Data safety form

[markus.w...@gmail.com]

I'm still not completely sure how to fill out that form. My app uses AdMob only. Here are my thoughts, any feedback from the AdMob team or other users would be welcome.

2. Data collection and security:

  * Does your app collect or share any of the required user data types?

    YES

  * Is all of the user data collected by your app encrypted in transit?

    YES

  * Do you provide a way for users to request that their data is deleted?

    Probably NO, since I have no idea how I could possibly forward such a request to Google, although European law would require me to answer YES.

    And ideas on how to handle such requests?

  * Is your app currently certified by an authorized lab, according to the Mobile Application Security Assessment (MASA) framework?

    I guess NO?

3. Data types:

  select the following:

  * Location / Approximate location (official doc [1] -> "IP address")

  * App activity / App interactions ([1] -> "User product interactions")
  * App info and performance / Crash logs ([1] -> "Diagnostic information")

  * App info and performance / Diagnostics ([1] -> "Diagnostic information")

  * Device or other IDs / Device or other IDs ([1] -> "Device and Account identifiers")

[1] https://developers.google.com/admob/android/play-data-disclosure

Did I miss something here?

4. Data usage and handling:

4.1 Approximate location

4.2 Crash logs

4.3 Diagnostics

4.4 App interactions

4.5 Device or other IDs

I gave identical answers under these five topics.

Collected or shared? I assume it's Collected, correct?

  * Is this data processed ephemerally?

    NO, to be on the safe side

    Is this correct?

  * Is this data required for your app, or can users choose whether it's collected?

    YES, required

  * Why is this user data collected?

    "Analytics"

    "Advertising or marketing"

    is this complete and correct?

I could also the data_safety_export.csv based on the information above if anyone is interested.

Again, any feedback on completeness and errors would be welcome.

Regards,

Markus

[Mobile Ads SDK Forum Advisor]

Hi Markus,

Thank you for reaching out to us. Below are the details that you may want to to change.

Do you provide a way for users to request that their data is deleted?

- There is no end-to-end method that Google provides to delete a user's data across all ad networks. It is up to you as the publisher to implement that behavior after they have let you know through a consent management platform like our UMP SDK that they would like to revoke their consent.

Is your app currently certified by an authorized lab, according to the Mobile Application Security Assessment (MASA) framework?

- It depends on whether you got your app tested by an authorized lab or not. The answer would be "No" if your app was not certified by an authorized lab and "Yes" if you app has been certified.

Is this data processed ephemerally
- No

More information can be found here. 

Regards,

Teejay Wennie Mobile Ads SDK Team

 

ref:_00D1U1174p._5004Q2bllKI:ref

[markus.w...@gmail.com]

Hi Teejay,

Thank you for your answers.

Do you provide a way for users to request that their data is deleted?

- There is no end-to-end method that Google provides to delete a user's data across all ad networks. It is up to you as the publisher to implement that behavior after they have let you know through a consent management platform like our UMP SDK that they would like to revoke their consent.

Well, sorry if I don't understand, but if you don't provide a way to delete the data, how would I go about implementing that? If there is no end-to-end method surely there has to be another method, right? After all Google should also be bound by European law if it operates in Europe.

So let's say I go for a very simple approach and provide my email address in the app and a user contacts me and demands that their data gets deleted. Could I forward that request to Google? If so, how? Could I send them a link where they can request deletion themselves? If so, which one?

Also, isn't revoking the consent and requesting deletion of the data two different things? IMO revoking consent would prevent further data from being collected but it would not affect data that has already been collected. My app provides a mechanism to revoke consent, but this question is about deleting the data.

Back to the data safety form. You did not explicitly respond to the data types I have selected and why the data is collected, can I assume the information I entered is correct and nothing is missing?

Regards,

Markus

[Mobile Ads SDK Forum Advisor]

Hi Markus,

I work with Teejay. I raised your comments to my team, specifically about server side data deletion. We will get back to you as soon as possible.

Regards,

Aryeh Mobile Ads SDK Team

 

ref:_00D1U1174p._5004Q2bllKI:ref

[Mobile Ads SDK Forum Advisor]

Hi Markus,

My name is Chris and I'll be assisting with your case. To clarify from earlier, while there is no end-to-end way to delete all of a user's data, Google does provide you with the tools to delete all Google-controlled data. In other words, Google provides the tools to deal with the data it has, but to deal with data from other networks (i.e. end-to-end) you would need to deal with each network individually.

With that being said, in order to delete user data as it pertains to Google in compliance with European law, you would need to use your Consent Management Platform to have the user revoke consent (i.e. user revokes consent using the UMP SDK that we provide). When this is done, any user data becomes disassociated from the user and deleted. This will fulfill your requirements as stated by European law as it pertains to Google. If a user emails you asking to delete their data, you would need to revoke consent on their behalf or provide them with instructions to revoke consent. It is important to note in this case that as far as Google data is concerned, revoking consent == deleting data.

Regarding your form, the only remaining question I see you had was with regards to ephemeral processing. This is not something I can directly assist with as I do not have knowledge of how your application processes or stores user data outside of what ad networks are doing.

Regards,

Chris

ref:_00D1U1174p._5004Q2bllKI:ref

[Tanuj]

Hello Chris,

You said that the users should revoke consent using the UMP SDK to delete the data associated with them. But I use a Consent Management Platform other than the UMP.

1) How should I go about deleting the user data in this case?

2) After the user uninstalls the app, is the data associated with the user anonymized/deleted automatically? If so, when is it anonymized/deleted? If not, how to delete user data upon receiving a data deletion request?

3) Is it possible to get a copy of the user's data if they ask for it?

[Mobile Ads SDK Forum Advisor]

Hi Tanuj,

Thank you for getting back to us.

I would like to emphasize that our team can only provide assistance with the technical issues/concerns related to the Mobile Ads SDK. Since you are using a Consent Management Platform other than the UMP, you can reach out to the appropriate Platform for further assistance. 

If you have any queries related to Mobile Ads SDK, please feel free to get back to us.

This message is in relation to case "ref:!00D1U01174p.!5004Q02bllKI:ref"

Thanks,
 

Mobile Ads SDK Team

[Tanuj]

Hi,

Let me rephrase the 1st question for you.

1) You said that any user data(pertaining to AdMob) becomes disassociated from the user and deleted when the user revokes consent using the UMP. Does this apply if the user revokes consent using a CMP other than the UMP? If not, is there a way to signal the deletion of the user's data through the Mobile Ads SDK?

You did not respond to the 2nd and 3rd questions. They are related to the handling of user data(pertaining to AdMob). Are they within the scope of this forum or should I ask them in the Help Center?

[Mobile Ads SDK Forum Advisor]

Hi Tanuj, 

Thank you for getting back to us.

I will check with our team regarding your query and one of my team members will reach out to you once we have an update on this. Meanwhile, your patience is highly appreciated. 

[tanuj reddy]

I am still waiting for your response. 

[Tanuj]

Any update yet? It's been 2 weeks.

[Mobile Ads SDK Forum Advisor]

Hi Tanuj,

We cannot give guidance on another CMP and we recommend reaching out to that provider for more specific information. In regards to data deletion, there is no end-to-end method that the Google Mobile Ads SDK provides to delete a user's data across all ad networks.

Thanks,
Justin

ref:!00D1U01174p.!5004Q02bllKI:ref

[Tanuj]

It took you three weeks to give the same answer I got before, seriously?

Let me simplify the questions for you.

Suppose a user installs an app that uses AdMob for advertising. AdMob collects user data such as IP addresses, device IDs, and other information listed here. Now, my questions are:

1) Earlier in this conversation, one of the forum advisors said that when a user withdraws their consent using the UMP SDK, all user data relating to AdMob is disassociated and deleted. But what happens if the user revokes consent using a different CMP? For instance, if they use another CMP to revoke consent, will the GoogleMobileAds SDK or AdMob detect this and erase all user data related to AdMob?

2) When the user uninstalls the app, is the data associated with the user automatically anonymized or deleted? If yes, when does this happen? If not, how can the user request that their data be deleted? When I say data, I mean data collected by AdMob.
3) Can the user request a copy of their data collected by AdMob?

[Mobile Ads SDK Forum Advisor]

Hello,

For the first one it depends on the CMP so we cannot give guidance for that question. We recommend confirming with the CMP that they write consent information to local storage using the IAB spec.

For questions 2 and 3 those are more product specific questions, as a next step we recommend reaching out to the Product Support Team as they are more equipped to address your concern. 

[Tanuj]

Hi,

Thanks for your response.

I use one of the Google-certified CMPs with TCF CMP ID - 10. Yes, they write consent information to local storage.

So, Will AdMob delete or anonymize the data collected from users if they revoke consent?

[Mobile Ads SDK Forum Advisor]

Hi Tanuj,

If there is no consent, the AdMob ad request contains no identifier data. For deleting data, as a next step we recommend reaching out to the Product Support Team as they are more equipped to address your concern.