`1` indicates yes. This attribute is always passed when set to `1`. |
| `regs.ext.gdpr` | int | "regs": {
"ext": {
"gdpr": 1
}
} | Upon confirming opt-out from a GDPR-affected user, the request structure for that user’s device sends a flag in the `regs.ext` object with the integer value `1`.
Unity also strips all personally identifiable information (IDFA, AAID, IP address, etc.) from the request.
This attribute is always passed when available. For more information on the spec, please reach out to your Unity account manager. |
| `regs.ext.us_privacy` | string | "regs": {
"ext": {
"us_privacy":"1YN-"
}
} | Flag indicating consent for requests subject to [CCPA regulations](https://oag.ca.gov/privacy/ccpa). The string format must adhere to the IAB's [U.S. privacy string spec](https://iabtechlab.com/wp-content/uploads/2019/11/U.S.-Privacy-String-v1.0-IAB-Tech-Lab.pdf).
This attribute is always passed when applicable to affected regions. |
### user object extension
An object class containing the requesting app’s user consent flag for data collection.
| **Attribute** | **Type** | **Example** | **Description** |
| ------------- | -------- | ----------- | --------------- |
| `user.ext.consent` | string | "user": {
"ext": {
"consent": "1"
}
} | Flag indicating if the end user has consented to data collection.
- `"0"` indicates no.
- `"1"` indicates yes.
|
## Endpoint deletion for user opt-out
In order to continue receiving requests for users subject to GDPR, Unity requires readiness compliance from partners to handle opt-out/deletion requests via an endpoint. Unity also must confirm receipt through a 200 OK message (see section on **Protocol**, below).
Upon receiving an opt-out/deletion request, the partner must complete deletion of said user’s data that was received from Unity Ads. This removal should affect all systems and subsystems within the partner’s ecosystem. Please note that your Data Processing Addendum will require this compliance measure.
### Protocol
The opt-out deletion request protocol is described as follows:
* Unity and the partner communicate through HTTPs, and therefore the partner must set up an accessible HTTPs endpoint.
* Unity sends opt-out/deletion requests in HTTP `POST` requests.
* The `POST` body follows this structure:
{
"id": "xxx", // version 1 uuid identifies the request
"idfa": "xxxxxx", // IDFA of the user
"opt-out": true, // boolean flag indicating the user opt out
"ts": "1524785925" // unix timestamp
}
* A `200` HTTP status code response indicates that the partner has received the request and will delete the user data with the provided IDFA.
* If the partner has not yet seen the IDFA, they should still respond with a `200` HTTP status code to acknowledge receipt of the message and intent to delete data.
* If Unity receives a non-`200` HTTP status code, it will retry the request until it receives acknowledgement.
* Any long-term failure to return a `200` HTTP status code will result in the partner’s designation as non-compliant, at which point Unity will discontinue transmitting any data subject to GDPR.
Any non-compliance with this requirement will result in the partner not receiving any traffic subject to GDPR. Exceptions from partners using the endpoint solution will only be made on a case-by-case basis.
### Example of expressed consent
```
{
"user": {
"ext": {
"consent": "1"
}
},
"regs": {
"ext": {
"gdpr": 1
}
}
}
```
### Example of user opt-out
```
{
"user": {
"ext": {
"consent": "0"
}
},
"regs": {
"ext": {
"gdpr": 1,
"us_privacy":"1YN-"
}
}
}
```