GDPR related AddApptr SDK updates

A. General Information

As you all know, the new GDPR regulations will come into effect May 25th 2018. AddApptr has analyzed the effects of GDPR for app publishers and already communicated several times to all AddApptr customers.

However, as many ad networks come up with last minute changes and adjustments, there can be no single right way to manage GDPR right now. Throughout the upcoming weeks, there might be several SDK updates or adjustments of the terms and conditions.

AddApptr is in permanent contact with all ad networks, working closely with them to make the transition into the GDPR era as smooth as possible.

One of the basic principles of GDPR is that users have to give their consent, allowing use of their data for personalization of advertising. Please note that the question is not if users will receive ads or no ads. The question is if these ads will be personalized (for example, by knowing the IDFA of the user, and any data attached to that) or if it will be unpersonalized ads, showing the user advertising not adjusted to their interest / behavior. In most cases, personalized ads will reach much higher CPMs than unpersonalized ads.

Many ad networks are now releasing new SDKs, with a new feature called „Consent API“. Via this API, apps (and AddApptr) will pass the consent settings through to the ad networks, so that they know if to show personalized or unpersonalized ads.

To accommodate this, AddApptr will also release a new SDK with the Consent API feature very soon. Please update your apps a soon as possible, in order to be GDPR compliant, and also to minimize any risk of reduced advertising revenues.

B. How to obtain user consent

As mentioned above, it is critical to obtain user consent for displaying personalized ads. There is no clear guidance on what process to use for that step right now. The publisher is free to choose how to obtain consent. There are a few ad networks requiring a certain consent dialogue, but these are only a very small number.

In regards to ad revenues, having user consent is the best scenario, having users disagree to receiving personalized ads will lead to potentially lower ad revenues.

After many discussions with large publishers, ad networks and industry experts, we would recommend the following options / steps to be GDPR compliant as a publisher: 

1.    Some of the largest app publishers require user consent in order to be able to continue using the app. So either users give consent, or they won’t be able to use the app anymore. Some of the world’s largest apps go this way. Most of these apps are free, and make revenues via advertising, so they have a strong interest and reason to go this way.

2.    Other publishers place the consent notice in their terms and conditions and in the app store descriptions of their apps. This text should mention that if users install the app, they agree to have data used in order to display personalized ads. The text should also include a link to the publisher’s privacy policy.

3.    In order to get consent from existing users, publisher’s could include a similar text in a release notice with a new app update.

4.    Legally, it is not sure yet, if the usage of a “Consent Dialogue” to obtain user’s consent upon the first app start is required by GDPR. Only a very small number of ad networks require the usage of their own consent dialogue.

We strongly recommend, to persist the once given consent in the app and not ask the user every time again upon app start.

It is very important to offer the user a way to opt-out of a given consent. This is a requirement by GDPR. The app has to provide a way to opt-out. In order to achieve this, the app has to pass the respective information to the below mentioned AddApptr API.

Please note that AddApptr cannot give you legal advice. We are trying to communicate GDPR approaches we see from large players in the market. We will do our very best to update you as soon as we see best practices in the market. After GDPR coming into effect, it will take a while to identify industry standards though. Until then, each publisher will have to go with their on efforts to achieve GDPR compliance.

It is in the industry’s interest to build trust and make users feel comfortable with giving their consent. So let’s work together in that direction and try to communicate the implications of GDPR to the users in the right way.

Again, please make sure that in any communication to users you stress the fact that it’s not a decision between advertising and no advertising. The consent will only determine whether advertising is personalized and targeted to the user’s interests, or whether advertising will be un-personalized.

C. Please find below some further information about the Consent API:

1. Current and old AddApptr SDKs (no consent API):

normal usage (mostly personalized ads, some ad networks will deliver only unpersonalized ads to their old SDKs).

2. Using the new AddApptr SDK (with consent API)

We’ll soon provide a new version of our SDK containing the newest SDKs of many ad networks. This SDK will provide new properties for the initialization of the AATKit called „consentRequired“ and „simpleConsent“, that you should set when initializing it.

These properties will get mapped to the different consent APIs, that ad network SDKs provide.

Please find below additional information about the different settings:

2.1 consent required and obtained

When the user consent is required and you’ve got consent of the user to using personalized ads, please set consentRequired = true and simpleConsent = obtained.

Effect on ad networks:

- with consent API: personalized ads activated / GDPR consent given

- without consent API: normal usage (mostly: personalized ads)

2.2 consent required but withheld

When the user consent is required and your user disagrees on using personalized ads, please set consentRequired = true and simpleConsent = withheld.

Effect on ad networks:

- with consent API: personalized ads disabled / GDPR consent disapproved

- without consent API: these ad networks are deactivated, hence not used at all, since they usually provide personalized ads

2.3 consent not required 

When you’ve determined, that any law regarding personalized ads (e.g. GDPR) is not applicable for a certain user, please set consentRequired = false.

Effect on ad networks:

- with consent API: GDPR consent set to not applicable where possible, otherwise don’t set consent explicitly.

- without consent API: normal usage (mostly: personalized ads)

May 24, 2018

Alexander von der Geest

COO, AddApptr