AppLovin SEC Investigation: Key Compliance Takeaways for Mobile Advertising Companies

Understanding the Regulatory Scrutiny of Data Collection and Targeted Advertising Practices

Executive Summary

The Securities and Exchange Commission’s reported investigation into mobile advertising company AppLovin highlights growing regulatory attention on data collection practices, targeted advertising compliance, and children’s privacy protections in the digital advertising ecosystem. For companies operating in the ad-tech space, this development serves as a critical reminder of the evolving compliance landscape and the potential consequences of inadequate privacy safeguards.


Background of the Investigation

According to Bloomberg’s reporting, the SEC has been examining whether AppLovin violated agreements related to pushing targeted advertisements to consumers. The investigation reportedly stems from a whistleblower complaint filed in 2025, alongside multiple short-seller research reports that raised concerns about the company’s data handling practices.

While neither AppLovin nor its officials have been accused of wrongdoing as of this writing, the company’s stock experienced significant volatility following the disclosure, dropping approximately 14% in regular trading and an additional 5% in extended trading. The company has also responded to the scrutiny by discontinuing certain practices.

Allegations Underlying the Investigation

Short-seller research, particularly from Fuzzy Panda Research, alleged that AppLovin engaged in several concerning practices:

Data Collection from Children: Claims that AppLovin’s SDK collected extensive personal information from children’s devices, potentially including unique device identifiers, geolocation data, and device configuration information, despite “do not track” designations.

Targeted Advertising Without Consent: Allegations that the company served highly targeted advertisements to users without obtaining proper consent, potentially violating platform policies and privacy regulations.

Inappropriate Content Delivery: Reports of sexually explicit and violent advertising content being served to minors using age-appropriate gaming applications.

Cross-Platform Data Correlation: Suggestions that AppLovin may have reverse-engineered competing platforms’ targeting data to enhance its own advertising effectiveness.

Critical Compliance Lessons

1. Children’s Privacy Remains a Regulatory Priority

The Children’s Online Privacy Protection Act (COPPA) establishes strict requirements for collecting, using, or disclosing personal information from children under 13. Other laws, including comprehensive state privacy laws, impose a variety of requirements and other restrictions for those under 18, to the extent that we often say “under 18 is the new under 13” in conversations with clients. Companies operating in spaces frequented by minors must:

  • Implement robust age-gating mechanisms
  • Obtain verifiable parental consent before collecting children’s data
  • Limit data collection to what is reasonably necessary for participation in the activity
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information
  • Provide clear privacy notices to parents

Recent enforcement actions by the Federal Trade Commission, including substantial penalties against Epic Games ($520 million) and Google/YouTube ($170 million) for COPPA violations, demonstrate that regulatory authorities prioritize children’s privacy protection regardless of the political climate.

2. Consent Management and Tracking Technologies

Modern privacy compliance requires more than perfunctory consent mechanisms. Companies must ensure that:

  • Consent requests are clear, specific, and freely given
  • Users understand exactly what data will be collected and how it will be used
  • Cookie banners and consent management platforms accurately reflect actual data practices
  • “Do not track” signals and opt-out preferences are honored
  • Device fingerprinting and similar tracking techniques comply with applicable regulations

The allegations against AppLovin suggest potential violations of both Apple’s and Google’s platform policies regarding user tracking and device fingerprinting. Companies must recognize that platform policy violations can result in app removal, which represents an existential threat to mobile-dependent business models.

3. Targeted Advertising Compliance

Targeted advertising involves complex legal and technical considerations across multiple regulatory frameworks. Organizations must navigate:

Platform Requirements: Both Apple’s App Tracking Transparency framework and Google’s advertising policies impose specific requirements on how apps can collect and use data for advertising purposes. Violations can result in app store removal.

State Privacy Laws: California’s CPRA, Virginia’s CDPA, and similar laws across numerous states impose requirements on businesses that sell or share personal information for targeted advertising, including:

  • Prominent disclosure of data sales/sharing
  • Right to opt-out mechanisms
  • Limitations on use of sensitive personal information

Federal Trade Commission Authority: The FTC has broad authority to pursue “unfair or deceptive” practices, which extends to misleading privacy representations and inadequate data security.

4. Data Minimization and Purpose Limitation

The allegations that AppLovin collected extensive device data, potentially including 50+ attributes from children’s devices, illustrate the risks of excessive data collection. Modern privacy regulations increasingly mandate “data minimization,” including:

  • Collecting only data that is adequate, relevant, and limited to what is necessary for specified purposes
  • Clearly articulating the purpose for data collection before collection occurs
  • Avoiding “just in case” data collection practices
  • Regularly reviewing and deleting unnecessary data

5. Third-Party Data Sharing and Processing

Companies utilizing data processing agreements and other contractual restrictions with third-party vendors and data brokers face heightened scrutiny. Organizations must:

  • Maintain clear inventories of third-party data recipients
  • Execute appropriate data processing or sharing agreements
  • Conduct vendor due diligence to ensure third parties maintain adequate security and privacy protections
  • Provide transparency to users about third-party data sharing

6. Advertising Content Appropriateness

Beyond data collection issues, companies must implement controls to ensure advertising content is appropriate for the audience. This includes:

  • Age-appropriate content filters for apps targeting or accessible to minors
  • Mechanisms to review and approve advertising creative before delivery
  • Systems to detect and block inappropriate content in real-time
  • Clear policies and procedures for handling content violations

7. Platform Policy Compliance

For companies in the mobile ecosystem, compliance with Apple App Store and Google Play Store policies is essential for business continuity. Both platforms maintain strict policies on:

  • User privacy and data use
  • Prohibited content, including sexual and violent material
  • Deceptive practices and user interface manipulation
  • Children’s content and COPPA compliance

Historical precedent demonstrates that platform violations can result in app removal or SDK bans. In 2021, Apple temporarily banned apps using the Adjust SDK (later acquired by AppLovin) for fingerprinting practices.

8. Whistleblower Complaints and Internal Controls

The fact that this SEC investigation allegedly originated from a whistleblower complaint underscores the importance of:

  • Robust internal compliance programs that identify issues before they become regulatory matters
  • Regular privacy and advertising compliance audits
  • Documentation demonstrating good-faith compliance efforts

Best Practices for Ad-Tech Companies

In light of these developments, companies operating in the digital advertising space should consider:

Comprehensive Privacy Impact Assessments: Particularly for new data collection practices, advertising formats, or targeting methodologies. For example, we assist clients with privacy impact assessments that identify and mitigate compliance risks before implementation.

Regular Compliance Audits: Including reviews of:

  • SDK data collection practices
  • Consent management implementation
  • Age-gating effectiveness
  • Advertising content review processes
  • Third-party data sharing arrangements

Clear Privacy Documentation: Ensure privacy policies, data processing agreements, and platform disclosures accurately reflect actual data practices. Avoid boilerplate language that doesn’t match operational reality.

Age-Appropriate Design: Implement systems that treat children’s data with enhanced protections, including:

  • Effective age verification mechanisms
  • Data minimization for child users
  • Enhanced parental controls
  • Age-appropriate advertising content filters

Platform Policy Monitoring: Stay current with evolving App Store and Play Store policies, and implement internal processes to ensure ongoing compliance.

Cross-Functional Collaboration: Ensure legal, compliance, product, and engineering teams work together on privacy and advertising practices, rather than treating compliance as an afterthought.

Regulatory Outlook

The AppLovin investigation signals several important trends:

Increased SEC Scrutiny of Tech Companies: The SEC has expanded its focus beyond traditional securities matters to examine business practices that may constitute material misrepresentations to investors, including privacy and data handling claims.

Multi-Agency Coordination: Privacy enforcement increasingly involves coordination between the FTC, state attorneys general, and the SEC, creating potential for concurrent investigations and compounding penalties.

Children’s Privacy as Non-Partisan Priority: Despite varying political administrations, protecting children online remains a consistently enforced priority area.

Platform as Enforcer: Apple’s and Google’s role as gatekeepers gives them significant enforcement power that may operate faster and more severely than government regulation.

Conclusion

The SEC’s alleged investigation into AppLovin’s data collection practices, while still ongoing and without formal accusations, provides important lessons for the entire ad-tech industry. Companies must recognize that privacy compliance is not merely a legal box-checking exercise but a fundamental business requirement that affects platform access, regulatory exposure, and investor confidence.

For organizations navigating these complex requirements, professional legal guidance can help identify risks, implement appropriate controls, and maintain compliance across multiple regulatory frameworks. Our firm specializes in helping advertising and marketing companies, technology platforms, and digital publishers navigate privacy, TCPA, and FTC compliance requirements.

The cost of non-compliance, whether measured in SEC investigations, FTC penalties, platform removals, or reputational damage, far exceeds the investment in proper compliance infrastructure. Companies should treat this investigation as a wake-up call to review and strengthen their own data governance, consent management, and children’s privacy practices before becoming the subject of similar scrutiny.


This article is provided for informational purposes only and does not constitute legal advice. Companies facing specific compliance questions should consult with qualified legal counsel regarding their particular circumstances.

For assistance with privacy compliance, targeted advertising regulations, children’s privacy, or related matters, contact Richt Law Firm.