GDPR IAB support

This guide outlines the steps required to support the GDPR IAB TCF v2 message as part of the UMP SDK. It is intended to be paired with Get started which gives an overview of how to get your app running with the UMP SDK and the basics of setting up your message. The following guidance is specific to the GDPR IAB TCF v2 message.

Prerequisites

Delay app measurement

By default, the Google Mobile Ads SDK initializes app measurement and begins sending user-level event data to Google immediately when the app starts. This initialization behavior ensures that you can enable AdMob user metrics without making additional code changes.

However, if your app requires user consent before these events can be sent, you can delay app measurement until you explicitly initialize the Mobile Ads SDK or load an ad.

To delay app measurement, add the following <meta-data> tag in your AndroidManifest.xml.

<manifest>
     <application>
        <!-- Delay app measurement until MobileAds.initialize() is called. -->
        <meta-data
            android:name="com.google.android.gms.ads.DELAY_APP_MEASUREMENT_INIT"
            android:value="true"/>
    </application>
</manifest>

GDPR requires consent revocation to allow users to withdraw their consent choices at any time. See Privacy options to implement a way for users to withdraw their consent choices.

Set setTagForUnderAgeOfConsent to indicate whether a user is under the age of consent. Users under the age of consent won't be presented with a GDPR message form.

Java

ConsentRequestParameters params = new ConsentRequestParameters
    .Builder()
    // Indicate the user is under age of consent.
    .setTagForUnderAgeOfConsent(true)
    .build();

consentInformation = UserMessagingPlatform.getConsentInformation(this);
consentInformation.requestConsentInfoUpdate(
    this,
    params,
    (OnConsentInfoUpdateSuccessListener) () -> {
      // ...
    },
    (OnConsentInfoUpdateFailureListener) requestConsentError -> {
      // ...
    });

Kotlin

val params = ConsentRequestParameters
    .Builder()
    // Indicate the user is under age of consent.
    .setTagForUnderAgeOfConsent(true)
    .build()

consentInformation = UserMessagingPlatform.getConsentInformation(this)
consentInformation.requestConsentInfoUpdate(
    this,
    params,
    ConsentInformation.OnConsentInfoUpdateSuccessListener {
      // ...
    },
    ConsentInformation.OnConsentInfoUpdateFailureListener {
      requestConsentError ->
      // ...
    })

Mediation

Follow the steps in Add ad partners to published GDPR messages to add your mediation partners to the ad partners list. Failure to do so can lead to partners failing to serve ads on your app.

Mediation partners might also have additional tools to help with GDPR compliance. See a specific partner's integration guide for more details.

After GDPR consent has been collected, you can read consent choices from local storage following the TCF v2 spec. The IABTCF_PurposeConsents key indicates consent for each of the TCF purposes.

The following code snippet shows how to check consent for Purpose 1:

Java

SharedPreferences sharedPref = PreferenceManager.getDefaultSharedPreferences(context);
// Example value: "1111111111"
String purposeConsents = sharedPref.getString("IABTCF_PurposeConsents", "");
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
if (!purposeConsents.isEmpty()) {
  String purposeOneString = purposeConsents.charAt(0);
  boolean hasConsentForPurposeOne = purposeOneString.equals("1");
}

Kotlin

val sharedPref = PreferenceManager.getDefaultSharedPreferences(context)
// Example value: "1111111111"
val purposesConsents = sharedPref.getString("IABTCF_PurposeConsents", "")
// Purposes are zero-indexed. Index 0 contains information about Purpose 1.
if (!purposeConsents.isEmpty()) {
  val purposeOneString = purposeConsents.first()
  val hasConsentForPurposeOne = purposeOneString == "1"
}

Frequently asked questions

What happens if I take no action to meet the Consent Management Platform Requirements for serving ads in the EEA and UK?

Beginning January 16, 2024, if a partner doesn't adopt a Google-certified CMP, only Limited Ads will be eligible to serve on EEA and UK traffic.

Enforcement will begin January 16, 2024 on a small percentage of EEA and UK traffic and will ramp up until Google enforces across all EEA and UK traffic by the end of February 2024. Have a certified CMP in place by January 16, 2024 to ensure your monetization is not impacted.

What happens if I implement a CMP and users don't consent?

Limited Ads serving applies if there is no consent for IAB TCF Purpose 1 in accordance with the EU user consent policy.

See Ad serving modes for more information.

How can I check if the user consented?

Consent is not represented by a single bit, but rather a set of purposes and vendors as defined in the IAB TCF specification. See Consent Policies: Personalized & Non-Personalized Ads for Google Ads personalization criteria.

Additionally, ad techs on Google's Ad technology providers (ATP) list that are not registered in the TCF vendor list use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv.

To debug an individual ad request, use the Advanced ad unit debugging feature in ad inspector to export an ad request string. Then look for the following query parameters:

Query parameter Meaning
gdpr Whether GDPR applies for this ad request.
gdpr_consent The TC String. The IAB provides a web tool where you can manually decode the value.
addtl_consent The AC string from Google's Additional Consent technical specification.

To read consent choices programmatically, see How to read consent choices for more information.

Do I need to use Google's UMP SDK to meet the CMP requirement?

No, you can use any CMP from the List of Google-certified CMP to serve ads.

How can I show the consent form again using the UMP SDK even if the user has already consented?

If a user has already made a consent decision, Google's consent management solution won't request to gather new consent until the TC string is expired or otherwise becomes invalid.

GDPR requires consent modification to allow users to withdraw their consent choices at any time. See privacy options to implement a way for users to withdraw their consent choices. To show a consent form again, call showPrivacyOptionsForm().

I integrated a Google-certified CMP, but I'm not seeing any ad requests get made to mediation partners even from users who consented. Why is this happening?

Under TCF, Google checks that ad technology providers and other programmatic demand sources don't violate Google policy and have at least one legal basis for processing data prior to including them in the mediation waterfall. Navigate to the mediation section for more information.

Some mediation partners in Google's Ad Tech Providers (ATP) list are not registered in the TCF vendor list. These partners instead use Google's Additional Consent technical specification for consent collection. Google publishes the list of ad technology providers not registered with the IAB and their IDs at the following location: https://storage.googleapis.com/tcfac/additional-consent-providers.csv

The UMP SDK supports storing the ACString, enabling you to Add ad partners to published GDPR messages without needing to understand whether partners are TCF-registered. When using a third-party CMP, you should do the following:

  1. Confirm that the third-party CMP supports storing the ACString.
  2. Include each mediation partner in the list of ad technology providers that the third-party CMP uses to gather consent.
Can I change how my app functions if users don't consent? Is this allowed by policy?

Publishers can read the IAB TCF string in their apps. See How to read consent choices for information on reading consent choices programmatically. Publishers should review their obligations under relevant regulations with legal counsel.

When I select Manage Options and consent to all purposes, I'm not seeing any ads? Why is this happening?

In addition to collecting purposes consent you also need to collect vendor consent. Both purposes consent and vendor consent are required for any vendor, such as Google, to serve appropriate ads.

What is the best practice for showing both the iOS ATT alert and GDPR consent to the same user?

We recommend showing the GDPR consent message first and the iOS ATT alert second if the user consented to GDPR. This is already handled by the UMP SDK if you configure both messages in the AdMob UI. See Which message your users will see for more information.

If you are not showing the ATT alert using the UMP SDK, we recommend you read consent choices once GDPR consent is collected to determine whether to show the iOS ATT alert.

How do I fix the error "The TC string last updated date was more than 13 months ago"?

Consent must be reobtained from the user. You should call requestConsentInfoUpdate() at the start of every app session. If the TC string is expired, the UMP SDK indicates that consent must be reobtained by setting ConsentInformation.ConsentStatus to ConsentStatus.REQUIRED. If you haven't already, implement a request to load and present a new UMP form in your app.

It's possible for the TC string to expire mid-session, resulting in a small amount of 3.3 errors. And if on the next app session you start loading ads at the same time as you check requestConsentInfoUpdate(), those requests could also give 3.3 errors until requestConsentInfoUpdate() completes; however, this should be a tiny fraction of overall 3.3 errors (less than 0.1%). that are expected.