Making sure you’re compliant post-GDPR

Dear Publishers,

In the run-up to GDPR, we want to assure you that we are committed to ensuring that our solutions will provide our partners a seamless transition into GDPR compliance. This means that on the GDPR effective date, May 25th, publishers will be able to confidently continue to use  the ironSource solution, both as a network and mediation platform, and rest assured that we process user data in accordance with the parameters set out in the GDPR.

As part of that, we would like to share more details on our product timeline and how this fits in with industry standards and practices.

When and why you need consent

The bulk of mobile in-game video advertising today is based on techniques and methodologies that are considered by GDPR as ‘legitimate interest’ and therefore does not require user consent. However, some elements of advertising do require a specific consent from users. An example would be personalized ads, i.e. ads that were targeted to users based on a profile of their interests.

In cases where consent is required, the GDPR states that this consent should be communicated to users explicitly for each advertising party. Therefore, in order to legally leverage this kind of data and serve personalized ads, each and every demand source will need to independently collect informed and unambiguous consent from users – either directly or by proxy (such as from the publisher or its mediation solution).

What will happen on May 25th?

As of today, there is a rigorous debate in the industry regarding the most compliant way to collect, store and transmit user consent. On the effective date of GDPR, publishers working with us will have two options available:

  1. Not to request consent, in which case personalized ads for users who are subject to GDPR would be excluded
  2. To request consent from users themselves and transfer the consent parameter through API to the ad networks

 

For those of you who don’t want to collect consent yetthe ironSource solution – both the network and the mediation platform – is already built to ensure compliance with the GDPR.

  • On the network level, ironSource will serve your users who are subject to GDPR with ads that are non-personalized
  • On the mediation level, ironSource is working closely with all the networks to confirm that they too have the technical solution to address serving your users who are subject to GDPR with ads that are not personalized if no consent was provided. Nonetheless, we advise every publisher to reach out to their other networks to receive additional legal assurances

 

ironSource’s back office systems are already prepared to process users data according to GDPR. Therefore all publishers who are using ironSource’s SDK will automatically be GDPR-compliant come May 25th.

For those of you who would like to take responsibility for collecting consent yourselves, we are exposing a client-side API to allow publishers to pass consent to our network or mediation on behalf of their users, and we will process this user data accordingly. 

Due to a lack of standardization, each network has approached consent collection and management differently. ironSource’s commitment to providing its publishers with a single transparent interface for all networks via it’s mediation SDK API required us to develop unique and specific integrations for every possible implementation of each network.

Following is a list of SDK networks which have adapters for ironSource mediation, and their current status vis a vis GDPR.

Network Solution Comments Reference
AdColony Consent API https://www.adcolony.com/gdpr/
Vungle Consent API If consent is not requested, Vungle defaults to displaying  consent on its own
AppLovin Consent API https://www.applovin.com/gdprfaqs/
InMobi Consent API https://support.inmobi.com/monetize/faqs/migrating-to-sdk-710-gdpr-compliant/
Chartboost Consent API https://answers.chartboost.com/en-us/articles/115001489613
UnityAds Pending https://unity3d.com/legal/gdpr
MoPub Consent API https://www.mopub.com/resources/gdpr-faq/
AdMob Consent SDK https://support.google.com/admob/answer/7666366
Tapjoy Pending
Facebook Do not require consent Facebook manages users on its own. Please advise with your Facebook representative for official information. https://www.facebook.com/business/gdpr
HyprMX Pending
MediaBrix Do not support consent Publisher should not target this network for users who are subject for GDPR
Maio Do not support consent Publisher should not target this network for users who are subject for GDPR
Fyber Pending https://www.fyber.com/legal/gdpr-faqs/
Server Side Sources Consent Macro Work In Process

Mapping of consent integrated adapters versions per network (Relevant only once using ironSource SDK V6.7.9 and above):

Network Earliest consent support adapter version
iOS Android Unity
AdMob 4.1.4 (SDK 7.28) 4.1.6 (SDK 12.0.1) 4.1.5
AppLovin 4.1.4 (SDK 5.0.1) 4.1.4 (SDK 8.0.1) 4.1.4
Chartboost 4.1.2 (SDK 7.2.0) 4.1.2 (SDK 7.2.0) 4.1.3
InMobi 4.1.3 (SDK 7.1.1) 4.1.3 (SDK 7.1.0) 4.1.2
UnityAds 4.1.1 (SDK 2.1.1) 4.1.1 (SDK 2.1.1) 4.1.1
Vungle 4.1.5 (SDK 6.2.0) ETA – TBD ETA – TBD
TapJoy 4.1.1 (SDK 11.12.2) 4.1.1 (SDK11.12.2)
4.1.1
MoPub 4.1.2 – (SDK 5.2.0) 4.1.3 – (SDK 5.2.0) ETA – TBD
AdColony 4.1.2 (SDK 3.3.4) 4.1.2 (SDK 3.3.4) 4.1.2 (SDK 3.3.4)
Facebook All versions
Maio All versions
MediaBrix All versions

A long-term solution

Publishers should keep in mind that industry bodies like the IAB Europe released their mobile in-app draft specification with some initial recommendations only on May 2nd. The larger question of how to collect consent in cases where consent is needed  is still very much a work in progress.

In addition to the two options that will be available on May 25th 2018, ironSource’s goal is to develop a consent management solution that we will provide as a third option, which is not only maximally compliant, but is also based on specifications and guidelines which the majority of the industry agrees on, and which will hold true for the long-term. This will avoid any potential legal liability risks which may arise with temporary consent solutions.

With respect to the above, ironSource’s consent management solution aims to follow the IAB specification to allow publishers the following:

  • The ability to swap between different mediation solutions without needing to re-collect consent from its users
  • The full flexibility to use ironSource’s solution as a one-stop-shop or alternatively to use external third party vendors (CMPs) to collect consent on behalf of the publisher

 

So what’s next?

  • May 3rd: ironSource established a working group to draft a consent solution based on the IAB Europe’s initial specification released on May 2nd
  • May 10th 2018: ironSource will release a new SDK version to expose an API for publishers to pass consent data to it’s mediation platform and network
  • May 17th 2018: ironSource mediation will update adapters for all ad networks who have already released an SDK that supports a consent API (this process will continue ad hoc as more networks release updated SDKs)
  • May 20th 2018: ironSource working group will complete a first draft for consent collection, and share it with publishers and networks
  • May 25th 2018: EU’s GDPR goes into effect
  • June 2nd 2018: IAB comment period closes