CCPA

The Didomi mobile SDK supports the California Consumer Privacy Act (CCPA). This support is currently in beta.

Requirements and limitations

  • CCPA support is available since Android SDK version 1.68.0 and iOS SDK version 1.77.0.

  • To use CCPA, you must use remote Didomi configuration. Local configuration files and custom remote files are not supported. See how to set up your SDK on Android and iOS.

  • CCPA is only available for mobile devices for the moment. Android TV and tvOS are not supported.

  • Currently, only the English language is supported.

Create CCPA configuration

As CCPA support is still in beta, it is not possible to configure it from the console for the moment. If you wish to support CCPA in your app, please contact support@didomi.io. Customer support will set up a configuration for you using the following elements:

  • Color code in hexadecimal (for buttons and links)

  • Font

  • Logo

  • Privacy policy link

  • Organization name

  • Text to put in 1st layer (notice banner)

  • Text to put in 2nd layer (preferences screen), except this text that needs to stay: The California Consumer Privacy Act provides you with the option to opt-out from the selling of your data to third parties. You can apply granular choices to the following.

  • List of vendors and purposes you want to handle (may be the same as GDPR). For the moment, vendors used in CCPA notices are all custom vendors with legitimate interest purposes.

  • Notice ID used by your app. See next section to understand how it will behave.

Behavior

Determining the regulation to use

When a notice is configured for CCPA, the SDK will receive different configurations according to the location from which the request is issued. For example, a user located in France or in Spain will receive the GDPR regulation notice, while a user located in California will receive the CCPA regulation notice.

When a user is not located in a country subject to GDPR or CCPA, they will not receive any notice, unless app.gdprAppliesGlobally is set to true, in which case they will receive the GDPR notice as well. For the moment, we recommend activating gdprAppliesGlobally when supporting CCPA regulation.

The user location is determined by our back-end using the request IP address. To test different locations, you can use a VPN (remember to clear app data before switching locations, otherwise a 1-hour cache will apply).

Displaying the notice

The CCPA notice is displayed following the same rules described in Customize the notice, with a few differences.

  • Notice position: CCPA notice can only be displayed as a banner.

  • Only 2 buttons are present: "Agree & Close" and "Do not sell my data". "Do not sell my data" allows users to open the preferences screen and deny consent from there. This text cannot be changed.

Displaying the preferences screen

The CCPA preferences are displayed following the same rules described in Customize the preferences popup, with a few differences.

  • Purposes are not displayed at first. The only option is "Sell my data". The user has to opt out to disallow data processing.

  • When the user selects the "Sell my data" item, the list of purposes is presented. From there it is possible to disable purposes individually.

US Privacy String

When using CCPA, Didomi supports the IAB CCPA Framework. Once the user submits consent choices, the US Privacy String is generated and stored in the application's Shared Preferences (Android) or User Defaults (iOS) under the key IABUSPrivacy_String, following the IAB specifications.
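
An added example, not part of the Didomi SDK or its documentation: a strict parser for the version-1 IAB US Privacy String (version, explicit notice, opt-out of sale, LSPA covered transaction) with a fail-closed check for code that consumes the stored value. The `stored` dict, the function names, the uppercase-only strictness and the decision policy in `sale_allowed` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

US_PRIVACY_KEY = "IABUSPrivacy_String"  # storage key named on this page
_FLAGS = {"Y": True, "N": False, "-": None}  # "-" means not applicable


@dataclass(frozen=True)
class USPrivacy:
    version: int
    notice_given: Optional[bool]  # explicit notice / opportunity to opt out
    opt_out_sale: Optional[bool]  # user opted out of the sale of their data
    lspa_covered: Optional[bool]  # Limited Service Provider Agreement applies


def parse_us_privacy(raw) -> USPrivacy:
    """Parse a version-1 US Privacy String; raise ValueError on anything else."""
    if not isinstance(raw, str) or len(raw) != 4:
        raise ValueError("US Privacy String must be exactly 4 characters")
    if raw[0] != "1":
        raise ValueError(f"unsupported version {raw[0]!r}")
    try:
        notice, opt_out, lspa = (_FLAGS[c] for c in raw[1:])
    except KeyError:
        raise ValueError("flags must be 'Y', 'N' or '-'") from None
    return USPrivacy(1, notice, opt_out, lspa)


def sale_allowed(stored: dict) -> bool:
    """Fail closed: selling is allowed only on a valid string with no opt-out.

    `stored` stands in for the key/value store (Shared Preferences or
    User Defaults) exported to a dict; that export is an assumption here.
    """
    try:
        p = parse_us_privacy(stored.get(US_PRIVACY_KEY))
    except ValueError:
        return False  # missing or malformed value: treat as opted out
    if (p.notice_given, p.opt_out_sale, p.lspa_covered) == (None, None, None):
        return True  # "1---": CCPA does not apply to this user
    return p.notice_given is True and p.opt_out_sale is False
```

The same parser applies to the consentString field returned by getUserStatus when the regulation is ccpa.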

Get User Status

When using CCPA regulation, user choices can be retrieved using the getUserStatus method.

  • The applied regulation is indicated in the regulation field. It can be gdpr, ccpa or none.

  • The consentString field will contain the US Privacy String instead of the GDPR Consent String.

  • For the moment, vendors used in CCPA notices are all custom vendors with legitimate interest purposes. To retrieve a specific vendor in the lists, remember to add the prefix c:.

  • As we only manipulate legitimate interest purposes, consent information like purposes.consent.enabled, vendors.consent.enabled... will always be empty, but purposes.global.enabled and vendors.global.enabled will contain the accurate information.
