Fast-growing tech giant AppLovin is facing fresh regulatory heat over its handling of consumer data –including potential investigations by multiple state attorneys general, The Post has learned.
The Silicon Valley firm – a mobile advertising juggernaut worth more than $200 billion that made headlines this spring with an offer to buy TikTok – was rocked this month by a reported Securities and Exchange Commission probe over data privacy.
The SEC is investigating whether AppLovin “misled investors about its data collection and ad-targeting methods” after short-sellers alleged it had used digital “fingerprints” to improperly track users for targeted ads, according to Bloomberg.
On Wednesday, AppLovin said it shut down a product called “Array” that an ad researcher claimed downloaded apps onto user’s phones without their consent. The disclosure came days after researcher Ben Edelman, who holds a short position on AppLovin, claimed in an Oct. 13 report to have found source code that enabled forced downloads.
Edelman’s allegations remain unsubstantiated. A rep for AppLovin responded that “users must explicitly consent to download an application as a result of any of our ads,” noting that “Array was a test product.”
A rep for AppLovin responded that “users must explicitly consent to download an application as a result of any of our ads,” noting that “Array was a test product.”
Meanwhile, state regulators, including staff from the attorneys general from Delaware, Oregon and Connecticut, have reached out to multiple short sellers, seemingly as part of a preliminary investigation into AppLovin, according to sources close to the situation and emails reviewed by The Post.
The probe, which apparently began in March and continued through the summer, is focused on AppLovin’s data collection practices, according to sources familiar with the investigation.
Delaware has taken the lead on the probe, which is thought to be in its early stages, sources said. Several third-party data brokers with ties to AppLovin have received subpoenas as part of the probe, the sources added.
“We do not comment on, confirm, or deny investigations,” a spokesperson for the Delaware attorney general’s office said.
When provided a detailed list of questions for comment, AppLovin said it is “not engaged in any investigations with any state attorneys general regarding its business; nor has the Company been contacted by any state attorneys general regarding any such alleged investigation.”
“AppLovin operates an advertising platform with industry-consistent, platform policies and enforcement measures regarding, among other things, ad content,” the company added in a statement. “These platform policies and measures apply to both publishers and demand side users (i.e., advertisers), and specifically address things like explicit content and other ad content.’
In addition to any local data privacy and consumer protection laws, states have enforcement authority under the Children and Teens’ Online Privacy Protection Act, a federal law meant to shield online users 13 or younger. In 2023, a coalition of 33 states sued Meta alleging violations of COPPA.
It couldn’t be learned if the state investigators were focused on potential violations of COPPA or any other specific law in their probe.
So far, the allegations have done little to slow the meteoric rise of AppLovin, which has been fueled by interest in its AI-powered software that helps app developers find new users and sell advertising. The company, which claims to have built a better mousetrap in an ad tech sector long dominated by Meta and Google, has seen shares surge 80% this year and was recently added to the S&P 500.
Founded in 2012 by CEO Adam Foroughi, John Krystynak and Andrew Karam, AppLovin was originally centered on mobile gaming, but has increasingly refocused its business on its app monetization software.
AppLovin’s rapid rise was threatened in February by a slew of short seller reports published by firms including Fuzzy Panda Research, Muddy Waters and Culper Research. AppLovin has denied the claims in these reports.
In its bombshell analysis, Fuzzy Panda alleged that AppLovin “appears to be illegally tracking children” in violation of federal law – in part by assigning unique digital “fingerprints” to underage accounts specifically labeled “do not track” and despite Apple and Google policies prohibiting the practice.
Fuzzy Panda also published evidence that AppLovin allegedly served explicit and violent third-party animated ads despite parental controls being activated. Those included one that depicted a scantily clad woman being spanked by her boss and another showing an elderly grandmother being attacked with a cleaver.
In the report that allegedly contributed to the probe, Fuzzy Panda said it set up a dummy account for a 10-year-old boy to test AppLovin’s alleged data tracking – and found that the firm assigned a unique ID tracking the account as it played games titled “Save The Girl!” and “Mr. Bullet 3D.”
Fuzzy Panda accused AppLovin of combining those identifiers with data from third-party brokers to “enhance the fingerprint and effectively track children” in violation of federal law.
In the report, Fuzzy Panda said its analysis of an old but still-accessible software development kit used by AppLovin revealed the firm was “collecting 50 different attributes from children’s devices including (geolocation data; unique device identification; and even the exact boot-up time to millisecond” that could be used to specify which users in a household were kids.
The Post could not independently verify the analysis.
Apple explicitly bars developers from “fingerprinting” users, underage or otherwise, in its terms of service, as did Google until it tweaked the policy in February.
Culper Research alleged on Feb. 26 that it had uncovered evidence that AppLovin had “systematically deployed, then exploited incredibly dangerous app permissions that enable in-app ads themselves to force-feed silent, backdoor app installations directly onto users’ phones, with just a single click.”
Culper cited research by Edelman, who later released his own report this month in which he compiled more than 200 user complaints about alleged forced downloads linked to AppLovin’s Array product, including cases where users reportedly noticed apps downloading without a notification as they watched an ad on their phone.
Foroughi previously denied short seller allegations of wrongdoing in a Feb 26 blog post, writing that the company does not track kids’ data and is compliant with all app store rules.
“It’s disappointing that a few nefarious short-sellers are making false and misleading claims aimed at undermining our success, and driving down our stock price for their own financial gain, rather than acknowledging the sophisticated AI models our team has built to enhance advertising for our partners,” Foroughani said at the time.
When reached for comment for this story, an AppLovin rep reiterated that the short seller reports are “false and misleading” made by parties with “clear financial motivations,” and contradicted by “third party sources” as well as the company’s own statements.
The allegations against AppLovin emerged as Congress steps up its efforts to protect kids online in response to several major scandals in which underage users were exposed to harmful content or privacy violations.
Earlier this year, Senate lawmakers reintroduced an updated version of COPPA, which would bar targeted ads for people under age 17.
Other legal challenges are brewing, including a suit by a California resident who claims that AppLovin tracked her “purchasing decisions, app usage…her movements and locations” without her permission and despite her turning off location tracking software on her phone.
The complaint alleges that AppLovin continued to track her using reverse IP look-up technology and “monetized” her information to “unknown third parties.”
