General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a set of requirements designed to give people in Europe more control over their data. The requirements apply to any organization that processes the personal data of European Union (EU) residents. To learn more about Oath’s approach to privacy and data protection, we recommend visiting Oath and GDPR: Resources for our advertisers and publishers.

In order to continue using the MM SDK to serve personalized advertising (based on information such as device advertising identifiers, location, and other personal data) to EU users, publishers need consent for the use of Oath ad products. In MM SDK 6.8.x, we introduced APIs that allow publishers to:

  1. Identify users that fall under GDPR’s scope

  2. Provide information about the user’s consent permissions

Because every app’s user experience is different, MM SDK 6.8.x does not prompt or provide a mechanism to prompt users to gather consent. Once consent has been obtained for the user, the new setConsentRequired and setConsentData APIs should be set prior to making an ad request.


A user is in GDPR scope if any of the following apply:

  • The user is currently located in the EU
  • The user has registered with the app as an EU resident
  • The app is specifically targeted to EU users

Although SDK 6.8.x will perform a geo IP lookup on startup, there are situations that the SDK cannot know that a user is in scope of GDPR based on their IP address (e.g. a registered EU user traveling outside of the EU). To ensure compliance, publishers should set setConsentRequired prior to making ad requests.

setConsentRequired is a boolean that is used to inform the SDK about users that are in scope of GDPR. When setConsentRequired is true, the SDK restricts information about the user from being collected and sent over the network. If the user’s consent status changes during the application lifecycle, setConsentRequired should be updated accordingly.

// Set to true if the user falls under GDPR jurisdiction.
// Set to true if the user falls under GDPR jurisdiction.
[[MMSDK sharedInstance] setConsentRequired:YES];


For users that have consented to the use of Oath ad products for advertising personalization, the SDK provides a mechanism to pass that consent information (in the form of a specially formatted consent string) with setConsentData. It should be noted that ONE by AOL: Mobile currently supports the IAB’s GDPR Transparency and Consent Framework. Please reach out to your account manager or our Support team for the most up-to-date information on consent string formats and future support plans.

setConsentData takes key-value pairs, where the key is the consent format type and the value is the consent string itself. When setConsentData is set, the SDK will assume that the publisher has obtained consent from the user for Oath ad products. It will then begin collecting and passing personal data. Any setConsentData key-values are also passed on ad requests. When the requests hit the server, ONE Mobile will try to decode the contents of setConsentData and verify that consent has been legitimately obtained in a supported format. If consent cannot be verified, ONE Mobile will drop any personal data contained in the ad request.

For convenience, we have provided a constant for the IAB consent key. It is the responsibility of the publisher to translate the user’s consent information into the IAB consent format, which takes the form of base64-encoded string, and set it as the value for the IAB consent key using setConsentData.

// Sets the IAB Consent String. Note that the IAB Consent Key constant on Android is IAB_CONSENT_KEY
// Sets the IAB Consent String. Note that the IAB Consent Key constant on iOS is MMIABConsentKey
[[MMSDK sharedInstance] setConsentDataValue:@<PUBLISHER-PROVIDED IAB CONSENT STRING> forKey:MMIABConsentKey]