Support Home > SDK Integration > Consent SDK – Handling Consent

Consent SDK – Handling Consent

DISCLAIMER: Kochava does not offer legal advice for businesses in relation to CCPA and/or GDPR compliance. Information herein is for reference only and businesses are encouraged to seek their own legal counsel regarding CCPA and/or GDPR compliance efforts and obligations.

Consent Overview

CCPA and GDPR are the two relevant consent models which exist today. For app purposes, these consent models are applicable when a user is determined to reside in or be present in the applicable region. These two models are described below, albeit at a very high level.

The purpose of this document is to help you decide which SDK-based consent solutions you may wish to implement, if any.

 

CCPA:

What is it: California Consumer Privacy Act
Applicable Region: California

CCPA is intended to prevent specifically the sale of data after a user has opted-out. This means that the sale of user data is permitted as long as the user has been given notice and has not opted-out. This is different from GDPR in that measurement may still be possible even if the user has opted-out, as measurement is not necessarily the sale of data. However, it is for your legal team to decide.

 

GDPR:

What is it: General Data Protection Regulation
Applicable Region: Europe

GDPR is far more heavy-handed than CCPA, and is intended to prevent the collection of data until a user has explicitly opted-in. This means that until a user has been prompted and consent has been granted, data collection is generally restricted.


Consent Handling

Unfortunately, CCPA and GDPR have different goals and requirements and cannot always be handled in the same manner. While it may be desirable to create a blanket solution which covers both CCPA and GDPR, this often results in a lowest-common-denominator approach where the more heavy-handed GDPR model is unnecessarily applied to all users. Ideally, an app should handle both CCPA and GDPR separately.

Below we will cover SDK implementation options for handling CCPA and/or GDPR consent models.

 

Basic Consent Handling:

This basic approach may be ideal if you are already determining whether a user is within a consent applicable region and you simply wish to halt all data collection if the user opts-out of CCPA or does not grant consent for GDPR. In that case, all that is required is starting the SDK if consent status allows, or stopping the SDK when consent status does not.

 

Example Flow – CCPA:

 

Example Flow – GDPR:

 

This approach is quick and easy to implement. However, it is also an all-or-nothing approach, which results in all measurement completely halting when the SDK is stopped. This means you will not be able to make privacy-based data decisions farther downstream or convey the status of consent for CCPA, because the data is never sent from the device in the first place.

For instructions on how to start and stop the SDK, refer to our iOS — Using the SDK or Android — Using the SDK support documentation.

 

SDK – Based Consent Handling:

Kochava SDK-based consent handling solutions are available and described below, which can help shoulder the burden when it comes to consent management. Please note that CCPA and GDPR solutions are separate and provide different functionality.

For CCPA, Kochava offers a stand-alone Consent SDK, which can help you to track CCPA consent on a per-user basis. The Consent SDK is based on implementation of the IAB U.S. Privacy String.

 

The Consent SDK WILL:

  • Determine whether or not CCPA applies to a user based on their region.
  • Track consent on an identity basis, rather than device only.
  • Maintains an audit trail of user consent history for compliance.
  • Remember the consent status of the user between launches.
  • Makes it easy to read or write the IAB U.S. Privacy String.
  • Display a consent prompt for you.

 

The Consent SDK WILL NOT:

  • Manage GDPR consent.

 

CCPA and the Kochava Tracker SDK:

The Consent SDK is not part of the Kochava Tracker SDK. The Consent SDK is a stand alone SDK which primarily helps you manage the IAB U.S. Privacy String (USP). The USP is a short textual representation of consent status which can be easily syndicated to interested parties or added to existing data. Within the app, the USP is written to local storage by any entity, which allows the app or any SDK within the app to read it. This means the Consent SDK is not required to set the USP, but does make it easier.

The Kochava Tracker SDK will automatically append measurement data with the USP if it has been set in local storage, whether the USP was set using the Consent SDK or through other means. This means the Consent SDK and Kochava Tracker SDK can be used in tandem if desired, but the Consent SDK is not required to adorn Kochava Tracker SDK data with the USP.

For SDK usage instructions, refer to our iOS Consent SDK — Using the SDK or Android Consent SDK — Using the SDK support documentation.


For GDPR, Kochava offers Intelligent Consent Manager (ICM) as a feature built into the Kochava Tracker SDK.

 

Intelligent Consent Manager WILL:

  • Determine whether or not GDPR applies to a user based on their region.
  • Inform you when to prompt or re-prompt a user for GDPR consent.
  • Remember the consent status of the user between launches.

 

Intelligent Consent Manager WILL NOT:

  • Manage CCPA consent.
  • Display a consent prompt for you.

 

Intelligent Consent Manager Requirements:

Intelligent Consent Manager is designed to act as the final arbiter of consent within the app. This includes determining when GDPR applies, when to prompt the user for consent and automatically restricting Kochava Tracker SDK activity based on current consent status. For this reason, if you are already using a 3rd party tool or otherwise to determine when GDPR applies, Intelligent Consent Manager should not be used and you should instead simply start and stop the Kochava Tracker SDK when appropriate.

For SDK usage instructions, refer to our iOS — Intelligent Consent Manager or Android — Intelligent Consent Manager



SDK Consent FAQ