags to be set through mediation when it is loaded through another SDK, for example MobFox loaded through AdMob (see above), however, MobFox' own documentation does no provide clarity on how it adheres to consent support.
Please see documentation here for their references.

Please note that MobFox has inadequate privacy control documentation - we are attempting to work with MobFox team to resolve this and will update this document accordingly.

MoPub

MoPub provides a publisher owned consent mechanism for GDPR that is suitable for set consent status for most common privacy jurisdiction. Please note: the publisher owned consent mechanism requires MoPub approval from your MoPub account manager to enable this.

You can learn more about MoPub consent below:

iOS SDK

Android SDK

MyTarget

MyTarget provides a custom consent boolean that can be set across iOS and Android devices to ensure appropriate management of user data.
You can read about this here.

Smaato

Smaato provides support for both GDPR and CCPA within it's nextgen SDK for both iOS and Android. This supports IAB framework standards for TCF for consent.

You can read more about these here:

iOS SDK (GDPR)

Android SDK (GDPR)

iOS SDK (CCPA)

Android SDK (CCPA)

Technical Guide

Please visit each of the below support articles if your business manages pixels in any additional locations:

Support

Please contact [email protected] if you have any questions regarding implementation.