Apply China Personal Information Protection Law (PIPL) solution

Background

In late 2021, China passed the Personal Information Protection Laws (PIPL) which regulates the collection, use, and transfer of user personal data. To provide customers with additional flexibility while using AppsFlyer and to support PIPL compliance, follow the step-by-step instructions described in this article.
The AppsFlyer PIPL solution is based on 3 principles:

• Prevent the SDK from collecting device IDs.
• Mask and hash IPs of SDK events, S2S events, and clicks and impressions.
• Enable auditing all app events on a relay server in China.

Apply PIPL solution in AppsFlyer

The following section describes the actions you have to take to apply the AppsFlyer PIPL solution.

To apply PIPL solution:

1. Stop collecting device IDs by the SDK. Make sure to not send AppsFlyer the device IDs for both engagements and events.
   • For Android:
     • Set setDisableAdvertisingIdentifiers to true
     • Set setCollectIMEI to false
     • Set setCollectAndroidID to false
   • For iOS:
     • Set disableAdvertisingIdentifier to true
     • Set disableIDFVCollection to true

   Note that configuring these methods affects identifier collection not only in China. To disable identifiers specifically for the Chinese market, you must implement custom logic.

2. Mask and hash clicks and impressions by using dedicated Chinese domains to pass these events to AppsFlyer.
   • Use the following Chinese domains for OneLink and attribution links:
     • For single platform clicks - hclicks.aflink.com, don't use click signing. Make sure to exclude the app link.
     • For single platform impressions - himpressions.aflink.com
     • For OneLink clicks - {subdomain}.onelnk.com
   • Send your CSM a list of relevant app IDs and OneLink subdomains.
   • If you’re using smart banners:
     • Send AppsFlyer the website key.
     • Use only {subdomain}.onelnk.com.
     • Note! Since PIPL requires masking and hashing of IP addresses, smart banners based on geolocation rules will not function as expected.
3. Mask and hash SDK and S2S events and transfer them through a relay server in China
   • SDK Events:
     Set the domain for SDK events to hevents.appsflyer-cn.com. Android instructions. iOS instructions.
     Using this domain ensures that the IP of all SDK events is masked and hashed.
   • S2S Events:
     For S2S events, use the api2.hevents.appsflyer-cn.com domain to mask and hash IP events as follows:
     • The IP should be converted to binary, then the last 2 digits should be masked.
     • The masked binary IP should be converted to text and then hashed by the sha256 algorithm.

Solution limitations

This section describes certain limitations the PIPL solution imposes.

• The S2S solution for OneLink API for short links creation isn’t supported.
• All device IDs, for all engagements, must be hashed.