Best Practices

Adtech Privacy Risk: Increasing Regulation and Enforcement

Vidhee Shukla
April 14, 2025

AdTech privacy violations are one of the biggest sources of regulatory fines in the U.S. With new laws targeting data brokers, precise geolocation tracking, and sensitive health data, companies must rethink how they handle data-sharing with marketing partners.

At the Bridge Privacy Summit 2025, Robert Bateman led a discussion with privacy and AdTech experts on the biggest privacy enforcement trends, technical challenges, and risk mitigation strategies.

The panel featured:

  • Andrea Wheeler - Senior Privacy Operations Manager, Quantcast
  • Rowena Lam - Sr. Director of Product, Privacy, and Data, IAB
  • Daniel Goldberg - Partner, Privacy & Security Attorney, FKKS
  • Raashee Gupta Erry - Advisor & Consultant, Lucid Privacy

What Types of Data Sharing Risks Are Most Concerning?

New privacy laws have expanded what qualifies as sensitive data, and regulators are enforcing these rules aggressively. Andrea outlined three areas of high-risk data sharing that her team is focused on:

Precise Geolocation Tracking

Andrea:

"The first has to do with precise geolocation—either using it to track or target individuals or to collect personal information in association with precise geolocations. There are 16-plus state laws that classify it as sensitive category information that requires explicit opt-in to collect or use it. There’s a lot of scrutiny, there's enforcement around it."

Health Data Under New State Laws

Andrea:

"Health data is also classified as sensitive category data under these new state laws and requires explicit opt-in. But there’s even more attention on health data in some of the new laws, particularly the Washington My Health My Data Act. There’s a lot of enforcement around it. There’s now a private right of action available in Washington, which really ratchets up the risk."

Data Broker Laws Expanding Definitions

Daniel:

"The data broker laws, the regulations are quite broad. What classifies as a data broker does not necessarily require selling data for money. It can be sharing data in exchange for valuable consideration, which can be access to certain features or special pricing."

Where Is U.S. Privacy Enforcement Headed in 2025?

Enforcement is following the same trends as legislation, with regulators focusing on health data, location tracking, and minors. Daniel explained where enforcement is already happening and what’s coming next.

Health & Location Data in AdTech

Daniel:

"The areas that we have seen enforcement brought, in particular by the FTC, have been around health data, precise location data in the context of advertising technology - often the identifiers collected through SDKs."

Expanding Age-Based Privacy Laws

Daniel:

"Children’s privacy is a huge focus. COPPA defines children’s data as under 13, but we've seen subsequent laws define teens as a new category - 13 to 15, and even up to 17 in New Jersey. You have to be getting opt-in consent to engage in targeted advertising to those demographics."

Data Broker Crackdowns Are Just Beginning

Daniel:

"The California Privacy Protection Agency has already brought six actions against companies for failure to register as data brokers. That’s just the tip of the iceberg. We’ve already seen actions by Texas, and I predict we're going to see a lot more this year."

Why Are Marketing Tools So Hard to Retrofit for Privacy Compliance?

Many AdTech platforms weren’t built with privacy in mind, making compliance a major technical challenge. Rowena broke down why companies struggle to make marketing tools privacy-friendly.

Legacy Systems Lack Granular Controls

Rowena:

"The biggest hurdle is that these systems were not originally built to have granular controls in place. In many cases, it’s really just an on-and-off switch, there’s no way to purpose-limit the use of different data."

The Need for Standardized Compliance Mechanisms

Rowena:

"For small to medium organizations, this can be a really heavy lift. That’s where technical standards can help. There are so many different marketing tools and platforms out there. Imagine how painful it is to implement distinct integrations for each one just to comply with privacy laws."

How Can Companies Monitor and Prevent Data Sharing Risks?

Raashee outlined a three-step approach to managing privacy risks in AdTech partnerships:

1. Understand What’s Happening in Real Time

"Advertising, as we all know, has a leaky funnel. If there's not an awareness or clear understanding of what tags and pixels collect, that’s a problem. Companies need to understand what’s happening on their website - what type of tags, cookies, pixels are being placed - and have a pulse on that."

2. Implement Ongoing Monitoring

"It’s not one-and-done. You need a monitoring plan - whether it's a scanner or a manual process. Your business changes, new tags show up, and marketing teams evolve their programs. There’s a need for continuous monitoring."

3. Curate Your Vendor List

"A lot of companies have hundreds of AdTech vendors. That’s not a good idea. You need to apply the 80/20 rule - most of the value probably comes from 20% of your partners. Vendor due diligence is critical."
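One way to put the three steps above into practice, shown as an added example that is not from the panel or from any tool it mentions: a minimal tag audit that inventories third-party hosts in a page snapshot, diffs them against the previous scan, and flags hosts outside a curated vendor list. The HTML, host names, vendor list and function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page snapshot; every host below is a made-up placeholder.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.first-party.example/app.js"></script>
<script src="https://tags.analytics-vendor.example/t.js"></script>
<script async src="//pixel.new-adnetwork.example/p.js"></script>
</head><body>
<img src="https://pixel.social-vendor.example/tr?id=123" width="1" height="1">
<iframe src="https://sync.unknown-dsp.example/match"></iframe>
<img src="/static/logo.png">
</body></html>
"""
FIRST_PARTY = "first-party.example"            # assumed site domain
APPROVED_VENDORS = {"analytics-vendor.example", "social-vendor.example"}
PREVIOUS_SCAN = {"tags.analytics-vendor.example",
                 "pixel.social-vendor.example",
                 "sync.unknown-dsp.example"}   # seen before, never approved

class TagCollector(HTMLParser):
    """Collects hosts referenced by script, img and iframe src attributes."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None  # None for relative URLs
        if host:
            self.hosts.add(host.lower())

def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def audit(html, first_party, approved, previous):
    collector = TagCollector()
    collector.feed(html)
    third_party = {h for h in collector.hosts if not belongs_to(h, first_party)}
    unapproved = {h for h in third_party
                  if not any(belongs_to(h, v) for v in approved)}
    return {"third_party": sorted(third_party),                      # step 1
            "new_since_last_scan": sorted(third_party - previous),   # step 2
            "unapproved": sorted(unapproved)}                        # step 3

if __name__ == "__main__":
    for key, hosts in audit(SAMPLE_HTML, FIRST_PARTY,
                            APPROVED_VENDORS, PREVIOUS_SCAN).items():
        print(key, hosts)
```

A static snapshot only sees tags present in the markup; tags injected at runtime by a tag manager require scanning the rendered page or captured network requests instead.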

Does Every AdTech Company Need a Privacy Impact Assessment (PIA)?

With privacy laws tightening, some companies wonder if every AdTech practice needs a Privacy Impact Assessment (PIA). Daniel shared his perspective.

PIAs Are Recommended, but Not Always Required

Daniel:

"When we use the term ‘AdTech,’ that covers the entire industry - measurement, data matching, licensing. Not every AdTech function is high risk. If you're engaging in data matching or licensing, yes, you should do a PIA. But targeted advertising alone might not always require one."

Companies Should Document Their Assessments

Daniel:

"Regulators will expect documentation. If an enforcer comes to you, you need to say: 'We reviewed it. Here’s a copy of the contract. Here’s what we did.' If you don’t have that, you’re vulnerable."

How Can Privacy & Marketing Teams Work Together?

Privacy and marketing teams often have opposing goals - one wants maximum data collection, the other wants minimal risk. Andrea and Rowena shared how companies can bridge this gap.

Integrate Privacy Early into Business & Product Development

Andrea:

"The best approach is to get in front of any product and business development plans. Be seen as a partner, not a blocker. The worst-case scenario is finding out a team has built something, they’re ready to launch, and then you tell them it’s not compliant."

Create a Strong Privacy Foundation Across Teams

Rowena:

"In my mind, there’s a privacy triangle: business teams, product and engineering teams, and legal teams. These three need to be in constant communication to build the strongest privacy-safe products and features."

What’s Coming Next in Privacy Enforcement?

Regulators may be shifting focus from federal to state enforcement. Andrea and Daniel shared their closing predictions.

Andrea:

"There’s less risk from the FTC and higher risk from state regulators, who are stepping in where the FTC may be stepping back."

Daniel:

"In California, regulators feel the law has been here for a while now. What we’ve seen in enforcement so far is not indicative of what’s yet to come."

Watch the Full Discussion

📺  Watch on YouTube
🎙️ Listen on The Privacy Corner Podcast
