Support GDPR params & endpoints

[karnowski]

Motivation

The European Union's GDPR regulation requires companies get consent from EU residents before tracking potentially personally identifiable information (PII). That means that Adzerk customers servicing EU residents must collect and pass consent to Adzerk in one of two ways -- either on the ad request itself or stored ahead of time in Adzerk's UserDB.

If there is no consent passed on a GDPR-regulated request (i.e. coming from an EU IP address), then the request will be treated in a do-not-track fashion and no previous information (interests, demographic information, frequency capping history, etc.) can be used. As such, many Adzerk customers will be collecting consent and passing it to Adzerk.

Adzerk's iOS and Android SDK users need to be able to pass and store consent just as easily as our web API users.

Acceptance Criteria

User Stories

• As an integrating developer using the Adzerk iOS SDK, I can pass an optional GDPR consent flag on any ad request.
• As an integrating developer using the Adzerk iOS SDK, I can store GDPR consent in UserDB.

Additional Requirements

• SDK will not track any Userdb ID in local device storage unless returned by the server
  • The server will make the decision on if the request is GDPR-regulated or not.
  • The client can trust the server.
• It's okay to pass consent even for non-GDPR-regulated requests.
  • It's up to the SDK user to decide if they want to collect it and pass it or not

Out of Scope

• The SDK will have no facility for asking for or storing consent. All consent will be passed to the SDK from the integrating developer.

• There will be no way to execute a "forget me" request via the iOS SDK at this point. The "forget me" endpoint is a destructive operation that requires an API key authentication. We are currently recommending our customers implement a server-to-server solution for that use case.

Tech Details

• Check out format of the consent parameter on Decision API request: https://dev.adzerk.com/reference#request
• Check out format of the GDPR consent-storing UserDB endpoint https://dev.adzerk.com/reference#section-gdpr-consent-endpoint
• Note that if consent is NOT present and the server determines the request is GDPR-regulated, then no UserDB ID will be returned. We need to handle that case in the client SDK. We don't strictly need to delete anything that's already stored, but we won't have anything new to store.
• You can keep sending an old UserDB ID even without consent, as it will be ignored on the server when appropriate. This protects the use case where an Adzerk customer is switching over to collecting consent but doesn't have it by May 25th, 2018.

[karnowski]

Note that after review we've realized that we need to remove the ability to store consent long-term in UserDB via the iOS and Android SDKs given that we don't want to propagate server-side API keys into the mobile clients.

I've crossed out the requirements for storing consent in UserDB from this issue.