There is a bug in most mobile apps that no crash reporter will ever catch. It lives in your initialisation sequence.
The problem
Most third-party SDKs initialise at app launch, inside Application.onCreate() on Android or didFinishLaunchingWithOptions on iOS. Analytics and advertising SDKs typically begin collecting device identifiers and session data as soon as they initialise.
That means data collection often starts before your consent screen has even rendered. Under GDPR, processing personal data of EU users without a legal basis is a breach, and for ad and analytics SDKs that legal basis is opt-in consent. The order of operations is the compliance issue.
The fix
Restructure your start-up sequence so a consent layer sits between app launch and SDK activation:
- App launches with no data-collecting SDKs initialised
- Consent interface loads and captures the user's choice
- A timestamped consent record is stored
- Each SDK initialises only if its consent category was accepted
- The stored preference is respected on every future session
Withdrawal matters too. When a user revokes consent, the affected SDKs must stop collecting data, so your gating logic needs to handle runtime changes, and consent state must persist across sessions.
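The sequence above, including withdrawal at runtime, sketched as an added example in plain Kotlin (it is not code from the original post). `ConsentGate`, `GatedSdk` and `ConsentStore` are hypothetical names, the in-memory store stands in for real persistent storage, and the `start`/`stop` lambdas stand in for whatever initialisation and opt-out calls each vendor SDK actually provides.

```kotlin
// Added example; ConsentGate, GatedSdk and ConsentStore are hypothetical names.
enum class Category { ANALYTICS, ADVERTISING }
data class ConsentRecord(val accepted: Set<Category>, val timestampMs: Long)
// Stand-in for persistent storage; a real app would write this to disk.
interface ConsentStore {
    fun load(): ConsentRecord?
    fun save(record: ConsentRecord)
}
class InMemoryStore(private var record: ConsentRecord? = null) : ConsentStore {
    override fun load() = record
    override fun save(record: ConsentRecord) { this.record = record }
}
// Wraps one vendor SDK: start/stop are assumed hooks for its init and opt-out calls.
class GatedSdk(val name: String, val category: Category, val start: () -> Unit, val stop: () -> Unit)

class ConsentGate(private val store: ConsentStore, private val sdks: List<GatedSdk>) {
    private val running = mutableSetOf<String>()
    // Call at app launch. Returns true when the consent UI must be shown first.
    fun onLaunch(): Boolean {
        val saved = store.load() ?: return true // no record yet: start nothing
        enforce(saved.accepted)                 // respect the stored preference
        return false
    }
    // Call when the user submits a choice or changes it later (including withdrawal).
    fun onChoice(accepted: Set<Category>, nowMs: Long = System.currentTimeMillis()) {
        store.save(ConsentRecord(accepted, nowMs)) // timestamped consent record
        enforce(accepted)
    }
    private fun enforce(accepted: Set<Category>) {
        for (sdk in sdks) {
            val allowed = sdk.category in accepted
            if (allowed && running.add(sdk.name)) sdk.start()           // start once
            else if (!allowed && running.remove(sdk.name)) sdk.stop()   // revoked
        }
    }
}

fun main() {
    val log = mutableListOf<String>() // records which hooks fired, in order
    val sdks = listOf(
        GatedSdk("analytics", Category.ANALYTICS, { log += "start analytics" }, { log += "stop analytics" }),
        GatedSdk("ads", Category.ADVERTISING, { log += "start ads" }, { log += "stop ads" }))
    val store = InMemoryStore()
    val gate = ConsentGate(store, sdks)
    check(gate.onLaunch() && log.isEmpty())    // first launch: nothing initialised
    gate.onChoice(setOf(Category.ANALYTICS))   // only the accepted category starts
    gate.onChoice(emptySet())                  // withdrawal stops it at runtime
    check(!ConsentGate(store, sdks).onLaunch()) // next session reuses the stored record
    println(log)
}
```

The gate only works if nothing else in the app calls a vendor's initialiser directly, so SDKs that auto-initialise at process start need that behaviour disabled through the vendor's own configuration.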
Do not forget the dependency graveyard
Check your Podfile, build.gradle, or Package.swift for SDKs added during old experiments or campaigns. Anything still shipping in the binary that is not covered by your privacy policy and consent categories is a liability. An SDK you forgot about is still collecting data.
The business side
Apple's App Tracking Transparency requires user permission before IDFA access, and Google Play requires disclosure of data collected by SDKs in your app. Getting the consent order wrong risks store review problems on top of regulatory exposure.
For the full picture, including SDK due diligence questions and audit steps, this mobile application SDK privacy guide covers the whole workflow.