The Securities and Exchange Commission has opened an investigation into AppLovin Corporation’s data-collection practices, marking a potentially watershed moment in how regulators police the multi-billion dollar mobile advertising ecosystem. The probe centers on allegations that the Palo Alto-based company systematically violated platform partners’ service agreements to extract user identifiers for targeted advertising a practice that could reshape how the ad-tech industry balances innovation against privacy protections.
SEC probe into mobile advertising giant raises fundamental questions about data extraction practices and regulatory oversight of the ad-tech industry
AppLovin’s stock plummeted 14% on Monday of this week following Bloomberg’s disclosure of the investigation, extending losses to nearly 17% in after-hours trading. The market reaction reflects not just concern about one company’s practices, but broader anxiety about regulatory risk across an industry built on sophisticated data orchestration.
The Technical Violations at Issue
At the heart of the SEC’s investigation lies a deceptively simple question: Did AppLovin’s AXON advertising platform impermissibly harvest proprietary user identifiers from major technology platforms including Meta, Snap, TikTok, Reddit, and Google to circumvent privacy restrictions and enable cross-platform user tracking?
The allegations suggest AppLovin engaged in what privacy experts call “identifier bridging”—collecting disparate user IDs from multiple platforms and linking them together to create comprehensive user profiles. Short-seller Muddy Waters Research, in a March 2025 report, claimed this amounted to creating “PIGs” (Platform Identifier Groups): unified digital profiles constructed by stitching together user data obtained in apparent violation of platform terms of service.
The technical mechanics matter enormously for privacy professionals. If the allegations prove accurate, AppLovin may have exploited its position as an intermediary in the mobile advertising supply chain to access and correlate user identifiers that platforms like Apple and Meta explicitly restrict. This would represent a fundamental subversion of the privacy architecture these platforms erected—often under regulatory pressure—to limit cross-platform tracking.
Apple’s App Tracking Transparency framework, introduced in 2021, was designed specifically to prevent this type of covert data aggregation. Google and Meta have implemented similar restrictions. If AppLovin found technical workarounds to reassemble the comprehensive tracking profiles these policies were meant to prevent, it would vindicate privacy advocates’ warnings that self-regulatory frameworks remain fundamentally inadequate.
From Short-Seller Reports to Federal Investigation
The SEC probe did not emerge in a vacuum. AppLovin has faced a coordinated assault from short-sellers throughout 2025, with at least three separate research firms publishing reports questioning the company’s practices and business fundamentals.
In February, Fuzzy Panda Research and Culper Research issued reports criticizing AppLovin’s advertising methodologies. Muddy Waters followed in March with a more comprehensive analysis titled “AppLovin: Deep Data Analysis Shows APP is Just Another Scammy AdTech Company.” That report claimed approximately 52% of AppLovin’s e-commerce conversions represented retargeting rather than genuinely incremental demand—and alleged that the company’s ability to deliver such results rested on systematic violations of platform terms of service.
The short-seller offensive produced immediate effects. AppLovin’s stock suffered a record 20% single-day decline following the Muddy Waters report. The company subsequently conducted monitoring that revealed approximately 23% of e-commerce customers had removed AppLovin’s tracking pixel within days—suggesting commercial partners harbored concerns about the practices described.
What transformed activist short-seller allegations into federal investigation remains unclear. Bloomberg reported the probe followed a whistleblower complaint, though details remain sealed. The SEC’s Cyber and Emerging Technologies enforcement unit has taken the lead—a significant detail suggesting regulators view this as a systemic technology issue rather than routine securities fraud.
Regulatory Precedent and Industry Implications
The SEC’s involvement marks an evolution in privacy enforcement that privacy professionals should monitor closely. Traditionally, the Federal Trade Commission handles consumer privacy violations under its Section 5 authority. The SEC’s jurisdiction stems from investor protection—examining whether AppLovin misrepresented its practices to shareholders.
This jurisdictional distinction matters. If the SEC determines AppLovin materially misled investors about regulatory compliance risks or the sustainability of its business model, the commission could pursue enforcement action even absent FTC findings about consumer harm. Securities violations carry different penalties and create distinct litigation risks than privacy violations.
For the broader ad-tech industry, the investigation poses uncomfortable questions about common practices. AppLovin’s AXON platform represents cutting-edge marketing technology—using machine learning to optimize ad performance across complex digital ecosystems. Many competitors employ similar technical architectures and data orchestration methods. If regulators determine AXON’s functionality depends on impermissible data extraction, dozens of companies could face parallel scrutiny.
The investigation also tests whether platform terms of service will function as enforceable privacy frameworks. Apple, Google, and Meta have positioned their developer agreements as privacy-protective guardrails. But enforcement has remained largely within their discretion, with limited regulatory backstop. If the SEC validates that violating these agreements constitutes securities fraud when undisclosed to investors, it would dramatically raise the stakes for ad-tech companies and potentially transform private contract terms into de facto regulatory requirements.
The Privacy Professional’s Perspective
Privacy professionals should recognize several critical implications emerging from the AppLovin investigation:
First, technical compliance with platform APIs and terms of service has become a material regulatory risk, not merely a business development concern. Companies can no longer treat platform agreements as negotiable commercial terms. Systematic violations—particularly when undisclosed to investors—now attract federal enforcement attention.
Second, the investigation illustrates the convergence of privacy and securities regulation. Privacy compliance failures increasingly manifest as disclosure failures, bringing SEC authority to bear on data practices historically policed by FTC consumer protection mandates. Privacy professionals must coordinate closely with investor relations and securities counsel to ensure data practices receive appropriate disclosure and risk assessment.
Third, the technical sophistication of modern ad-tech creates profound transparency challenges. Even sophisticated privacy professionals struggle to audit whether platforms like AXON impermissibly aggregate user identifiers across platforms. The complexity itself becomes a privacy risk—creating opacity that can mask violations and prevent meaningful accountability.
Fourth, self-regulatory frameworks remain vulnerable to sophisticated circumvention. Platform privacy protections depend on good-faith compliance from ecosystem participants. When economic incentives favor evasion, technical restrictions alone prove insufficient. This suggests privacy professionals should maintain healthy skepticism about privacy-by-design claims and demand ongoing technical auditing.
What Comes Next
AppLovin has declined substantive comment, stating it “regularly engages with regulators and will disclose any material developments.” The company emphasizes no wrongdoing has been alleged—technically accurate, as investigations precede formal allegations. But the market’s swift negative reaction suggests investors recognize the investigation poses existential questions about AppLovin’s business model.
Several analysts, including Citigroup, have characterized the sell-off as overdone, noting investigations frequently conclude without enforcement action. AppLovin’s defenders point to the company’s continued strong financial performance and growth trajectory. The stock had surged more than 400% over the previous year before the recent decline, driven by AXON’s demonstrated effectiveness in generating advertising returns.
Yet effectiveness itself may prove problematic if it depends on practices platforms explicitly prohibit. AppLovin’s remarkable performance in a post-ATT environment—when many competitors struggled with Apple’s tracking restrictions—could constitute evidence of circumvention rather than innovation.
For privacy professionals, the investigation offers a crucial test case for how aggressively regulators will police ad-tech data practices in an environment of heightened privacy consciousness. The outcome could determine whether platform privacy frameworks gain regulatory teeth, or whether ad-tech companies continue navigating a gray area between commercial innovation and rule evasion.
The SEC’s involvement suggests a regulatory paradigm shift may be underway—one where privacy violations trigger not just consumer protection enforcement, but securities fraud liability. For an industry built on extracting maximum value from user data while remaining just within shifting legal and technical boundaries, that represents a fundamental change in risk calculus.
As one privacy advocate noted regarding the investigation: “For years, ad-tech companies have treated platform privacy rules as obstacles to work around rather than requirements to respect. If the SEC makes clear that gaming these systems exposes companies to securities fraud risk, it could finally create the accountability that privacy regulations alone have failed to deliver.”
Whether that accountability arrives through AppLovin’s investigation—or the precedent it sets for future enforcement—privacy professionals across the industry are watching closely.
