Publisher Privacy Settings

As a publisher you are responsible for complying with all regulatory laws in which you operate. The Ads SDK provides a robust Privacy API that allows you to comply with these regulations.

User Location

Upon initialization, the Ads SDK determines the user’s location. By default, this location is truncated to a one decimal point level of accuracy. You can allow the Ads SDK to send un-truncated location information by requesting consent from the user. Note that you are responsible for the consent dialog. Once consent is recieved, the user’s location is sent along with the ad request by enabling location as follows:

Enabling Location

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setLocationUserAuthorized(true);
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.locationUserAuthorized = true
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.location.userAuthorized = YES;
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.location.userAuthorized = true
VASAds.sharedInstance.dataPrivacy = builder.build()

Children’s Online Privacy Protection Act (COPPA)

Children’s Online Privacy Protection Act (COPPA) helps ensure that child-directed apps or children in general are not exposed to inapproriate ads or ad targeting. By default, the user does not fall under COPPA. It is important for the value to be set to true if the user is protected by COPPA to ensure legal compliance.

Setting COPPA

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setCoppaApplies(true);
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.coppaApplies = true
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.coppa.applies = YES;
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.coppa.applies = true
VASAds.sharedInstance.dataPrivacy = builder.build()

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) is a regulatory framework designed to give people in the European Union more control over their data. Its requirements apply to any organization that processes the personal data of European Union (EU) residents. To learn more about Yahoo’s approach to privacy and data protection, we recommend visiting Verizon Media and GDPR: Resources for our advertisers and publishers.

Setting GDPR Scope

Upon initialization, the Ads SDK determines the user’s location as determined by the user’s IP address. By default, GDPR is set to be inScope if the user’s location either can not be determined or falls within the GDPR jurisdiction. To the SDK, GDPR inScope means the user’s privacy and other identifying information is not sent in ad requests and consent from the user must be obtained in order to serve personalized ads. Starting from SDK version 1.14.0, you the publisher can also force GDPR scope regardless of the user’s location as shown below. Note that gdprScope is not intended to be read by the publisher to determine if the sdk has detected that the user falls within GDPR scope.

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setGdprScope(true);
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.gdprScope = true
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.gdpr.scope = YES;
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.gdpr.scope = true
VASAds.sharedInstance.dataPrivacy = builder.build()

Yahoo’s services are fully compliant with the IAB’s GDPR Transparency and Consent Framework and the Ads SDK supports passing the GDPR Consent String along with the ad request. You, the publisher, are responsible for obtaining the user’s consent. Once consent is obtained, you can set the consent string as shown below.

Please note that the Yahoo SSP will verify the format and validity of any EU Consent strings prior to processing any personal data. If consent cannot be verified, the SSP will drop any personal data contained in the request.

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setGdprConsent("<GDPR CONSENT>");
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.gdprConsent = "<GDPR CONSENT>"
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.gdpr.consent = @"<GDPR CONSENT>";
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.gdpr.consent = "<GDPR CONSENT>"
VASAds.sharedInstance.dataPrivacy = builder.build()

Setting GDPR Contractual Agreement / Legitimate Interest

For publishers that fall under Contractual Agreement with Yahoo that allows them to process a user’s personal data regardless of GDPR consent status, the SDK allows for a Contractual Agreement or Legitimate Interest flag.

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setGdprContractualAgreement(true);
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.gdprContractualAgreement = true
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.gdpr.contractualAgreement = YES;
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.gdpr.contractualAgreement = true
VASAds.sharedInstance.dataPrivacy = builder.build()

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) introduces data privacy rights for California consumers. To learn more about Yahoo’s approach in regards to CCPA, we recommend this article on Yahoo’s Privacy Center.

Setting CCPA

Publishers have two options for complying with the regulation:

  1. Using the DAA’s Opt-Out tool. You can learn more about this tool here.

  2. Obtaining consent from the user and setting the US Privacy consent string in the SDK. Once you have got the user’s consent, you can set the consent string as follows.

DataPrivacy.Builder builder = new DataPrivacy.Builder();
builder.setPrivacy("<CCPA CONSENT>");
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder()
builder.ccpaPrivacy = "<CCPA CONSENT>"
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [VASDataPrivacyBuilder new];
builder.ccpa.privacy = @"<CCPA CONSENT>";
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder()
builder.ccpa.privacy = "<CCPA CONSENT>"
VASAds.sharedInstance.dataPrivacy = builder.build()

Setting and Updating Privacy Settings

Even though these Privacy settings can be set and changed at any time, it is recommended they be initially set after SDK initialization and prior to ad retrieval. Any changes to the settings will impact subsequent ad requests. Any ads that are retrieved prior to a change (including ads that may have been cached) are not impacted by changed settings and may not be in immediate compliance with the user’s status.

Updating Privacy Settings

If you want to do an update (instead of an overwrite) of the DataPrivacy settings at anytime during the life of the app, you can do so by passing the current DataPrivacy object into the builder before you make changes.

DataPrivacy.Builder builder = new DataPrivacy.Builder(VASAds.getDataPrivacy());
// make changes to builder
VASAds.setDataPrivacy(builder.build());
val builder = DataPrivacy.Builder(VASAds.getDataPrivacy())
// make changes to builder
VASAds.setDataPrivacy(builder.build())
VASDataPrivacyBuilder *builder = [[VASDataPrivacyBuilder alloc] initWithDataPrivacy:VASAds.sharedInstance.dataPrivacy];
// make changes to builder
[[VASAds sharedInstance] setDataPrivacy:[builder build]];
let builder = VASDataPrivacyBuilder(dataPrivacy: VASAds.sharedInstance.dataPrivacy)
// make changes to builder
VASAds.sharedInstance.dataPrivacy = builder.build()