Unity GDPR Position and Requirements for Third-Party Partners
The General Data Protection Regulation (GDPR) comes into effect in Europe on May 25, 2018. We encourage you to read Unity's Statement on GDPR Readiness to see Unity's overall position and approach to GDPR compliance.
This document outlines Unity's GDPR-readiness requirements for third-party providers ("partners"). There are two important requirements, depending on how you work with Unity:
If you are a partner who is integrated directly with Unity via oRTB:
Readiness to receive an update to the OpenRTB request spec
When a GDPR-affected user indicates an opt-out, the bid request for that user's device will carry a "GDPR" flag in the regs.ext object, and all PII (IDFA, AAID, IP address, etc.) is stripped from the request, as outlined below (the changed sections are highlighted):
If you do not want to receive requests from players who have opted out of targeted advertising, and which therefore carry no PII, please contact email@example.com and we will configure your preference in our system.
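The following is an added example, not Unity's code, of how a partner can handle a bid request that carries the opt-out flag described above: detect the flag, verify that no PII is present before any lookup or logging, and route the request to a contextual (non-personalized) path or skip it. The page only says "a GDPR flag in the regs.ext object", so the key name regs.ext.gdpr and the value 1 are assumptions, and the PII field list is an illustrative subset of OpenRTB 2.x device and user fields, not Unity's definition.

```python
# Added example, not Unity's code: handling a bid request flagged as coming
# from an opted-out user.
# ASSUMPTIONS: the flag is regs.ext.gdpr == 1 (the page says only "a GDPR flag
# in regs.ext"), and the request is the usual OpenRTB JSON object.
import copy
import json

# OpenRTB 2.x fields that carry device identifiers, addresses or location.
# Illustrative, not exhaustive: extend it to whatever your pipeline retains.
PII_FIELDS = {
    "device": ("ifa", "ip", "ipv6", "geo",
               "didsha1", "didmd5", "dpidsha1", "dpidmd5", "macsha1", "macmd5"),
    "user": ("id", "buyeruid", "geo"),
}


def is_gdpr_optout(req):
    """True when the request is flagged as coming from an opted-out user."""
    return req.get("regs", {}).get("ext", {}).get("gdpr") == 1


def strip_pii(req):
    """Sender side: return a copy of the request with PII fields removed."""
    out = copy.deepcopy(req)
    for obj, keys in PII_FIELDS.items():
        section = out.get(obj)
        if isinstance(section, dict):
            for k in keys:
                section.pop(k, None)
    return out


def leaked_pii(req):
    """Receiver side: PII fields still present on a request flagged as opted
    out. Use it as a guard before any lookup, enrichment or logging."""
    if not is_gdpr_optout(req):
        return []
    return [f"{obj}.{k}" for obj, keys in PII_FIELDS.items()
            for k in keys if k in req.get(obj, {})]


def route(req, accept_optout_traffic=True):
    """Decide how the partner handles the request: 'personalized',
    'contextual' (no PII, bid on app/placement context only) or 'skip'
    (the partner asked not to receive opted-out traffic, or the request
    still carries PII and must not be processed)."""
    if not is_gdpr_optout(req):
        return "personalized"
    if not accept_optout_traffic or leaked_pii(req):
        return "skip"
    return "contextual"


# Constructed sample request (not a real Unity request).
SAMPLE = json.loads("""{
  "id": "req-001",
  "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
  "app": {"id": "app-123", "bundle": "com.example.game"},
  "device": {"ifa": "00000000-0000-0000-0000-000000000001",
             "ip": "192.0.2.10", "os": "iOS",
             "geo": {"lat": 48.8, "lon": 2.3}},
  "user": {"id": "u-42"},
  "regs": {"ext": {"gdpr": 1}}
}""")

if __name__ == "__main__":
    clean = strip_pii(SAMPLE)
    print(route(SAMPLE), route(clean), leaked_pii(SAMPLE))
```

The receiver-side check matters because a flagged request that still contains an identifier is the case most likely to leak into logs or lookups; treating it as "skip" fails closed.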
If you are a partner who receives PII data from Unity's bid request or other data products:
Readiness to receive opt-out/deletion requests via an endpoint
In order for partners to continue receiving requests for GDPR-affected users, partners must be ready to receive an opt-out/deletion request via an endpoint and must confirm receipt with a 200 OK response.
Upon receipt, we require complete deletion of that user's data received from Unity Ads. This removal must cover all systems and subsystems within the partner's ecosystem. Please note that your Data Processing Addendum, which will be distributed next week, will require this compliance measure.
The opt-out deletion request protocol is described as follows:
- Unity and the partner will communicate over HTTPS, so the partner needs to set up a highly available HTTPS endpoint.
- Unity will send opt-out deletion requests as HTTP POST requests.
- The POST body will have the following structure:
- If the partner responds with HTTP status code 200, Unity considers that the partner has received the request and will delete the user data associated with the provided IDFA.
- If the partner has not seen the IDFA before, it should still respond with HTTP status code 200 to the opt-out deletion request. The 200 acknowledges receipt of the message and understanding of the intent to delete.
- If the partner responds with a non-200 HTTP status code, Unity will retry the request for a period of time until it receives HTTP status code 200.
- Any long-term failure to return HTTP status code 200 will designate the partner as non-compliant, which will force Unity to shut off the traffic or data product affected by GDPR.
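Below is an added example, not Unity's code, of the deletion exchange described in the list above, with both sides in one file and no network involved: the partner endpoint is a plain function that returns the HTTP status it would send, and the sender retries until it sees a 200. The page does not show the POST body, so the JSON form {"idfa": "<device id>"} is an assumption; the identifiers, the stored records and the simulated outage are constructed.

```python
# Added example, not Unity's code: the opt-out deletion exchange, partner
# endpoint and Unity-side retry, modelled without a network.
# ASSUMPTION: the POST body is JSON of the form {"idfa": "<device id>"};
# the page does not show the real body layout.
import json
import time


class PartnerDeletionEndpoint:
    """Partner side: a toy data store keyed by IDFA plus the handler that
    backs the HTTPS deletion endpoint."""

    def __init__(self, records):
        self.records = dict(records)   # data received from Unity, keyed by IDFA
        self.suppressed = set()        # IDFAs that opted out; never re-ingest

    def handle_post(self, body):
        """Return (status, text) for one deletion request.

        200 means "received and understood" and is returned whether or not the
        IDFA is known, so deletions are idempotent. Only a body that cannot be
        parsed gets a non-200, which makes the sender retry instead of assuming
        the deletion happened."""
        try:
            idfa = json.loads(body)["idfa"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed request"
        if not isinstance(idfa, str) or not idfa:
            return 400, "malformed request"
        self.records.pop(idfa, None)   # remove from every system you control
        self.suppressed.add(idfa)      # block the IDFA from future ingestion
        return 200, "ok"

    def ingest(self, idfa, data):
        """Normal data path; refuses data for an IDFA that has opted out."""
        if idfa in self.suppressed:
            return False
        self.records[idfa] = data
        return True


def send_deletion(post, idfa, max_attempts=5, base_delay=0.0):
    """Sender side: POST the request and retry with exponential backoff until
    a 200 arrives. Returns (acknowledged, attempts_used)."""
    body = json.dumps({"idfa": idfa})
    for attempt in range(1, max_attempts + 1):
        status, _ = post(body)
        if status == 200:
            return True, attempt
        time.sleep(base_delay * (2 ** (attempt - 1)))
    return False, max_attempts


def flaky(handler, failures):
    """Wrap an endpoint so its first `failures` calls return 503, simulating
    a constructed outage on the partner side."""
    state = {"remaining": failures}

    def post(body):
        if state["remaining"] > 0:
            state["remaining"] -= 1
            return 503, "service unavailable"
        return handler(body)

    return post


# Constructed sample identifiers (not real device IDs).
KNOWN_IDFA = "11111111-2222-3333-4444-555555555555"
UNKNOWN_IDFA = "99999999-9999-9999-9999-999999999999"


def demo():
    """Run the cases from the protocol text; returns a summary dict."""
    endpoint = PartnerDeletionEndpoint({KNOWN_IDFA: {"segments": ["a", "b"]}})
    known = send_deletion(endpoint.handle_post, KNOWN_IDFA)
    unknown = send_deletion(endpoint.handle_post, UNKNOWN_IDFA)
    outage = send_deletion(flaky(endpoint.handle_post, 2), KNOWN_IDFA)
    return {
        "known": known,                      # (True, 1)
        "unknown": unknown,                  # (True, 1): unknown IDFA still 200
        "after_outage": outage,              # (True, 3): two 503s, then 200
        "still_stored": KNOWN_IDFA in endpoint.records,
        "reingest_allowed": endpoint.ingest(KNOWN_IDFA, {"segments": ["c"]}),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the suppression set is what keeps a deleted IDFA from quietly reappearing through a later data feed, and the sender's bounded retry loop should raise an alert well before the "long-term failure" threshold that turns a transient outage into a compliance problem.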
Any non-compliance with this requirement will result in the partner not receiving any traffic affected by GDPR. Exceptions will only be made on a case-by-case basis for partners that act solely as processors and meet the following criteria:
- The partner does not store any data received from Unity as part of the Unity ad request or other data products that contain PII.
- A partner acting as a processor does not use that data for behavioral profiling, model training, or any purpose other than fulfilling impressions for the current ad request.