Disclousure: I run Consent Monitor - the easiest way to collect GDPR-required consent in your iOS apps.
“I don’t collect any personally-identifiable information from my users, but I do display ads in my app. Do I need to worry about GDPR?”
TL;DR Yes.
If you show ads in your iOS or Android app through a third-party ad network, such as Admob, you still need to get consent from the user.
If all you are doing is showing ads in your app, you may not have any actual code that collects personally-identifiable information from your users. But the ad network SDK that you plugged into your app certainly does!
Ad networks use a device identifier to show personalized ads in your app. On iOS, the ad networks collect the “IDFA” (advertising identifier) from your users. On Android they collect the “Advertising ID”. Some ad networks also collect the user’s GPS location to further personalize ads. This is personally-identifiable data, and you need the user’s consent to collect such data.
GDPR, also states that if you share collected data with third-parties, you must tell the user about it. So, when you request consent from the user to collect the advertising identifier, you must also inform them that you will be sharing that data with the ad network (specified by name), for purposes of displaying personalized ads.
Some ad network SDKs allow you to specify whether they should be collecting personally-identifiable data. Without collecting such data, the ad network will still be able to display ads to your user, but the ads won’t be personalized; they’ll be more generic.
If your ad network allows for this, you can be more granular with your consent approach.
For example, since GDPR applies only to members of the European Union, if you can determine that the current user is not a member of the EU, you can allow the ad network to collect the advertising identifier and display personalized ads. But in cases where you determine the current user to be a member of the EU, you can request consent to collect the advertising identifier. If the user gives permission, you can then tell the ad network that it can collect the advertising identifier and show personalized ads. If consent is denied, you can still have the ad network show non-personalized ads.
But figuring out if the person using your app is a member of the EU is not trivial. Most apps might be better off covering all bases and requesting proper consent from all users.
On a final note, under GDPR, only people above the age of consent (16 in most countries, 13 in some) can give valid consent to have their data collected.
This means that any consent you collect from an app user who is under the age of consent is not valid.
Indeed, some ad network SDKs allow you to set a flag if the current user is under the age of consent. If that flag is set, the ad network automatically assumes that consent is not given. In such cases the ad network does not collect any personally-identifiable data, and displays generic ads only.