Closed karnowski closed 5 years ago
Note that after review we've realized that we need to remove the ability to store consent long-term in UserDB via the iOS and Android SDKs given that we don't want to propagate server-side API keys into the mobile clients.
I've crossed out the requirements for storing consent in UserDB from this issue.
Motivation
The European Union's GDPR regulation requires companies get consent from EU residents before tracking potentially personally identifiable information (PII). That means that Adzerk customers servicing EU residents must collect and pass consent to Adzerk in one of two ways -- either on the ad request itself or stored ahead of time in Adzerk's UserDB.
If there is no consent passed on a GDPR-regulated request (i.e. coming from an EU IP address), then the request will be treated in a do-not-track fashion and no previous information (interests, demographic information, frequency capping history, etc.) can be used. As such, many Adzerk customers will be collecting consent and passing it to Adzerk.
Adzerk's iOS and Android SDK users need to be able to pass and store consent just as easily as our web API users.
Acceptance Criteria
User Stories
As an integrating developer using the Adzerk iOS SDK, I can store GDPR consent in UserDB.
Additional Requirements
Out of Scope
The SDK will have no facility for asking for or storing consent. All consent will be passed to the SDK from the integrating developer.
There will be no way to execute a "forget me" request via the iOS SDK at this point. The "forget me" endpoint is a destructive operation that requires API key authentication. We are currently recommending our customers implement a server-to-server solution for that use case.
Tech Details
consent parameter on Decision API request: https://dev.adzerk.com/reference#request
Check out the format of the GDPR consent-storing UserDB endpoint: https://dev.adzerk.com/reference#section-gdpr-consent-endpoint