Monetization: The Privacy Risks and Rewards of In-App Purchases and IBA

Oct 9, 2023 by BBB National Programs

Every day, teens download apps for free and, in doing so, participate in a hidden advertising ecosystem that collects data from them. Alongside this ecosystem, users have the choice to buy upgrades to these apps in the form of in-app purchases, which can be correlated with the same behavioral data that powers advertising. Though these monetization models have caused the mobile app economy to flourish, they sometimes come at the cost of user privacy. 

BBB National Programs’ TeenAge Privacy Program (TAPP) published a white paper in 2020 on this topic called Risky Business: The Current State of Teen Privacy in the Android App Marketplace. The study identifies privacy risks across 1,100+ teen-directed apps and breaks down the complex relationship between data privacy, advertising, and in-app purchases. In 2022, the Children's Advertising Review Unit (CARU) began monitoring the marketplace for compliance with its revised Advertising Guidelines, which now include in-app advertising and purchases, and in 2023, CARU published Metaverse Guardrails to expand those guidelines to this emerging interactive landscape. 

 

How to Make Money Off Apps

In the mobile app ecosystem, app publishers frequently rely on advertising in the form of contextual advertising or interest-based advertising (IBA, also known as targeted advertising) to monetize their products. 

In the 2020 white paper Risky Business, the teen app dataset showed almost 83% of apps used advertising to monetize, compared to 51% of apps directed to general audiences. That research also demonstrated that teen-directed game apps were over three times more likely to integrate in-app purchases than game apps directed to a general audience.

 

How does IBA work? 

Generally speaking, IBA is the process by which users are served with ads based on their interests as inferred from their behaviors. Think about this process as one long chain. On one end of the chain sit advertisers. On the other end of the chain sit end users. And in the middle sit third-party adtech companies and mobile app publishers. 

In the mobile app environment, this process is facilitated by software development kits (SDKs), pieces of software that allow third-party software libraries, including advertisement libraries, to be integrated into apps. 

As users engage with their favorite apps, some third-party libraries collect unique advertising identifiers from smartphones by adtech companies. App developers who integrate the libraries into their apps help adtech companies collect behavioral data from users as they engage with apps, and adtech companies work in concert with one another and with advertisers to ensure that users receive ads targeted to their interests. 

One example is a user being served with an interest-based ad in real time as they engage with their favorite app. This is an automated, high-velocity process that happens in a fraction of a second. 

Seem harmless? It can be. But imagine that a teen is using a dating app and has her preferences set to prefer males and females. In some cases, third-party adtech companies, invisible to the user, will collect this gender preference data alongside the user’s unique device identifier to help target her with inappropriate or suggestive ads. Adtech companies can also correlate unique device identifiers with location data, app engagement, and other data points to build a full profile of that individual user. 

 

What’s contextual advertising?

To be clear, many apps don’t rely on IBA but instead use contextual advertising to monetize. Contextual advertising relies on the content of the app to infer a user’s interest, rather than behavioral data collected over time. 

If a teen is playing a flight simulator app and gets an ad for another flight simulator app, chances are that’s contextual advertising. Compared to IBA, contextual advertising requires very little data collection to facilitate. 

 

Monetization Tricks of the Trade 

Besides advertising, publishers may integrate the ability to purchase items, features, and upgrades into their apps. For example, an in-app purchase is something like a sword or armor that gives a user more power in a game, a key that unlocks more features in an app, or virtual currency that can be used for other in-app purchases. 

In the Risky Business teen dataset, 78% of apps contained in-app purchases, compared with less than 50% of apps directed to general audiences.

With these monetization models and digital tactics at their disposal, mobile app companies can use data collected from their users to maximize their revenue from both ads and in-app purchases. 

For example, many mobile app publishers cater to “whales” – users who are known to make a lot of in-app purchases – by continually releasing new and niche content behind small paywalls to keep those users engaged with the app for a long period of time. Companies also optimize their ad models to reel in “fish” – users who experience IBA as they use their favorite apps and make incremental purchases from time to time based on this advertising. 

“Fish” may become “whales” over time due to the addicting nature of freemium app models. Some companies count on requiring in-app purchases to reach higher levels or providing in-game rewards for watching ads causing users to spend a lot more time in their apps. Teens are especially susceptible to these monetization tactics because of their age, and since app developers are paid for ad engagement, they often achieve great profitability at the users’ expense.

 

Putting the Pieces Together

The traditional prohibitions on data collection and advertising imposed by the Children’s Online Privacy Protection Act (COPPA) that apply to children under 13 don’t apply to teenagers. Consequently, companies are free to mine teens for their data as they engage with mobile apps. Using this data, adtech companies can make powerful inferences about teen behavior, and app publishers can engineer user experiences to encourage teens to engage in profitable behavior. 

For example, dark patterns – manipulative design tactics, push notifications, and addictive gaming experiences that characterize freemium models – can be paired with data collected from their app usage to create customized digital traps. And sensitive data about a teen’s behavior – such as precise location – can be shared and combined with other types of data to serve them IBA. 

To make all of this concrete, here’s a possible scenario. 

Say a teen user downloads a new, popular social media app. After downloading, the app asks for permission to use his location, and the teen user grants the permission request. Unbeknownst to the teen, as he’s using the app, he’s now sharing his device identifier, event data (a log of certain actions he takes on his device), and location data to both the app publisher and third-party adtech companies. The teen puts the app away at lunch, and he receives a targeted push notification an hour later that prompts him to engage with the app. When he opens the app, he is presented with a screen that he cannot easily close encouraging him to make an in-app purchase. When he makes an in-app purchase, not only is the app publisher aware of this event, the platform where he downloaded the app gains this knowledge since it facilitates the credit card purchase. Later, the teen goes for a walk, and while he’s using the app, he receives a targeted ad based on his location encouraging him to buy a coffee at a nearby shop. He clicks the ad to learn more about a potential discount.

In sum, as the result of the teen downloading and using the app for a few brief moments throughout the day, a number of different entities swiftly obtained data about him. Data that the teen or his parents might consider sensitive has now been seen, used, and stored in the records of app publishers, adtech companies, and advertisers.  

 

A Question of Data Ethics

The mobile app ecosystem has brought a lot of value to our shared digital economy. But important questions about privacy, user design, and data ethics are raised as a result of how this ecosystem functions. Users of all ages should keep this environment in mind as they engage with free-to-play games, dating apps, or useful utility apps, and be aware of the privacy tradeoffs involved when they decide to download a new app. Teen users and their parents should be especially sensitive of these issues given teens’ unique habits, preferences, and developmental state and their deep engagement with the digital world.

Companies are already required to meet certain obligations concerning interest-based advertising, as set forth by the Digital Advertising Alliance. In addition, the TAPP Roadmap helps companies that engage with teens online to do so in a way that respects their privacy and seeks to minimize harms, while acknowledging the appropriate digital advertising and in-app purchase considerations.

Suggested Articles

Blog

Renewal Season: 5 Tips to Ensure a Smooth Data Privacy Framework Process

U.S. companies in the Data Privacy Framework Program (DPF) program recertify each year with the Department of Commerce to assess and account for how they handle and process personal data that originates in the EU, U.K., and/or Switzerland. Here are 5 tips for making it a smooth process.
Read more
Blog

The Evolution of CARU: Laying the Foundation in the 70s and 80s

For the last 50 years, companies marketing to children have held each other to a high ethical standard. The Children’s Advertising Review Unit (CARU) was established in 1974 as the U.S. mechanism of independent self-regulation for protecting children from deceptive or inappropriate advertising. Spanning decades, CARU’s early cases reflect the evolution of the children’s advertising and marketing space.
Read more
Blog

Think of the Children: A Comparison of APRA and COPPA 2.0

It is vital that the business community at large parse through the differing approaches of COPPA 2.0 and APRA to children's privacy and understand where these bills would overlap or contradict each other. To help, the Children’s Advertising Review Unit (CARU) privacy team is breaking them down.
Read more
Blog

Unlocking Global Data Privacy Interoperability with CBPRs

In our digitally connected world, safeguarding personal data is essential. To help accomplish that goal, the new Global Cross Border Privacy Rules (CBPR) System launched this week by the Department of Commerce, offering a much-needed framework for a new era of international data protection.
Read more