Ads comply with platform guidelines
Why it matters
Ad networks that collect user data for personalization require explicit consent under GDPR Art. 6 (lawful basis for processing) and CCPA §1798.135 (opt-out of sale/sharing). An app that imports Google AdMob or Facebook Audience Network without implementing a consent management platform (CMP) is in active GDPR violation from the first European user install — personal data is being processed for ad targeting without a lawful basis. Apple's App Tracking Transparency (ATT) framework makes this enforcement mechanical: iOS 14.5+ requires a system permission prompt before any cross-app tracking, and rejection is automatic if an app uses an ad SDK without requesting ATT permission. Both Apple (apple-review-guidelines-advertising) and Google (google-play-ads-policy) also prohibit intrusive ad placements — ads during checkout or that cover interactive UI elements are explicit rejection triggers.
Severity rationale
Low because the check auto-skips when no ad SDK is present, but when ads are found without a consent flow, it represents an active GDPR Art. 6 violation on every European user session.
Remediation
If using any ad SDK, implement ATT permission (iOS) and a GDPR/CCPA consent flow before displaying ads. Non-personalized ads are a compliant fallback when consent is declined.
```javascript
// Request ATT permission before initializing the ad SDK (iOS 14+)
import { requestTrackingPermissionsAsync } from 'expo-tracking-transparency';
import mobileAds from 'react-native-google-mobile-ads';

export async function initAdsWithConsent() {
  const { status } = await requestTrackingPermissionsAsync();
  const trackingAuthorized = status === 'granted';
  // Initialize AdMob only once the consent state is known
  await mobileAds().initialize();
  // When tracking is declined, request non-personalized ads only: pass
  // { requestNonPersonalizedAdsOnly: true } in each ad's request options
  return { trackingAuthorized, requestNonPersonalizedAdsOnly: !trackingAuthorized };
}
```
Place ads at natural pause points only: between screens (interstitial), below content (banner), or as explicit user-triggered rewards. Never display an ad during checkout, form submission, or authentication. Reference your ad network usage explicitly in the privacy policy and in the App Store privacy nutrition label.
Detection
- ID: ads-compliant
- Severity: low
- What to look for: Search source code for ad library imports (e.g., google-mobile-ads, admob, facebook-audience-network, ironSource). If ads are used, check that: ads are clearly labeled as "Ad", ads do not cover app UI excessively, there are no ad interruptions during critical user actions (payment, data input), ads do not auto-expand or play sound without user interaction, and ad frequency is reasonable (no more than 1 ad per 30 seconds of user interaction).
- Pass criteria: Count all ad library imports found across the codebase. Pass if no ads are found in the app (0 ad library imports), OR, if ads are present: ads are properly labeled, do not impede core functionality, use standard ad formats (banner, interstitial, rewarded), and comply with platform policies. At least 1 consent flow (GDPR/CCPA) must exist if ads are present.
- Fail criteria: Ad library found but no privacy policy mentions it, ads appear to be placed intrusively (during checkout, login), ads auto-play sound/video without user consent, or ad behavior appears to violate store policies.
- Skip (N/A) when: App does not use advertisements (0 ad library imports found in package.json dependencies).
- Detail on fail: "AdMob SDK imported but no ad consent flow (GDPR/CCPA) implemented" or "Full-screen ads appear during checkout — may trigger store rejection"
- Remediation: Monetize responsibly while complying with store policies. Implement ads properly:
  - If using ads, choose reputable ad networks:
    - Google AdMob: https://admob.google.com/
    - Facebook Audience Network: https://www.facebook.com/an/
    - ironSource: https://www.ironsource.com/
  - Place ads non-intrusively:
    - Banner ads: bottom/top of screen (not covering main UI)
    - Interstitial: between screens or natural pause points (not during critical actions)
    - Rewarded: offer user choice to watch ad for reward
  - Implement consent flow for GDPR/CCPA compliance:
    - Request user consent before displaying personalized ads
    - Provide opt-out mechanism
  - Test ads in development:
    - Use test device IDs to avoid invalid traffic flagging
    - Verify ads don't cover critical UI
    - Confirm ad frequency is reasonable
  - Add privacy policy disclosure:
    - "This app displays ads from [Ad Network]. Data may be collected for personalization. See our [Privacy Policy] for details."
  - Review platform policies:
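As an added example (not part of this check's own tooling), a scanner that applies the Detection criteria above to a codebase held in memory: it counts ad SDK imports and package.json dependencies, looks for consent-flow evidence, and returns the check's skip/fail/pass verdict with its detail string. The consent indicators other than expo-tracking-transparency, and the sample codebases, are assumptions.

```python
import json, re

# Ad SDK name fragments from the check's list, matched case-insensitively.
AD_SDK_PATTERNS = ["google-mobile-ads", "admob", "facebook-audience-network", "ironsource"]
# Consent-flow evidence: the ATT prompt (iOS) or a GDPR/CCPA CMP. Names other than
# expo-tracking-transparency are assumed indicators, not part of the check's spec.
CONSENT_PATTERNS = [r"requestTrackingPermissionsAsync", r"expo-tracking-transparency",
                    r"AdsConsent", r"UserMessagingPlatform", r"\bCMP\b"]
IMPORT_RE = re.compile(r"""(?:import\s[^;\n]*?from\s*|require\(\s*)['"]([^'"]+)['"]""")

def is_ad_sdk(name):
    return any(p in name.lower() for p in AD_SDK_PATTERNS)

def find_ad_imports(files):
    """(path, module) for every JS import/require of an ad SDK across the codebase."""
    return [(path, mod) for path, text in files.items()
            for mod in IMPORT_RE.findall(text) if is_ad_sdk(mod)]

def ad_dependencies(files):
    """Ad SDK packages declared in any package.json (the skip criterion's source)."""
    deps = []
    for path, text in files.items():
        if path.endswith("package.json"):
            deps += [d for d in json.loads(text).get("dependencies", {}) if is_ad_sdk(d)]
    return deps

def has_consent_flow(files):
    return any(re.search(p, text) for text in files.values() for p in CONSENT_PATTERNS)

def evaluate(files):
    """Apply the check's skip / fail / pass criteria; returns (result, detail)."""
    imports, deps = find_ad_imports(files), ad_dependencies(files)
    if not imports and not deps:
        return "skip", "App does not use advertisements (0 ad library imports found)"
    if not has_consent_flow(files):
        sdk = imports[0][1] if imports else deps[0]
        return "fail", f"{sdk} imported but no ad consent flow (GDPR/CCPA) implemented"
    return "pass", f"{len(imports)} ad library import(s) found, consent flow present"

# Constructed sample codebases (not real projects), as {path: contents}.
SAMPLE_NO_ADS = {"package.json": '{"dependencies": {"react": "*"}}',
                 "src/App.js": "import React from 'react';\n"}
SAMPLE_ADS_NO_CONSENT = {
    "package.json": '{"dependencies": {"react-native-google-mobile-ads": "*"}}',
    "src/Ads.js": "import mobileAds from 'react-native-google-mobile-ads';\n"
                  "await mobileAds().initialize();\n"}
SAMPLE_ADS_WITH_CONSENT = dict(SAMPLE_ADS_NO_CONSENT,
    **{"src/Consent.js": "import { requestTrackingPermissionsAsync } "
                         "from 'expo-tracking-transparency';\n"})
```

Running `evaluate` on the three samples yields skip, fail (with the AdMob-without-consent detail) and pass respectively; point it at real files by reading them into the same `{path: contents}` shape.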
External references
- gdpr · Art. 6 — GDPR — Lawfulness of processing (consent basis for ad tracking)
- ccpa · §1798.135 — CCPA — Opt-out of sale of personal information
- external · apple-review-guidelines-advertising — App Store Review Guidelines — Advertising
- external · google-play-ads-policy — Google Play Developer Content Policy — Ads
Taxons
History
- 2026-04-18·v1.0.0·Initial import from mobile-store-readiness·automated