GDPR - current State of monetization plugins.

Solar2D Monetization (in-app purchases, ads, etc.)
#1

Since I don’t find any aggregated data on the state of all the monetization plugins with regard to GDPR, I figured I would start this thread. 

Plugins that have a mechanism to send the consent flag and will continue to display ads if consent is “no”:

  • Appodeal
  • Applovin (also can be set as false on the control panel just for EU persons)
  • Vungle
  • inMobi
  • StartApp
  • AdColony

Plugins with consent flag that show ads with the consent flag set to “no” but still require consent to show ads to EU

  • Admob

Plugins that don’t record any data and don’t track.

  • SuperAwesome (GDPR-K compliant)

Plugins that have a mechanism to send the consent flag but will not display ads if consent is “no”:

  • Chartboost

Plugins that ask for consent and don’t require that the consent flag be sent:

  • Unity

Plugins that will not show ads to EU persons and therefore are compliant.

  • kiip

Plugins that are being removed:

  • AppNext
  • Loopme
  • AdBuddiz
  • Revmob
#2

Chartboost?

#3

Well I don’t have the Chartboost plugin and I haven’t had a chance to ask, but according to Chartboost passing the flag results in no ads being displayed: Not sure what the benefit of this would be compared to asking for consent and not initializing the plugin if you don’t get it.

How to Restrict Personal Data Collection

Ad requests to Chartboost with restrictDataCollection=YES** removes**the IP address and device information from processing. With restrictDataCollection enabled, the user will not receive an ad. 

Ad requests with restrictDataCollection=NO** will process**that user’s IP address and device information. Chartboost will serve an ad using contextual and behavioral targeting. 

By default, ad requests to Chartboost serve personalized ads, with ad selection based on the user’s previously collected data unless otherwise specified. .

#4

I can’t speak to Chartboost’s behavior, but it has been updated to support a consent flag.

Rob

#5

Apologize if this has been answered before.

For the Admob plugin, does the consent pop-up only happen in the set of EU countries or is it a general pop-up for all countries?

Do we have an ETA on the Admob Consent SDK, and would it be worth waiting to update apps with that instead?

#6

Plugins that have a mechanism to send the consent flag and will continue to display ads if consent is “no”:

  • Appodeal
  • Applovin
  • Vungle
  • inMobi
  • StartApp
  • AdColony

Hi agramonte,

Thanks for the upfront research. You seemed experienced with ad plugins.I am particularly interested in the list above because i make kids apps and i want to serve safe ads without asking/passing consent.

  1. If i initialize the Appodeal plugin with hasUserConsent set to false (or similar methods for other networks) - does it mean I can serve ads in my app if there is a fill?

  2. Can hasUserConsent and childDirectedTreatment parameter be used together?

Ben

#7

Ben. From what I have read the GDPR restrictions for serving ads to kids is even more stringent. The only ad provider that does not require consent for kids games and apps is Superawesome. They are the only ones that explicitly mention the extra restriction for kids games / apps (GDPR-K). They anonymize the IP address and they use a custom id that they generate from a random number. They only use this id to track the frequency of ads and nothing more. They erase this id frequently (i forget but I think it is weekly). 

That being said, I am not an expert. Just a programmer that is reading the GDPR releases and sending support tickets to companies when it does not make sense to me. Appodeal might respond for their plugin in these forums.

#8

Hi agramonte,

You’re spot on with Superawesome.

I am trying to find out and confirm what hasUserConsent set to false means to ad networks. I do not believe GDPR is designed to block developers from serving ads to their users (it is our rightful means to monetize for our work) but rather to get consent from users when networks collect and use PII to serve personalized, interest based ads that are more valuable in terms of eCPM.

You’re right, the best way is to direct these questions to the networks. I’ve posted to Appodeal.

Ben

#9

Hi agramonte,

Been doing some extra reading today on Appodeal’s site. According to this article:

"The updated 2.4.1 version of the Parallel Bidding SDK can be initialized whether or not an end-user provides their consent. Publishers will still be responsible for collecting this consent and passing it to our SDK.

 

In case an end-user doesn’t agree on processing their personal data, Appodeal SDK 2.4.1 will notify all ad demand partners so they won’t collect any information from this user and our ad demand partners will just show non-targeted and less relevant ads to such users. If consent is given, they will personalize an end-user ad experience in accordance with shared information."

 

My initial thought is supported, you can still serve ads without the need to ask for consent, however you’re looking at lower eCPM returns.

 

Ben.

#10

Yes and that is sufficient for GDPR. The GDPR-K has a “no data policy” for anybody under the age of 16 (in Germany) and with consent required from the parent if you are not doing that. COPPA requirements are slightly different. Your original question was if you send the flag for GDPR and the old flag for childdirectedtreatment would you be compliant for GDPR kids. I am not sure that text from appodeal answers that question.

#11

The whole issue is about collection, disclosing, storing and manipulating of personal information that are used for analytics, targeting personalized ads, building profile models without consent, which undermines people’s basic rights to privacy.

The issue is not advertising to app users and kids. Consent is not required to serve Superawesome ads (I have emailed them to confirm this) because they serve ONLY contextual ads.

Which directly means we can serve contextual ads from any networks to our users if no PII is collected and used to serve said ads.

Why most ad networks are so persistent with getting consent from users? I believe it is because their competitiveness in the ad market depend on serving the best personalized ad, which in terms drives eCPM rates and their bottom-line - and right now consent is a boulder they need to overcome.

I believe my research has led me to the conclusion that hasUserConsent and childDirectedTreatment , when used properly will allow me to serve safe contextual ads in my kids app, still we need a lawyer to confirm this.

Ben

#12

I agree mostly with your statement. I believe some ad networks capture what is considered personal information as a matter of fact while serving ads (regardless if those ads are personalized or not).

For example, Admob captures information regardless of the flag and therefore they require consent even if the flag is sent. Kidoz records the ip and the idfa (from Apple). They need consent because those ids break the GDPR-K requirements. Superawesome does neither.

I think your assumption that hasUserConsent and childDirectedTreatment cover you is incorrect. Again I am not a lawyer but just looking at whether they use personalized ads is not enough for GDPR-K. You have to look at what data the capture and record as a matter of fact even if they don’t send personalized ads.

#13

Got replies from Superawesome and Appodeal.

  1. Superawesome, you don’t need consent to serve ads. They are end-to-end 100% compliant to GDPR-K and COPPA.

  2. Appodeal, you need to do two things:

  • properly set hasUserConsent and childDirectedTreatment in your app

  • in the web dashboard select filter mature content & COPPA.

You won’t need to deselect ad networks that are not compliant, with the settings above, it is passed down in their backend.

#14

Chartboost?

#15

Well I don’t have the Chartboost plugin and I haven’t had a chance to ask, but according to Chartboost passing the flag results in no ads being displayed: Not sure what the benefit of this would be compared to asking for consent and not initializing the plugin if you don’t get it.

How to Restrict Personal Data Collection

Ad requests to Chartboost with restrictDataCollection=YES** removes**the IP address and device information from processing. With restrictDataCollection enabled, the user will not receive an ad. 

Ad requests with restrictDataCollection=NO** will process**that user’s IP address and device information. Chartboost will serve an ad using contextual and behavioral targeting. 

By default, ad requests to Chartboost serve personalized ads, with ad selection based on the user’s previously collected data unless otherwise specified. .

#16

I can’t speak to Chartboost’s behavior, but it has been updated to support a consent flag.

Rob

#17

Apologize if this has been answered before.

For the Admob plugin, does the consent pop-up only happen in the set of EU countries or is it a general pop-up for all countries?

Do we have an ETA on the Admob Consent SDK, and would it be worth waiting to update apps with that instead?

#18

Plugins that have a mechanism to send the consent flag and will continue to display ads if consent is “no”:

  • Appodeal
  • Applovin
  • Vungle
  • inMobi
  • StartApp
  • AdColony

Hi agramonte,

Thanks for the upfront research. You seemed experienced with ad plugins.I am particularly interested in the list above because i make kids apps and i want to serve safe ads without asking/passing consent.

  1. If i initialize the Appodeal plugin with hasUserConsent set to false (or similar methods for other networks) - does it mean I can serve ads in my app if there is a fill?

  2. Can hasUserConsent and childDirectedTreatment parameter be used together?

Ben

#19

Ben. From what I have read the GDPR restrictions for serving ads to kids is even more stringent. The only ad provider that does not require consent for kids games and apps is Superawesome. They are the only ones that explicitly mention the extra restriction for kids games / apps (GDPR-K). They anonymize the IP address and they use a custom id that they generate from a random number. They only use this id to track the frequency of ads and nothing more. They erase this id frequently (i forget but I think it is weekly). 

That being said, I am not an expert. Just a programmer that is reading the GDPR releases and sending support tickets to companies when it does not make sense to me. Appodeal might respond for their plugin in these forums.

#20

Hi agramonte,

You’re spot on with Superawesome.

I am trying to find out and confirm what hasUserConsent set to false means to ad networks. I do not believe GDPR is designed to block developers from serving ads to their users (it is our rightful means to monetize for our work) but rather to get consent from users when networks collect and use PII to serve personalized, interest based ads that are more valuable in terms of eCPM.

You’re right, the best way is to direct these questions to the networks. I’ve posted to Appodeal.

Ben