ironSource CCPA compliance

With the California Consumer Privacy Act (known as the CCPA) now in effect, we would like to share information on how ironSource Mobile (ironSource) complies with the CCPA, and what our partners need to do to be compliant with the CCPA when working with ironSource. This article is for informational purposes only; for legal advice, you should consult with your legal counsel.

ironSource network and the CCPA

ironSource does not sell personal information to third parties

ironSource does not engage in buying or selling of end-user information to or from third parties, such as data brokers and other data aggregators. However, as the definition of “sale” under the CCPA is very broad, ironSource will use personal information about end users designated in our system as “do not sell” only as a “service provider”, and for permitted “business purposes” such as fraud prevention and frequency capping. With respect to such end users, we will disable (by default) any external DSPs, SSPs, and other external ad providers, unless such third parties can serve contextual ads without receiving any personal information. We will still send personal information to attribution companies (e.g., Appsflyer, Singular, and Adjust) for the purpose of ensuring that the publisher and ironSource receive payment for ads served to end users, frequency capping, fraud detection and prevention.

Will ironSource network support receipt of “do not sell” requests? 

Our technical and compliance teams have released an API that allows publishers to communicate an end user specific “do not sell” request, which is available from SDK version 6.14.0. Publishers who have implemented this SDK version can choose to restrict data processing for end users located in California (based on the device’s IP address) either by selectively applying “do not sell” settings and communicating the end user’s choice to ironSource, or by applying a “do not sell” restriction to all the relevant end users of an application through the publisher dashboard. 

  • For applications uploaded to ironSource before January 1, 2020:
    Applications uploaded to ironSource before January 1, 2020 will by default apply a “do not sell” restriction to all the relevant end users of the application. This can be revised by the publisher upon implementation of SDK version 6.14.0+ and acceptance of the applicable Terms and Conditions, followed by clicking to remove the flag in the dashboard.
  • For applications uploaded to ironSource after January 1, 2020:
    For applications uploaded to ironSource after January 1st, 2020 (subject to implementation of the  applicable SDK version(s) and acceptance of the updated T&Cs), the publisher may choose to restrict data processing for end users located in California (based on the device’s IP address) either by selectively applying “do not sell” settings and communicating the end user’s choice to ironSource, or by applying a “do not sell” restriction to all the relevant end users of the application through the publisher’s dashboard.

Learn how to use the CCPA SDK functionality

Android

iOS

Unity

ironSource supports receipt of access and deletion requests

Follow the instructions to submit access and deletion requests to ironSource.  

Will ironSource surface its own “opt out” UI? 

Our experience complying with other privacy laws has shown that most of our partners prefer to have their own user choices UI. In addition, adoption of third-party UIs for users’ choices among game developers is generally low, so ironSource won’t surface our own UI at this time. However, we are monitoring trends and partner requests, so this decision may change in the future.

ironSource mediation and the CCPA

ironSource SDK introduced a client-side API to allow publishers to pass “do not sell” requests under the CCPA to ironSource mediation on behalf of their users. ironSource will share “do not sell” requests with relevant networks who support the API accordingly. 

Below is a list of SDK networks which are currently support the API: 

Additional CCPA SupportThe following networks allow to report CCPA to the network directly, and are not supported as part of the ‘do-not-sell’ API.

Network Supported adapter version
  iOS Android Unity
ironSource 6.14.0 (SDK) 6.14.0 (SDK) 6.14.0 (SDK)
AdMob 4.3.10  (SDK 6.15.0.1) 4.3.8  (SDK 6.15.0.1) 4.3.11 (SDK 6.15.0.1)
Amazon 4.3.3   (SDK 6.15.0.1) 4.3.1  (SDK 6.15.0.1) 4.3.3   (SDK 6.15.0.1)
AppLovin 4.3.9   (SDK 6.14.0) 4.3.8  (SDK 6.14.0) 4.3.10 (SDK 6.14.0)
Fyber 4.3.4  (SDK 6.15.0.1) 4.3.3  (SDK 6.15.0.1) 4.3.4   (SDK 6.15.0.1)
Tapjoy 4.1.12  (SDK 6.17.0) 4.1.12  (SDK 6.17.0) 4.1.16   (SDK 6.17.1)
UnityAds 4.3.0  (SDK 6.15.0) 4.3.0  (SDK 6.15.0) 4.3.0   (SDK 6.15.0)
Vungle 4.3.2  (SDK 6.17.0) 4.3.2  (SDK 6.17.0) 4.3.3   (SDK 6.17.1)


Additional CCPA Support

The following networks allow to report CCPA to the network directly, and are not supported as part of the ‘do-not-sell’ API.

iOS Android Unity
Facebook Audience Network
Adapter & SDK Version 4.3.17  (SDK 6.17.0) 4.3.18 (SDK 6.17.0) 4.3.24  (SDK 6.17.0)
Solution  Set the Limited Data Use flag before initializing the ironSource Mediation. 

Important! It is recommended that publishers work directly with their own legal and professional advisors to determine exactly how CCPA or any other laws/regulations may or may not apply to them. The above information is solely intended to help facilitate compliance when working with ironSource, and should not be construed as legal advice.