Consent Management Platforms (CMPs) play a critical role in managing user consent for processing their personal data and ensuring adherence to privacy regulations in the case of websites and mobile apps. In 2024, Google introduced key changes in this field, helping mobile app owners adapt more effectively to evolving regulations and meet user expectations.
What is a Consent Management Platform
A Consent Management Platform handles the audience’s permissions to use their data for personalized advertising on websites or mobile apps. In other words, CMP is a software system designed to comply with regulations such as CCPA (California Consumer Privacy Act), GDPR (General Data Protection Regulation – an EU regulation), ePrivacy Directive (an EU directive), and equivalent UK laws.
Why app developers should implement a CMP
- Since January 16, 2024, all mobile app developers utilizing Google Ad Manager and AdMob solutions have been mandated to integrate CMPs certified by the company and integrated with the latest iteration of TCF (the IAB Transparency and Consent Framework). Initially required for serving personalized ads in the European Economic Area and the United Kingdom, this requirement was extended to encompass users from Switzerland as of July 31, 2024;
- Failing to meet TCF standards that support publishers in aligning with data protection laws may create obstacles in adhering to privacy regulations, potentially resulting in legal issues and reduced revenue from non-personalized advertising;
- Ad mediation platforms like AppLovin MAX and Unity LevelPlay also require compliance with regulations governing the showing of personalized ads;
- Additionally, ensuring the safety of user data leads to greater user trust.
Google UMP and list of the company-certified CMPs
Google has created a Consent Management Platform (CMP) specifically for app developers using Google AdMob and Google Ad Manager, known as the User Messaging Platform (UMP). Developers can access specialized tutorials for Android, iOS, and Unity-based apps if they wish to implement that option. Alternatively, they can opt for one of the Google-certified CMPs listed on a dedicated page. Notably, Google continues to certify CMPs, so it’s essential to regularly check their website for the most up-to-date list. Publishers with their own CMP can request certification, or if you’re already working with a CMP, you can inquire if they plan to pursue certification.
Although UMP is a reliable and free Consent Management Platform from Google, external CMPs often offer more flexibility and control over the presentation of consent requests, allowing for greater customization of its appearance and content. While Google UMP enables some degree of customization, other CMP solutions often provide more options, such as editing the graphic design of the consent box.
Popular mediation platforms, in most cases, already support integrating Google UMP and other CMPs, ensuring compatibility with mediation-integrated networks.
CMP for developers using ironSource SDK
- Publishers that wish to use the ironSource SDK must set flags to indicate whether users in GDPR-compliant regions have granted consent before starting that SDK, in addition to gathering consent as required;
- ironSource SDK (LevelPlay mediation) offers a tool (client-side API) to help developers who are not using the Transparency and Consent Framework (TCF) pass users’ GDPR consent data. You can find more information specific to Unity, iOS, and Android-based apps if you wish to investigate further;
- For developers that utilize TCF, there are the following possibilities:
- they can implement Google’s UMP or other certified CMPs by Google. However, they need to configure things correctly as per specific documentation and ensure that Google’s Additional Consent includes these networks: ironSource (“ironSource Mobile”), Unity, Vungle, AppLovin, and Chartboost. If you are using an older version than ironSource SDK 7.7.0, you will also need to take some additional steps;
- in the case of other CMPs, you must follow the specific guidelines they provided to set up your non-registered TCF networks. Later, once you have read all the vital information and have gathered the required consent data, you need to pass this information to LevelPlay with the help of setConsent API. Finally, as long as a vendor is registered in the TCF, they will receive the consent details without any extra workload.
CMP for developers using AppLovin MAX SDK
- Regarding the AppLovin MAX SDK, developers can use the built-in option or any other CMP of their preference. If they choose the latter, they must complete the consent management process before initializing the MAX SDK, verifying that the CMP they opt for is compatible with all the mediated networks they integrate;
- The SDK (version 12.0.0 and higher) automatically works with Google’s User Messaging Platform (UMP). Developers usually have to customize which ad partners appear in the consent message, ensuring all relevant partners are listed to avoid losing ad revenue. Additional information can be found in AppLovin’s dedicated guide;
- If you are a publisher utilizing iOS 17.4 (SDK 12.0.0 Release), you may encounter an issue where the App Tracking Transparency (ATT) prompt incorrectly indicates that a user has declined tracking. Upgrading to SDK version 12.3.0 or later resolves this problem;
- Developers can test how their app works with GDPR rules with a special debug mode in the SDK – it’s called “Mediation Debugger”.
Privacy frameworks like TCF 2.2 are becoming more widely adopted as regions outside Europe and the United States enact their data protection laws. This shift toward privacy-focused certifications demonstrates the industry’s proactive efforts to tackle privacy issues, adhere to regulatory requirements, and satisfy consumer demands. Notably, this trend is also increasingly evident within mobile applications.
