Privacy laws compliancy

Smart is committed to ensuring that our services comply with the European Union’s General Data Protection Regulation (GDPR) and other regulatory frameworks. The publishers must make sure that an appropriate legal basis has been granted to collect and process the users’ personal data. To help the publishers provide the appropriate datapoints.

This page explains you how to comply with some of these legislations.

  1. Global Privacy Platform (GPP)
    1. Consent Management Provider (CMP)
    2. User and App Identifiers
    3. Location retrieval
  2. TCFv2 (GDPR EU)
    1. Consent Management Provider (CMP)
    2. Passing user's consent to Smart Instream SDK
    3. User and App Identifiers
    4. Note about TCF v1.1 support
  3. CCPA (California)
    1. Passing CCPA consent string to Smart Instream SDK
  4. iOS App Privacy Details
  5. Automatic location retrieval

Global Privacy Platform (GPP)

The Global Privacy Platform (GPP) is an IAB specification helping all stakeholders in digital advertising to support regional privacy regulations more easily. GPP streamlines the transmission of privacy and consent signals from sites and apps across jurisdictions to ad tech providers. You will find more information in our Help Center.

Since v7.21.0, the Smart Instream SDK handles both TCFEU2 and USP1 frameworks via GPP, and rely on them to handle User ID sharing and location retrieval. You will find more information below.

Consent Management Provider (CMP)

The first step to apply any consent framework handled by GPP is to collect the user's consent about the use of his personal data.

This can be done through a Consent Management Provider (CMP). A CMP is a technology interface (usually an SDK for Apps environment) permitting apps developers to provide transparency and obtain consent where necessary for themselves and/or on behalf of their chosen third parties and to transmit informations about which vendors and which purposes a user has consented to with vendors.

We recommend you integrate any CMP of your choice as long as it is compliant with IAB's framework and specifications since Smart Instream SDK will retrieve consent based on these specifications:

User and App Identifiers

As we are doing with TCFv2 compliancy since Smart Instream SDK 7.15.0, some identifiers won’t be sent in the ad call when Smart is not given the user’s consent retrieved by GPP. The identifiers are the UID, the IFA, the IFV, and the DNTID. This happens if any of the juridiction handled under GPP do not give the consent. As the Smart Instream SDK currently handles TCFEU2 and USP1 via GPP, if any of those reject the consent, the identifiers won't be sent.

Location retrieval

Since Smart Instream SDK 7.21.0, the location is not sent in the ad call when Smart is not given the user's consent retrieved by GPP. This happens if any of the juridiction handled under GPP do not give the consent. As the Smart Instream SDK currently handles TCFEU2 and USP1 via GPP, if any of those reject the consent, the identifiers won't be sent.

You will find more information about automatic location retrieval here.

TCFv2 (GDPR EU)

Under the GDPR, you must make certain disclosures to your users in the European Economic Area (EEA) and obtain their consent to use, where legally required, their personal data (such as AdID) to serve ads or process some analytics.

Interactive Adverstising Bureau (IAB) provides some tools to help you in this process. You might want to read more about how GDPR applies for advertising on iabeurope.eu/transparency-consent-framework.

Like for GPP CMP, we recommend you integrate any CMP of your choice as long as it is compliant with IAB's framework and specifications since Smart Instream SDK will retrieve consent based on these specifications:

Since the in-app environment is cookie-less, the TCF specifies the user’s shared preferences as the storage location for CMP data. From there, Smart Instream SDK retrieves the consent signals and pass them to the ad request. The GDPR consent string have to be stored in the SharedPreferences on Android and in the NSUserDefaults on iOS, both by using the key IABTCF_TCString. Our SDK will get the consent string directly from the SharedPreferences/NSUserDefaults with the official IAB key.

By using a CMP (compliant with the IAB specifications) you will have nothing to do. On the other hand, if you are using any other CMP that do not respect the IAB specifications, you will have to set the consent string in the SharedPreferences/NSUserDefaults manually.

By using the code below, you will set the consent string manually:


SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(getContext());
SharedPreferences.Editor editor = prefs.edit();
editor.putString("IABTCF_TCString", "yourCMPComputedConsentStringBase64format");
editor.apply();
      

NSString *myConsentString = @"yourCMPComputedConsentStringBase64format";
[[NSUserDefaults standardUserDefaults] setObject:myConsentString forKey:@"IABTCF_TCString"];
[[NSUserDefaults standardUserDefaults] synchronize];

Some third party mediation SDKs are not IAB compliant and do not rely on the consent string. Those SDK use, most of the time, a binary consent for the advertising purpose.

If you are using one or more of those SDK through Smart mediation, you can set this binary consent for all adapters at once by settings the String "1" (if the consent is granted), or "0" (if the consent is denied) in the SharedPreferences/NSUserDefaults for the key Smart_advertisingConsentStatus. 


SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(getContext());
SharedPreferences.Editor editor = prefs.edit();
editor.putString("Smart_advertisingConsentStatus", "1" or "0");
editor.apply();
      

NSString *advertisingBinaryConsentString = @"1" or @"0";
[[NSUserDefaults standardUserDefaults] setObject:myConsentString forKey:@"Smart_advertisingConsentStatus"];
[[NSUserDefaults standardUserDefaults] synchronize];

User and App identifiers

Since 7.15.0, the following identifiers won’t be sent in the ad call when Smart is not given the user’s consent: the UID, the IFA, the IFV, and the DNTID. This happens when gdprApplies=1 and there is no consent-string or when there is non-consent for the purposes Smart requires. You will find more information in our Help Center.

Note about TCF v1.1 support

The latest versions of do not support TCF v1 anymore.

CCPA (California)

The California Consumer Privacy Act (CCPA) is a privacy law applying to all residents of California (United States). It has been voted in 2018 and became effective in January 2020.

You can find more information about this law and how to comply with it in the dedicated IAB website.

As for GDPR, the IAB CCPA framework defines a consent string that will be obtained by a CMP and forwarded to all third parties by the SDK.

The CCPA consent string have to be stored in the SharedPreferences on Android and in the NSUserDefaults on iOS, both by using the key IABUSPrivacy_String. Our SDK will get the consent string directly from the SharedPreferences/ NSUserDefaults with the official IAB key.

By using a CMP (compliant with the IAB specifications) you will have nothing to do. On the other hand, if you are using any other CMP that do not respect the IAB specifications, you will have to set the consent string in the SharedPreferences/ NSUserDefaults manually.

By using the code below, you will set the consent string manually:


SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(getContext());
SharedPreferences.Editor editor = prefs.edit();
editor.putString("IABUSPrivacy_String", "1---");
editor.apply();
      

NSString *myConsentString = @"1---";
[[NSUserDefaults standardUserDefaults] setObject:myConsentString forKey:@"IABUSPrivacy_String"];
[[NSUserDefaults standardUserDefaults] synchronize];

iOS App Privacy details

Apple now requires you to disclose user data that your app is collecting, and the purpose of this collection. You will need to provide these information when submitting a new app or and app update starting December 8th, 2020.

Since the Smart Instream SDK collects some user data, you MUST declare in addition to the data collected by your app!

You can find more information about the data collected by the Smart Instream SDK and how to answer Apple's questions on dedicated page:


Automatic location retrieval

The Smart Instream SDK can automatically retrieve the user's location if it has already been collected by your app. This can be useful to increase your app advertising revenue.

Note that if your application is compliant with GPP, the location won't be sent in the ad call if the user does not give his consent. However, if your application is not GPP compliant, it is your responsability to ensure that you have proper user consent before using this automatic location feature and that your are compliant with the local laws and regulation.

You can find more information on how to enable automatic location retrieval in the integration documentation: