GDPR IAB support

This guide outlines the steps required to support the GDPR IAB TCF v2 message as part of the UMP SDK. It is intended to be paired with Get started, which gives an overview of how to get your app running with the UMP SDK and the basics of setting up your message. The following guidance is specific to the GDPR IAB TCF v2 message.

Prerequisites

GDPR requires consent revocation to allow users to withdraw their consent choices at any time. See Privacy options to implement a way for users to withdraw their consent choices.

Set setTagForUnderAgeOfConsent (TFUA) to indicate whether a user is under the age of consent. Consent is not requested from the user when TFUA is set to true. Mixed audience apps should set this parameter for child users to ensure consent is not requested.

Java

ConsentRequestParameters params = new ConsentRequestParameters
    .Builder()
    // Indicate the user is under age of consent.
    .setTagForUnderAgeOfConsent(true)
    .build();

consentInformation = UserMessagingPlatform.getConsentInformation(this);
consentInformation.requestConsentInfoUpdate(
    this,
    params,
    (OnConsentInfoUpdateSuccessListener) () -> {
      // ...
    },
    (OnConsentInfoUpdateFailureListener) requestConsentError -> {
      // ...
    });

Kotlin

val params = ConsentRequestParameters
    .Builder()
    // Indicate the user is under age of consent.
    .setTagForUnderAgeOfConsent(true)
    .build()

consentInformation = UserMessagingPlatform.getConsentInformation(this)
consentInformation.requestConsentInfoUpdate(
    this,
    params,
    ConsentInformation.OnConsentInfoUpdateSuccessListener {
      // ...
    },
    ConsentInformation.OnConsentInfoUpdateFailureListener {
      requestConsentError ->
      // ...
    })

Mediation

Follow the steps in Add ad partners to published GDPR messages to add your mediation partners to the ad partners list. Failure to do so can lead to partners failing to serve ads on your app.

Mediation partners might also have additional tools to help with GDPR compliance. See a specific partner's integration guide for more details.

After GDPR consent has been collected, you can read consent choices from local storage following the TCF v2 spec. The IABTCF_PurposeConsents key indicates consent for each of the TCF purposes.

The following code snippet shows how to check consent for Purpose 1:

Java

SharedPreferences sharedPref = PreferenceManager.getDefaultSharedPreferences(context);
// Example value: "1111111111"
String purposeConsents = sharedPref.getString("IABTCF_PurposeConsents", "");
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
if (!purposeConsents.isEmpty()) {
  // charAt() returns a char, so convert it before comparing as a String.
  String purposeOneString = String.valueOf(purposeConsents.charAt(0));
  boolean hasConsentForPurposeOne = purposeOneString.equals("1");
}

Kotlin

val sharedPref = PreferenceManager.getDefaultSharedPreferences(context)
// Example value: "1111111111"
// getString() returns a nullable String in Kotlin, so fall back to "".
val purposeConsents = sharedPref.getString("IABTCF_PurposeConsents", "") ?: ""
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
if (!purposeConsents.isEmpty()) {
  // first() returns a Char, so compare against the Char literal '1'.
  val purposeOne = purposeConsents.first()
  val hasConsentForPurposeOne = purposeOne == '1'
}

Frequently asked questions

What happens if I take no action to meet the Consent Management Platform Requirements for serving ads in the EEA and UK?

Beginning January 16, 2024, if a partner doesn't adopt a Google-certified CMP, only Limited Ads will be eligible to serve on EEA and UK traffic.

Enforcement will begin January 16, 2024 on a small percentage of EEA and UK traffic and will ramp up until Google enforces across all EEA and UK traffic by the end of February 2024. Have a certified CMP in place by January 16, 2024 to ensure your monetization is not impacted.

What happens if I implement a CMP and users don't consent?

Limited Ads serving applies if there is no consent for IAB TCF Purpose 1 in accordance with the EU user consent policy.

See Ad serving modes for more information.

How can I check if the user consented?

Consent is not represented by a single bit, but rather a set of purposes and vendors as defined in the IAB TCF specification. See Consent Policies: Personalized & Non-Personalized Ads for Google Ads personalization criteria.

Additionally, ad techs on Google's Ad technology providers (ATP) list that are not registered in the TCF vendor list use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv.

To debug an individual ad request, use the Advanced ad unit debugging feature in ad inspector to export an ad request string. Then look for the following query parameters:

Query parameter   Meaning
gdpr              Whether GDPR applies for this ad request.
gdpr_consent      The TC String. The IAB provides a web tool where you can manually decode the value.
addtl_consent     The AC string from Google's Additional Consent technical specification.

To read consent choices programmatically, see How to read consent choices for more information.

Do I need to use Google's UMP SDK to meet the CMP requirement?

No, you can use any CMP from the list of Google-certified CMPs to serve ads.

How can I show the consent form again using the UMP SDK even if the user has already consented?

If a user has already made a consent decision, Google's consent management solution won't request to gather new consent until the TC string is expired or otherwise becomes invalid.

GDPR requires consent modification to allow users to withdraw their consent choices at any time. See privacy options to implement a way for users to withdraw their consent choices. To show a consent form again, call showPrivacyOptionsForm().

Does the consent form populate the user's previous selection?

The consent message visually displays the default consent choices and selections every time the message is displayed. However, the user's consent choices are saved to local storage after the user makes a consent decision.

I integrated a Google-certified CMP, but I'm not seeing any ad requests get made to mediation partners even from users who consented. Why is this happening?

Under TCF, Google checks that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall. Navigate to the mediation section for more information.

Some mediation partners in Google's Ad Tech Providers (ATP) list are not registered in the TCF vendor list. These partners instead use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv

The UMP SDK supports storing the ACString, enabling you to Add ad partners to published GDPR messages without needing to understand whether partners are TCF-registered. When using a third-party CMP, you should do the following:

  1. Confirm that the third-party CMP supports storing the ACString.
  2. Include each mediation partner in the list of ad technology providers that the third-party CMP uses to gather consent.

Can I change how my app functions if users don't consent? Is this allowed by policy?

Publishers can read the IAB TCF string in their apps. See How to read consent choices for information on reading consent choices programmatically. Publishers should review their obligations under relevant regulations with legal counsel.

When I select Manage Options and consent to all purposes, I'm not seeing any ads. Why is this happening?

In addition to collecting purposes consent you also need to collect vendor consent. Both purposes consent and vendor consent are required for any vendor, such as Google, to serve appropriate ads.
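
The Purpose 1 snippets earlier on this page read only the first character of IABTCF_PurposeConsents, while the answer above requires vendor consent as well. The following Java class is an added example, not code from the UMP SDK or from the original page, that checks both strings for any purpose or vendor ID and treats a missing or short string as no consent. It assumes vendor consents are read from the TCF v2 key IABTCF_VendorConsents; the class name, method names, vendor IDs and sample strings are constructed for illustration.

```java
import java.util.Arrays;

public class TcfConsentCheck {
    // TCF v2 stores consents as a string of '0'/'1' characters; ID n lives at index n - 1.
    // A null value, an ID past the end of the string, or any character other than '1'
    // is treated as "no consent".
    static boolean bitSet(String bits, int id) {
        return bits != null && id >= 1 && id <= bits.length() && bits.charAt(id - 1) == '1';
    }

    // True only if the vendor itself and every listed purpose have consent.
    static boolean vendorHasConsent(String purposeConsents, String vendorConsents,
                                    int vendorId, int... purposes) {
        if (!bitSet(vendorConsents, vendorId)) {
            return false;
        }
        return Arrays.stream(purposes).allMatch(p -> bitSet(purposeConsents, p));
    }

    public static void main(String[] args) {
        // Constructed sample values. On a device these come from the SharedPreferences
        // keys IABTCF_PurposeConsents and IABTCF_VendorConsents (assumed key for vendors).
        String purposes = "1011000000";  // consent for Purposes 1, 3 and 4 only
        String vendors = "0010000000";   // consent for hypothetical vendor ID 3 only

        // Vendor 3 with purposes the user accepted.
        System.out.println("vendor 3, purposes 1/3/4: "
                + vendorHasConsent(purposes, vendors, 3, 1, 3, 4));
        // Vendor 3 with a purpose the user did not accept.
        System.out.println("vendor 3, purposes 1/2:   "
                + vendorHasConsent(purposes, vendors, 3, 1, 2));
        // A vendor the user did not accept, even though the purpose is accepted.
        System.out.println("vendor 5, purpose 1:      "
                + vendorHasConsent(purposes, vendors, 5, 1));
        // Vendor key not written yet (empty default from getString).
        System.out.println("no vendor string:         "
                + vendorHasConsent(purposes, "", 3, 1));
    }
}
```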

What is the best practice for showing both the iOS ATT alert and GDPR consent to the same user?

We recommend showing the GDPR consent message first and the iOS ATT alert second if the user consented to GDPR. This is already handled by the UMP SDK if you configure both messages in the Ad Manager UI. See Which message your users will see for more information.

If you are not showing the ATT alert using the UMP SDK, we recommend you read consent choices once GDPR consent is collected to determine whether to show the iOS ATT alert.

How does AC String version 2 impact waterfall mediation for EEA and UK traffic?

We check that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall.

Changes for Additional Consent v2 include an update to support vendors disclosed in the CMP. Disclosed vendors are eligible to participate in the mediation waterfall.

How do I implement the AC String version 2 for users who already consented to version 1?

Check the IABTCF_AddtlConsent key in local storage per Google's Additional Consent technical specification to determine whether a user has consented to AC String version 2 and if you need to show the consent form again.

Java

SharedPreferences sharedPref = PreferenceManager.getDefaultSharedPreferences(context);
// Example value: "2~1.35.41.101~dv.9.21.81"
String additionalConsent = sharedPref.getString("IABTCF_AddtlConsent", "");
// Index 0 contains information about the specification version number.
if (!additionalConsent.isEmpty()) {
  // charAt() returns a char, so convert it before comparing as a String.
  String specACVersion = String.valueOf(additionalConsent.charAt(0));
  boolean isACVersion2 = specACVersion.equals("2");
}

Kotlin

val sharedPref = PreferenceManager.getDefaultSharedPreferences(context)
// Example value: "2~1.35.41.101~dv.9.21.81"
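// getString() returns a nullable String in Kotlin, so fall back to "".
val additionalConsent = sharedPref.getString("IABTCF_AddtlConsent", "") ?: ""
// Index 0 contains information about the specification version number.
if (!additionalConsent.isEmpty()) {
  // first() returns a Char, so compare against the Char literal '2'.
  val specACVersion = additionalConsent.first()
  val isACVersion2 = specACVersion == '2'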
}
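
The version check above reads only the first character of IABTCF_AddtlConsent. The following Java class is an added example, not code from the UMP SDK or from the original page, that splits the whole AC string into its version, the consented provider IDs and the "dv." disclosed-vendor IDs, and falls back to version 0 with empty lists when the value is absent or malformed. The class and field names are hypothetical, and the segment layout is assumed from the example value 2~1.35.41.101~dv.9.21.81 shown on this page.

```java
import java.util.ArrayList;
import java.util.List;

public class AcStringParser {
    final int version;                                  // 0 means absent or malformed
    final List<Integer> consented = new ArrayList<>();  // provider IDs with user consent
    final List<Integer> disclosed = new ArrayList<>();  // IDs from the v2 "dv." segment

    AcStringParser(String acString) {
        // Limit -1 keeps empty segments, e.g. "2~~dv.9" has an empty consented list.
        String[] parts = acString == null ? new String[0] : acString.split("~", -1);
        int parsedVersion = 0;
        try {
            if (parts.length >= 2) {
                parsedVersion = Integer.parseInt(parts[0]);
                addIds(parts[1], consented);
                if (parts.length >= 3 && parts[2].startsWith("dv.")) {
                    addIds(parts[2].substring(3), disclosed);
                }
            }
        } catch (NumberFormatException e) {
            // Treat a malformed string as "no additional consent recorded".
            parsedVersion = 0;
            consented.clear();
            disclosed.clear();
        }
        version = parsedVersion;
    }

    private static void addIds(String dotSeparated, List<Integer> out) {
        for (String id : dotSeparated.split("\\.")) {
            if (!id.isEmpty()) {
                out.add(Integer.parseInt(id));
            }
        }
    }

    public static void main(String[] args) {
        // The first sample is the example value from this page; the rest are constructed.
        String[] samples = {"2~1.35.41.101~dv.9.21.81", "1~1.35.41.101", "2~~dv.9", ""};
        for (String s : samples) {
            AcStringParser ac = new AcStringParser(s);
            System.out.printf("%-28s version=%d consented=%s disclosed=%s%n",
                    "\"" + s + "\"", ac.version, ac.consented, ac.disclosed);
        }
    }
}
```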

What is the ad serving behavior for a user who sees the consent form in the EEA and UK, and then travels outside the EEA and UK?

The Google Mobile Ads SDK respects the user's consent decision to apply the appropriate ad serving mode even once they leave the EEA and UK.