← All posts

How Privacy Regulations Are Reshaping App Revenue in 2026

ATT, the failed Google Privacy Sandbox, EU DMA, and 20 state-level privacy laws are reshaping how app developers earn money. Here's what's shifted and how to adapt.

The last few years have been a slow-motion earthquake for app monetization. Apple’s App Tracking Transparency gutted ad targeting on iOS. Google tried to do the same on Android with Privacy Sandbox - then abandoned the effort. The EU’s Digital Markets Act forced both platforms to allow sideloading and alternative payment systems. And a wave of US state privacy laws added new compliance burdens that hit small developers hardest.

If you’re still running your app business the way you did in 2023, you’re leaving money on the table - or worse, you’re spending it in places where the returns have collapsed.

Data analysis on a laptop screen

ATT changed everything (and the dust has settled)

Apple introduced App Tracking Transparency in iOS 14.5 back in 2021. By now, in 2026, we have years of data on what it actually did.

The opt-in rate has stabilized around 30-40% globally, though it varies widely by category - some categories like sports apps see opt-in rates near 50%. That still means the majority of your iOS users are invisible to traditional ad attribution. Facebook, Google, and every other ad network lost the ability to precisely target and measure iOS campaigns for most users.

The concrete impact:

  • iOS ad eCPMs dropped 15-30% compared to pre-ATT levels and never fully recovered for most app categories
  • Facebook/Meta iOS campaign ROAS fell 30-40%, forcing many developers to shift budget to Android or Apple Search Ads
  • Apple Search Ads became the dominant iOS acquisition channel because it doesn’t rely on IDFA - it uses first-party App Store data
  • SKAdNetwork (SKAN) became the standard for iOS campaign measurement, handling over 40% of all iOS attribution. It’s coarse - you get delayed, aggregated data instead of real-time user-level attribution. Apple is now transitioning toward AdAttributionKit (AAK) as the long-term successor

If you’re still trying to run granular iOS retargeting campaigns or relying on detailed cohort analysis from ad networks, those approaches don’t work like they used to. The developers who adapted shifted to contextual targeting, first-party data strategies, and probabilistic modeling.

Google Privacy Sandbox: the experiment that failed

Google announced the Privacy Sandbox for Android in 2022, promising a privacy-first alternative to the advertising ID. They built new APIs - Topics API for interest-based targeting and Attribution Reporting API for aggregated conversion measurement - and began rolling them out in beta.

Then, in late 2025, Google effectively killed most of the Privacy Sandbox initiative. Adoption was too low, the ad industry hadn’t meaningfully migrated, and Google deprecated the key technologies rather than forcing a transition nobody wanted.

This followed a similar reversal on the web side. Google had planned to remove third-party cookies from Chrome for years, but reversed course in mid-2024 and announced they would keep third-party cookies. As of March 2026, third-party cookies are still fully operational in Chrome.

What this means for Android developers:

  • The Android advertising ID is still available and there’s no announced deprecation date. Android ad targeting continues to work much like it has for years
  • Android ad revenue has been largely unaffected by privacy changes, unlike iOS. This is a major reason why some developers see significantly better ad ROAS on Android
  • Don’t assume this is permanent. Google may revisit privacy restrictions in the future, and regulators could force changes. But for now, Android is the more stable advertising platform
  • The contrast with iOS is stark. Apple went all-in on privacy with ATT and accepted the revenue impact. Google tried a middle path and retreated. If you run ads on both platforms, this difference should inform your budget allocation

The EU Digital Markets Act reshuffled the deck

The DMA designated Apple and Google as “gatekeepers” and forced major changes starting in 2024. By 2026, the effects are visible:

Alternative app stores on iOS. Apple now allows third-party marketplaces in the EU. Adoption has been modest - most users still use the App Store - but some developers have moved to alternative stores to avoid the 30% commission. If you have a significant EU user base, it’s worth evaluating whether listing on an alternative marketplace makes financial sense.

Alternative payment systems. Both platforms now allow developers (in the EU) to use their own payment processing instead of the built-in IAP system. Apple still charges a layered fee structure even when you use your own payment system - a store services commission (10-17% depending on developer size and subscription year), plus a Core Technology Fee and an initial acquisition fee. The total can range from roughly 17% to 24%, so the savings aren’t as dramatic as they sound. Google’s approach is slightly more developer-friendly.

Link-out to web. Developers can now link to external websites for purchases in the EU. This is potentially the biggest deal - if you can convert users to pay on your website, you avoid platform fees entirely (minus payment processing costs of 2-3%).

The catch: the EU-only scope means you’re maintaining two different purchase flows if you have a global app. For many indie developers, the complexity isn’t worth the savings unless EU revenue is a substantial portion of your total.

US state privacy laws are multiplying

California’s CCPA was the first. By 2026, 20 US states have comprehensive privacy laws on the books, and more are coming. The requirements vary but common themes include:

  • Opt-out rights for targeted advertising - users can request you stop using their data for ad targeting
  • Data minimization - you can only collect data necessary for your stated purpose
  • Consent for sensitive data - health, financial, and location data require explicit opt-in
  • Children’s privacy - several states have laws specifically targeting apps used by minors

For small developers, the compliance burden is real. You need:

  • A privacy policy that actually reflects what your app does (not a template you copied)
  • Consent mechanisms for each jurisdiction
  • The ability to process opt-out requests
  • Records of what data you collect and why

If you’re using analytics, crash reporting, and ad SDKs, each of those is collecting data on your behalf. You’re responsible for all of it.

What this means for your revenue tracking

Here’s the thing that connects all of this to your daily operations: your revenue data is getting harder to attribute and easier to misread.

When 60-70% of your iOS users can’t be tracked, your ad platform’s revenue attribution is incomplete. When users in the EU buy through alternative payment systems, that revenue doesn’t show up in App Store Connect or Google Play Console. And while Android tracking is still intact today, the regulatory landscape could change that.

This makes unified revenue tracking more important, not less. You need a single place where you can see:

  • Revenue from App Store and Google Play (including purchases made through alternative payment systems)
  • Ad revenue from AdMob and other networks (which is now harder to attribute to specific campaigns)
  • Acquisition costs from Google Ads and Apple Search Ads (where reported ROAS is less accurate than it used to be)
  • The actual profit after all platform fees, which now vary by region and payment method

If you’re doing this manually across dashboards, you’re probably missing revenue or misattributing costs. This is exactly why we built Apps Finboard - to pull all these sources into one view so you can see what’s actually happening with your money.

How to adapt (practical steps)

1. Diversify acquisition channels. Don’t rely on a single ad platform. Apple Search Ads for iOS, Google Ads for Android, and consider content marketing, ASO, and cross-promotion as channels that don’t depend on user-level tracking.

2. Build first-party data. Email lists, push notification opt-ins, and in-app engagement data are yours and aren’t affected by platform privacy changes. Use them for retention and re-engagement.

3. Shift to contextual and broad targeting. The era of hyper-targeted lookalike audiences is fading. Broader targeting with strong creative actually performs better in a privacy-restricted environment because the algorithms have more inventory to work with.

4. Watch your actual profit, not platform-reported metrics. Ad platform dashboards will show you increasingly incomplete pictures. Track your bank account - actual revenue received minus actual costs paid - and work backwards from there.

5. Keep your ad SDKs current. Even though Google’s Privacy Sandbox was shelved, the ad ecosystem continues to evolve. Stay on the latest versions of AdMob, AppLovin, and other mediation SDKs to benefit from improved targeting and new ad formats.

6. Automate compliance where possible. Use consent management platforms (CMPs) that handle multi-state and multi-country requirements. The manual approach doesn’t scale as more jurisdictions add laws.

The privacy shift isn’t going to reverse. Every year brings more restrictions on tracking, more regulations on data use, and more user awareness about privacy. The developers who thrive are the ones who treat privacy as a feature, not a constraint - and who have clear visibility into their actual financial performance despite the noise.

Apps Finboard

Apps Finboard Team

We build Apps Finboard so indie developers can stop juggling five dashboards and actually see their profit.

Related posts

How Much Do Indie App Developers Actually Make in 2026?

Everyone talks about the app economy's billions. Here's what individual developers actually take home, based on real data - and it's not what most people expect.
← Back to blog