User opt-in/opt-out in the AppsFlyer SDK

At a glance: As a client (app owner) you use the AppsFlyer SDK to send attribution data to AppsFlyer. But, sometimes, you need to stop or limit data being sent to us due to app-user requests, opt-in/opt-out, and privacy regulations like GDPR and CCPA. 


Questions about AppsFlyer privacy: The privacy relationship between you and AppsFlyer is governed by the AppsFlyer Services Privacy Policy  For any questions relating to this Services Privacy Policy or to contact our data protection officer please send us a mail to: privacy@appsflyer.comFor the purposes of Article 27 of the General Data Protection Regulation, the representative within the EU of AppsFlyer is AppsFlyer Germany GmbH Kurfürstendamm 11, c/o WeWork, 10719 Berlin, Germany (contact; +49-30-3119-9129)

Opt-in and opt-out scenarios

  • The AppsFlyer SDK embedded in apps can be set to:
    • Opt-out: stop or limit data collection.
    • Opt-in: after opting-out resume data collection.
  • The app developer and marketer taking into consideration the regulatory and business requirements implement opt-in/opt-out as detailed in this article.
  • Use opt-out to:
    • Comply with regulations like GDPR and CCPA  that prohibit or restrict data collection.
    • Complete opt-out: stop collecting any attribution data.
    • Partial opt-out: send some data or anonymize the data sent.
    • Selective opt-out: based on specific regulations or age of the app user
  • Use opt-in to change the opt-out status to opt-in. 

Opting-out users

Opt-out can take place at a number of different levels depending on regulatory and user requirements. 

  • Follow the appropriate flow using an opt-out scenario as detailed. Do this to ensure compliance with opt-out requests and in order to continue collecting attribution data where appropriate.
  • In scenarios where opt-out is activated, the AppsFlyer ID is hashed. 
  • For ease of reading, the Android method names are used in this article:
    • Start tracking method names:
      • Android SDK: startTracking
      • iOS SDK: trackAppLaunch()
    • Stop tracking method names: 
      • Android SDK: stopTracking
      • iOS SDK: AppsFlyerTracker.shared().isStopTracking = true


Opt-out at installation


When: Upon the first launch (Example, COPPA compliance)

What: The app requires the user's agreement to perform event recording during all sessions. If the user consents to recording (example, user above a certain age) the app calls the SDK startTracking method. Otherwise, the startTracking method should not be called


Don't use stopTracking if startTracking was never called.

How: The startTracking method should always be called at the session start of opted-in users, but shouldn't be called for opted-out users. In addition, in-app events cannot be sent for users who have never opted-in, as they are regarded as coming from unknown users and go to organic.

Therefore, for apps, we recommend that enable Installation opt-out, has a permanent flag parameter that shows if startTracking was called beforehand or not. This flag should ALWAYS be checked before calling startTracking or sendEvent methods are called.

Data sent to AppsFlyer: No data is sent. If the user subsequently opts-in attribution and session data are sent from the time startTracking is called. 


com.carefulapp requires users to register upon installing. The form includes a check-box: "I'm over age 13". Dev the developer added a flag called is_tracking, which becomes true only for registrations that have this box checked, and then activates startTracking.

Code sample example here.

Prevent data sharing with 3rd parties

WhenEvery time the SDK is initialized

What: A user may request to opt-out of sharing their data with 3rd parties. By activating this option in the AppsFlyer SDK BEFORE the first startTracking call, the following applies to the whole session:

  • Users from SRNs are attributed as Organic, and their data is not shared with integrated partners.
  • Users from click ad networks (non-SRNs) are attributed correctly in AppsFlyer, but not shared with the ad networks via postbacks, APIs, raw data reports, or any other method.


To prevent event data sharing via:

  • SDK (Android, iOS—starting with SDK V5.4.1):
    • Prevent ALL media sources from receiving the event: Use setSharingFilterForAllPartners SDK method.
    • Prevent one or more specified media sources from receiving the event: Use setSharingFilter SDK method.
  • S2S API:

Data sent to AppsFlyer: Data is sent and stored in AppsFlyer, but never shared with AppsFlyer's integrated partners.

 Example is a travel app for California's multiple theme parks. To be CCPA compliant, if a California resident submits an opt-out request, the app notifies AppsFlyer not to share the user event data with 3rd parties.   

Disable IDFA collection

AppsFlyer SDK collects the user IDFA by default, for attribution purposes. IDFA collection is essential to attribute installs to Facebook Ads, Twitter, Google Ads, and other media sources, which rely on device ID matching.

However, If needed, it is possible to disable the default IDFA collection.

To disable IDFA collection:


  1. In Xcode, click on your project on the left-hand side.
  2. Select Build Settings from the upper menu (see screenshot).
  3. Select All.
  4. In the right-hand search field, search for other linker flags.


  5. Double click on the list of dependencies to the right of Other Linker Flags, both debug and release.
  6. Remove AdSupport from the list of frameworks.



Session opt-out

When: Upon every app launch

What: All app sessions require the user's agreement to perform event and data recording during a session

How: For the Session opt-out scenario the first SDK call comes after the user agrees or refuses that data be sent from their device.

If the user agrees to send data then startTracking method should be called.
If the user refuses that data be sent then stopTracking method should be called.

Data sent to AppsFlyer will depend on the opt-out status of each session as follows: 

  • Opt-out session: No data is sent. 
  • Opt-in session: All session data is sent. Note: The first time the user opts-in install attribution data is sent. 


com.adultsplay is a casual gaming app for adults over 18 years old. It doesn't require users to register, but it does require their confirmation of age with every new launch. Sessions, where the users confirm they're over 18, get the full gaming experience and are recorded, while otherwise no recording is carried out.

Dev the developer added a flag called is_tracking, which becomes true only for sessions that confirm age 18. If this flag is true, startTracking method is called. Otherwise, the stopTracking method is called.

One-time opt-out


When: Anytime (GDPR)

What: The app owner collects attribution and post-install data. The user requests to stop further collection of data, Example In compliance with a GDP request GDPR.

How: Don't call startTracking and then directly call stopTracking!

Instead, on the first launch use the startTracking method with the requestListener. Upon successful completion, in the callback function call stopTracking.

On all the following sessions don't call startTracking.

Data sent to AppsFlyer: Install and session data is sent to AppsFlyer. No data is sent to AppsFlyer after the stopTracking method is called. 


com.watchmegrow is a plant growth viewing app, where users watch growing plants and mobile ads. The app owner wants to keep all in-app activities data secret.

On the first launch, Dev the developer calls startTracking method with the requestListener. When receiving a successful completion, calls stopTracking from the callback function and sets a persistent parameter is_first_launch to false. On following launches, Dev checks if is_first_launch is false, and then skips startTracking.


Code sample example here

Record install and anonymize

When: Upon the first launch

What: The app owner collects all attribution data, but wants to collect all further information, such as in-app events or sessions data, as unattributed organic data. Post-installation, all device IDs are anonymized when sent to AppsFlyer from the SDK.

How: Don't call startTracking and then directly call stopTracking!

Instead, on the first launch use the startTracking method with the requestListener. Upon successful completion, in the callback function call setDeviceTrackingDisabled(true).

Data sent to AppsFlyer:

  • On install: Complete attribution data is sent to AppsFlyer
  • After install: Session data including in-app events are sent to AppsFlyer. User identification information is anonymized or hashed on receipt by AppsFlyer. 


The app owner of the com.munistic app believes all users are born equal and prefers to see all their post-install actions as organic only.

On the first launch, Dev the developer calls startTracking method with the requestListener. When receiving a successful completion, calls setDeviceTrackingDisabled(true) from the callback function.

Code sample example here.

Opting-out of retargeting campaigns

Consider excluding opted-out users from retargeting campaigns. These users are likely to complain about being retargeted having opted out.

When manually running retargeting campaigns, targeted at active users, make sure to remove the opted-out users from the lists sent to media sources lists.

Alternately, if you're using AppsFlyer Audiences (to automatically build your audience lists and send them to selected media sources), then opted-out users are excluded from the media device lists sent to media sources by AppsFlyer.

stopTracking API and deep linking

Using the stopTracking API stops all external communication by the AppsFlyer SDK embedded in the app.

Therefore, after calling stopTracking, shortened links are no longer decoded by the AppsFlyer SDK. This means that any shortened link does not generate the call to onAppOpenAttribution, and deep linking isn't performed correctly.

If your app has a relatively high percentage of opted-out users and you plan some retargeting campaigns for your users, use long links, and avoid using shortened links.

Restarting the SDK function

When an opted-out user agrees to opt-in call the startTracking method to restart the SDK and begin recording attribution data.

Was this article helpful?