Taking AdTech & Marketing Compliance Lessons from AppLovin Investigation
Earlier this month, the U.S. Securities and Exchange Commission (SEC) reported that it, and several state attorneys general, were investigating the mobile technology company AppLovin over its data-collection practices.
This case study offers valuable lessons for adtech vendors, marketing companies and compliance officers: regulatory risk is real, and the adtech sector is being watched. Digital advertising is an increasingly regulated environment. The AppLovin probe underscores the critical need for transparency, robust data privacy protocols and a clear understanding of both technical and legal risks when managing consumer data.
AppLovin’s AI Adoption & Alleged Data Privacy Violations
AppLovin is a mobile technology company providing tools for app developers to market, monetize and analyze their apps. The AppLovin platform connects app publishers with advertisers using AI technology to help businesses reach potential customers and optimize ad performance.
AppLovin stock soared to new heights last year after it implemented new AI technology to improve targeted ad campaigns. But that high was short-lived. In early 2025, several short-seller firms such as Fuzzy Panda Research, Culper Research and Muddy Waters Research made public claims that AppLovin, among other things, engaged in backdoor app installations, inflated user-acquisition metrics, harvested sensitive user data (including from children) via device fingerprinting or hidden identifiers, and failed to provide required disclosures on how its AI/targeting platforms functioned. Muddy Waters Research published a report characterizing AppLovin as “systematically” violating app stores’ terms of service and “impermissibly extracting proprietary IDs from Meta, Snap, TikTok, Reddit, Google and others,” and using the IDs to impermissibly funnel highly targeted ads to users without their consent.
These disclosures triggered dramatic investor reactions and a significant loss in market cap.
Thereafter, the SEC investigation began. AppLovin’s data-collection and ad-targeting practices are now being audited to determine whether AppLovin violated service agreements with platform partners, and whether consent, data-usage and platform-policy compliance were properly maintained. States such as Delaware, Oregon and Connecticut have now commenced tag-along investigations on these same allegations.
Data Privacy, Platform Compliance & AI Governance Concerns Converge
To be sure, the SEC has not yet accused AppLovin of wrongdoing. But this case illustrates that AdTech isn’t just about clicks and installs. AdTech combines a layered landscape of data-consent governance (especially when tracking or profiling users), platform-ecosystem compliance (app stores, ad exchanges, partner agreements), algorithmic governance (AI/targeting), and corporate/investor governance (disclosures and risk management, especially when claims of “AI-driven growth” or other unique claims are made). A failure in one dimension (e.g., user privacy) can cascade into platform-noncompliance, contract exposure and securities/investor governance issues.
Takeaways & Compliance Reminders
By learning from high-profile investigations like AppLovin’s, startups in the sector can refine their compliance strategies, foster user trust, and minimize risk as regulatory expectations continue to evolve. AdTech and marketing companies should heed several essential compliance rules:
Review every data flow and ad targeting mechanism for compliance: Document all consent flows and make these auditable. For every step of the data flow (collection > ingestion > processing > targeting > reporting) ask: “Do we have valid consent?” and “Do partner-platforms permit our approach?”
Review and strictly adhere to platform agreements. Ensure that current processes do not violate the terms of any ad exchanges, app stores, SDKs or mediation layers. Companies cannot employ tactics expressly banned in platform agreements. For example, device fingerprinting is expressly banned by Apple, and enforcement actions can result in serious business risks if the violation is discovered.
Be transparent in privacy disclosures: Emphasize clear, plain-language privacy disclosures, especially around AI-driven ad targeting. This will prevent the collection of “dirty data” that cannot be linked to any valid consent.
Obtain explicit consent. Always obtain clear, informed consent from users before any data collection or app installation activity. Hidden tracking or ambiguous permission models are increasingly likely to be flagged as violations of data privacy laws.
Children’s privacy is paramount. Many states and federal agencies are newly vigilant about children’s online privacy. Violations of laws (including COPPA, and the Children and Teens’ Privacy Protection Act) carry severe reputational and legal consequences.
Transparency with partners and investors is key. Misleading statements regarding data collection practices and platform capabilities can result in securities fraud investigations and shareholder lawsuits. Do not promise clicks, installs, or conversions that are not supported by data, and maintain data for possible audits. All public communications must accurately reflect real business operations and technology mechanisms.
File and maintain privacy & security policies: Be ready for regulatory and partner audits. Maintain consent logs, retention and deletion procedures and schedules, algorithm iterations, and test cases.
Institutionalize AI governance: Document algorithms, inputs, outputs and bias checks, and evaluate for unintended harms (especially if data relates to minors or vulnerable groups). Claims about the capabilities of AI-powered platforms must be substantiated by actual performance, not just marketing. Allegations against AppLovin included accusations that its AI "smokescreen" masked privacy-risky operations. Companies need to disclose not just what their algorithms do, but how they comply with evolving legal standards and data protection norms.
Stay up to date with the law: Regulators are adopting increasingly sophisticated methods for detecting improper marketing practices, and what is OK today may be prohibited tomorrow. It is important to keep apprised of both data privacy and AI governance changes, as the two fields are becoming increasingly intertwined in AdTech. Some key laws to follow are COPPA, the EU’s AI Act, and state data-privacy law changes. Additionally, companies should monitor app stores for updates to SDK terms and conditions for continued use to remain in compliance.
Engage with local counsel: This area is changing rapidly and it may not make sense to try to track privacy laws internally. Retaining an attorney will ease the burden.
Conclusion
Adtech firms do not operate in a gray area, and partner platforms expect strong policing of compliance. Investor, board and regulatory attention is growing for adtech firms that claim to have superior targeting without providing transparency on what that means. Building internal governance early can win a competitive advantage.
The AppLovin probe offers a playbook for startups: embed controls early, respect platform and privacy rules, be transparent, and employ good governance practices. As the ad-marketing ecosystem evolves, startups that build compliance and governance into their architecture will be better positioned to scale responsibly, and avoid regulatory and reputational risk.