Privacy

Consent, Age-Related Flags, and Data APIs

When you use the AppLovin SDK, you are responsible for complying with applicable privacy regulations. If you collect and/or transmit personally identifiable information, you are responsible for protecting and managing that data.

You are fully responsible for correctly collecting consent values and age-related flags and for passing those to AppLovin. This is true whether you use your own consent mechanism or a third-party API. MAX provides APIs with which you pass applicable consent and age-related flags to AppLovin.

Best practices:

• Solicit your own legal advice. Nothing in this document should be construed as legal advice.
• Read and understand AppLovin Policies for Publishers, AppLovin’s Privacy Policy, and integration guides offered by AppLovin.
• List AppLovin in your privacy policy as a third-party that collects data. Include a link to AppLovin in your privacy policy.

This framework helps facilitate compliance with:

• The General Data Protection Regulation (“GDPR”)
• Certain multi-state privacy requirements
• Children’s data restrictions under GDPR, COPPA, and App Store policies

However, consent and privacy requirements may extend beyond these. You should apply them accordingly.

Consent and Age-Related Flags in GDPR and Other Regions

When you use the AppLovin SDK, AppLovin requires you to correctly set certain consent values and age-related flags and to send those to AppLovin. You are fully responsible for correctly collecting and sending these values and flags. This is true whether you use your own consent mechanism or a third-party API.

Some of these flags indicate whether users from certain locations provided opt-in consent to collect and use their personal data for interest-based advertising. These locations include the European Union, European Economic Area, United Kingdom, and Switzerland.

Another flag indicates whether a user is in an age-restricted category. Another flag indicates whether users from certain states opted out of sale of their information.

When you initialize the AppLovin SDK, the SDK records the values that you set in the “Privacy States” fields to the log. These fields are “Age Restricted User”, “Has User Consent”, and “Do Not Sell”. Because the AppLovin SDK records the values of these fields when the SDK initializes, you must set these values before you initialize the AppLovin SDK. This ensures that the fields are set correctly. Refer to the Mediation Debugger or to the section marked “Privacy States” in the logs to verify that you correctly set these values.

If the user consents to interest-based advertising, set the user consent flag accordingly, initialize the AppLovin SDK, and start requesting ads. After you set the consent value for a particular user, AppLovin will continue to respect that value for the lifetime of your application or until the user revokes consent to interest-based advertising.

Privacy.setHasUserConsent(true);

If the user does not consent to interest-based advertising, set the user consent flag accordingly. Then start requesting ads through the AppLovin SDK. After you set the consent value for a user, AppLovin respects that value for the lifetime of your application or until the user consents to interest-based advertising.

Privacy.setHasUserConsent(false);

You must verify that you set the consent flag correctly. If you set the consent flag correctly, the “Has User Consent” value shown in the logs (under “Privacy States”) is either “true” or “false”. You can also check the value of the consent flag in the Mediation Debugger. As described above, after you set the consent value, AppLovin respects that value for the lifetime of your application or until the consent value changes.

AppLovin MAX helps you handle consent values on behalf of supported mediation partners. MAX shares these consent values via adapters. To do this, you must use GDPR-supported network SDKs. Consult with your network partner to determine which of their SDK versions support GDPR.

AppLovin MAX does not support your handling of consent values on behalf of Meta, Inc. You must work directly with Meta to determine what support Meta provides for GDPR compliance.

For more details regarding age-related flags, see the section below entitled “Prohibition on Ads to, and Personal Information from, Children and Apps Exclusively Designed for, or Directed to, Children”.

TCF v2 Consent

Note

As of AppLovin MAX SDK version 12.0.0, if you use Google’s CMP (UMP), MAX handles CMP integration. It also ensures that the consent status is established correctly when you initialize the SDK. See “Google UMP Automation” for more details. However, if you use a different CMP, you must perform this integration yourself. You must also ensure that the CMP establishes consent status correctly before you initialize the SDK.

Important

If you access Google demand through MAX, it is critical that you review the Google CMP requirements before you start the integration process.

If you implement a CMP that complies with IAB TCF v2 (Transparency & Consent Framework) for your user consent flow, MAX sends the TCF v2 strings to networks in the following ways:

For Amazon, BidMachine (Android), Google, inMobi, Ogury, Smaato, and Verve

These SDKs read the TCF v2 consent strings from NSUserDefaults or SharedPreferences. You do not have to do any additional configuration to make this happen.

For BidMachine (iOS), DT Exchange (versions 8.2.7.0+), and MobileFuse

MAX SDK sends the TCF v2 consent strings to each network via adapters. You can find compatible adapter and SDK versions on the individual network adapter changelogs. Contact the network partner for more information.

For DT Exchange (versions before 8.2.7.0)

MAX SDK checks the consent status in the TCF v2 consent string. It then passes the consent state to the network via the adapter.

For AppLovin, Chartboost, IronSource, Liftoff Monetize, LINE, and Unity Ads

If you use Google UMP as your CMP, the MAX SDK leverages Google UMP’s Additional Consent (AC) Mode. MAX sends the consent states to each network via the adapter, in the AC string. If you do not use Google UMP as your CMP, contact your CMP provider to learn how to send the consent state to these networks.

For Meta Audience Network

If you use Google UMP as your CMP, you can read the consent state by following their Additional Consent Mode guide. Then you can forward the consent state to their SDK. For specific instructions, see “Meta Audience Network Data Processing Options”. If you do not use Google UMP as your CMP, contact your CMP provider to learn how to send the consent state to Meta Audience Network.

For custom networks and networks that are not compliant with TCF v2

These networks are in the final waterfall. However MAX does not pass any consent flags to them via the adapter.

Prohibition on Ads to, and Personal Information from, Children and Apps Exclusively Designed for, or Exclusively Directed to, Children

You must indicate whether a user is in an age-restricted category (i.e., under the age of 16, or as otherwise defined by applicable laws). This is required so that you can comply with COPPA, GDPR, other age-related requirements, and the Apple App Store and Google Play Store policies. If you know that the user is in an age-restricted category, set the age-restricted user flag this way:

Privacy.setIsAgeRestrictedUser(true);
AppLovinMAX.initialize(…);

If you know that the user is not in an age-restricted category, set the age-restricted user flag this way:

Privacy.setIsAgeRestrictedUser(false);
AppLovinMAX.initialize(…);

As explained in AppLovin’s Terms of Use Agreement and Policies for Publishers, AppLovin does not knowingly collect personal information from children or serve ads to children. Apps exclusively designed for children, or apps exclusively directed to children—for example, iOS Apps in the “Kids” category—may not use the AppLovin SDK.

AppLovin encourages you to verify that you correctly set these age-related flags. You can do this in the Mediation Debugger. You can also do this by reviewing the section marked “Privacy States” in the logs.

Multi-State Consumer Privacy Laws

State laws in the United States may require you to display a “Do Not Sell or Share My Personal Information” link to users in those states, or to provide other options through which those users can opt out of interest-based advertising. Such users can opt out of both interest-based advertising and the sale or sharing of their personal information for the purpose of interest-based advertising. You must set a flag for users from those states that indicates whether those users opt out in this way. If a user does not opt out in these ways, set the do-not-sell flag this way:

Privacy.setDoNotSell(false);

If a user does opt out of interest-based advertising, set the do-not-sell flag this way:

Privacy.setDoNotSell(true);

AppLovin MAX helps you handle opt-out values on behalf of some mediation partners. MAX shares these values via adapters. This only works if you use supported network SDKs. Consult with your network partner to determine the correct SDK versions.

There are some networks for which MAX does not support your handling of opt-out values. For these, you must work directly with the network partner.

Meta Audience Network Data Processing Options for Users in California

To learn how to implement Meta Audience Network’s “Limited Data Use” flag, read the Meta for Developers documentation.

Google Play Families Policy (Android)

This section concerns updates to the Google Play Families Policy. This may change how you use the AppLovin SDK. You can find complete details on Google Play’s Policy Center.

Who does this policy apply to?

According to Google, if you serve ads in your app and your target audience includes only children, then you must use only Families Self-Certified Ads SDKs.

If the target audience for your app includes both children and older users, then you must comply with Google Play Families Policy. You must also ensure that those ads that are shown to children come exclusively from Families Self-Certified Ads SDKs.

What does this mean for your use of the AppLovin SDK and MAX?

As explained in AppLovin’s Terms of Use, you cannot use AppLovin Services in apps exclusively designed for, or exclusively directed to, children. AppLovin does not knowingly collect personal information from children or serve advertisements to children.

In mixed-audience apps or “everyone” apps—apps whose users may include children—you must include and honor all age-related flags. This is explained in AppLovin Policies for Publishers. If you flag a user as an age-restricted user, AppLovin will not collect personal information from that user, nor will it serve advertisements to that user.

Google requires that ads shown to children come exclusively from Families Self-Certified Ads SDKs. For this reason, ad network SDKs that do not self-certify compliance with Google Play policies (including the Families Self-Certified Ads SDK requirements) are not eligible to participate in MAX auctions.

Requirements

If your app is designed primarily for children under the age of 13:

Google Play requires that you participate in the Designed for Families program. You must also comply with Google Play’s Families Policy Requirements.

You cannot use AppLovin Services in apps exclusively directed to children. See AppLovin’s Terms of Use.

If your app is designed for everyone, including children:

You must adhere to Google Play’s Families Policy Requirements.

You must review the age data of your users and you must identify any age-restricted users in your AppLovin SDK integration. For integration instructions, see “Prohibition on Ads to, and Personal Information from, Children and Apps Exclusively Designed for, or Directed to, Children” above.

If your app is not designed for children:

You still must meet the requirements outlined in the Google Play Developer Program Policies and Developer Distribution Agreement.

For more information about the Families Policy, including tips on how to determine the target audience for your app, review Google Play’s Policy Center.