Ad networks that collect user data for personalization require explicit consent under GDPR Art. 6 (lawful basis for processing) and CCPA §1798.135 (opt-out of sale/sharing). An app that imports Google AdMob or Facebook Audience Network without implementing a consent management platform (CMP) is in active GDPR violation from the first European user install — personal data is being processed for ad targeting without a lawful basis. Apple's App Tracking Transparency (ATT) framework makes this enforcement mechanical: iOS 14.5+ requires a system permission prompt before any cross-app tracking, and rejection is automatic if an app uses an ad SDK without requesting ATT permission. Both Apple (apple-review-guidelines-advertising) and Google (google-play-ads-policy) also prohibit intrusive ad placements — ads during checkout or that cover interactive UI elements are explicit rejection triggers.
Severity is low because the check auto-skips when no ad SDK is present. When ads are found without a consent flow, however, the finding represents an active GDPR Art. 6 violation on every European user session.
If using any ad SDK, implement ATT permission (iOS) and a GDPR/CCPA consent flow before displaying ads. Non-personalized ads are a compliant fallback when consent is declined.
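// Request ATT permission before initializing ad SDK (iOS 14+)
import { requestTrackingPermissionsAsync } from 'expo-tracking-transparency';
// Assumes the react-native-google-mobile-ads package, which provides mobileAds()
import mobileAds from 'react-native-google-mobile-ads';

const { status } = await requestTrackingPermissionsAsync();
const trackingAuthorized = status === 'granted';

// Initialize AdMob with consent state
await mobileAds().initialize();

// Pass these options to every ad request created afterwards
const adRequestOptions = {};
if (!trackingAuthorized) {
  // Request non-personalized ads only
  adRequestOptions.requestNonPersonalizedAdsOnly = true;
}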
Place ads at natural pause points only: between screens (interstitial), below content (banner), or as explicit user-triggered rewards. Never display an ad during checkout, form submission, or authentication. Reference your ad network usage explicitly in the privacy policy and in the App Store privacy nutrition label.
mobile-store-readiness.version-management.ads-compliant
low
google-mobile-ads, admob, facebook-audience-network, ironSource). If ads are used, check for: ads are clearly labeled as "Ad", ads do not cover app UI excessively, no ad interruptions during critical user actions (payment, data input), ads do not auto-expand or play sound without user interaction, and ad frequency is reasonable (not more than 1 ad per 30 seconds of user interaction).
"AdMob SDK imported but no ad consent flow (GDPR/CCPA) implemented" or "Full-screen ads appear during checkout — may trigger store rejection"
"This app displays ads from [Ad Network]. Data may be collected for personalization. See our [Privacy Policy] for details."
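The check described above (skip when no ad SDK is present, fail when one is imported with no consent flow) can be approximated statically. This is an added example, not the audit tool's own code; the function name auditAdsConsent, the consent-marker patterns and the sample project are assumptions made for illustration.

```javascript
// Added example: flag ad SDKs shipped without any visible consent handling.
// SDK name patterns follow the list on this page; the markers are assumptions.
const AD_SDK_PATTERNS = [/google-mobile-ads/i, /admob/i, /facebook-audience-network/i, /ironsource/i];

// Evidence of a consent flow: ATT prompt, UMP consent API, or an explicit
// non-personalized-ads request option.
const CONSENT_MARKERS = [
  /expo-tracking-transparency/,
  /requestTrackingPermissionsAsync/,
  /\bAdsConsent\b/,
  /requestNonPersonalizedAdsOnly/,
];

// packageJson: parsed package.json; sources: { filename: file contents }
function auditAdsConsent(packageJson, sources) {
  const deps = Object.keys(packageJson.dependencies || {});
  const adSdks = deps.filter((name) => AD_SDK_PATTERNS.some((re) => re.test(name)));
  if (adSdks.length === 0) {
    return { status: 'skip', adSdks, evidence: [], detail: 'No ad SDK in dependencies' };
  }
  const evidence = [];
  for (const [file, text] of Object.entries(sources)) {
    text.split('\n').forEach((line, i) => {
      if (/^\s*\/\//.test(line)) return; // commented-out code is not a consent flow
      if (CONSENT_MARKERS.some((re) => re.test(line))) evidence.push(`${file}:${i + 1}`);
    });
  }
  if (evidence.length > 0) {
    return { status: 'pass', adSdks, evidence, detail: 'Consent handling found' };
  }
  const detail = `${adSdks.join(', ')} imported but no ad consent flow (GDPR/CCPA) implemented`;
  return { status: 'fail', adSdks, evidence, detail };
}

// Constructed sample project: ad SDK present, ATT call only in a comment.
const SAMPLE_PACKAGE = { dependencies: { react: '18.2.0', 'react-native-google-mobile-ads': '14.0.0' } };
const SAMPLE_SOURCES = {
  'App.js': [
    "import mobileAds from 'react-native-google-mobile-ads';",
    '// await requestTrackingPermissionsAsync();',
    'await mobileAds().initialize();',
  ].join('\n'),
};

console.log(auditAdsConsent(SAMPLE_PACKAGE, SAMPLE_SOURCES).detail);
```

A pass here only shows that consent-related code exists somewhere in the project; whether it runs before the first ad request still needs manual review.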