
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

AdTech privacy violations are one of the biggest sources of regulatory fines in the U.S. With new laws targeting data brokers, precise geolocation tracking, and sensitive health data, companies must rethink how they handle data-sharing with marketing partners.
At the Bridge Privacy Summit 2025, Robert Bateman led a discussion with privacy and AdTech experts on the biggest privacy enforcement trends, technical challenges, and risk mitigation strategies.
The panel featured:
New privacy laws have expanded what qualifies as sensitive data and regulators are enforcing these rules aggressively. Andrea outlined three areas of high-risk data sharing that her team is focused on:
Andrea:
"The first has to do with precise geolocation—either using it to track or target individuals or to collect personal information in association with precise geolocations. There are 16-plus state laws that classify it as sensitive category information that requires explicit opt-in to collect or use it. There’s a lot of scrutiny, there's enforcement around it."
Andrea:
"Health data is also classified as sensitive category data under these new state laws and requires explicit opt-in. But there’s even more attention on health data in some of the new laws, particularly the Washington My Health My Data Act. There’s a lot of enforcement around it. There’s now a private right of action available in Washington, which really ratchets up the risk."
Daniel:
"The data broker laws, the regulations are quite broad. What classifies as a data broker does not necessarily require selling data for money. It can be sharing data in exchange for valuable consideration, which can be access to certain features or special pricing."
Enforcement is following the same trends as legislation, with regulators focusing on health data, location tracking, and minors. Daniel explained where enforcement is already happening and what’s coming next.
Daniel:
"The areas that we have seen enforcement brought, in particular by the FTC, have been around health data, precise location data in the context of advertising technology - often the identifiers collected through SDKs."
Daniel:
"Children’s privacy is a huge focus. COPPA defines children’s data as under 13, but we've seen subsequent laws define teens as a new category - 13 to 15, and even up to 17 in New Jersey. You have to be getting opt-in consent to engage in targeted advertising to those demographics."
Daniel:
"The California Privacy Protection Agency has already brought six actions against companies for failure to register as data brokers. That’s just the tip of the iceberg. We’ve already seen actions by Texas, and I predict we're going to see a lot more this year."
Many AdTech platforms weren’t built with privacy in mind, making compliance a major technical challenge. Rowena broke down why companies struggle to make marketing tools privacy-friendly.
Rowena:
"The biggest hurdle is that these systems were not originally built to have granular controls in place. In many cases, it’s really just an on-and-off switch, there’s no way to purpose-limit the use of different data."
Rowena:
"For small to medium organizations, this can be a really heavy lift. That’s where technical standards can help. There are so many different marketing tools and platforms out there. Imagine how painful it is to implement distinct integrations for each one just to comply with privacy laws."
Raashee outlined a three-step approach to managing privacy risks in AdTech partnerships:
"Advertising, as we all know, has a leaky funnel. If there's not an awareness or clear understanding of what tags and pixels collect, that’s a problem. Companies need to understand what’s happening on their website - what type of tags, cookies, pixels are being placed - and have a pulse on that."
"It’s not one-and-done. You need a monitoring plan- whether it's a scanner or a manual process. Your business changes, new tags show up, and marketing teams evolve their programs. There’s a need for continuous monitoring."
"A lot of companies have hundreds of AdTech vendors. That’s not a good idea. You need to apply the 80/20 rule - most of the value probably comes from 20% of your partners. Vendor due diligence is critical."
With privacy laws tightening, some companies wonder if every AdTech practice needs a Privacy Impact Assessment (PIA). Daniel shared his perspective.
Daniel:
"When we use the term ‘AdTech,’ that covers the entire industry - measurement, data matching, licensing. Not every AdTech function is high risk. If you're engaging in data matching or licensing, yes, you should do a PIA. But targeted advertising alone might not always require one."
Daniel:
"Regulators will expect documentation. If an enforcer comes to you, you need to say: 'We reviewed it. Here’s a copy of the contract. Here’s what we did.' If you don’t have that, you’re vulnerable."
Privacy and marketing teams often have opposing goals - one wants maximum data collection, the other wants minimal risk. Andrea and Rowena shared how companies can bridge this gap.
Andrea:
"The best approach is to get in front of any product and business development plans. Be seen as a partner, not a blocker. The worst-case scenario is finding out a team has built something, they’re ready to launch, and then you tell them it’s not compliant."
Rowena:
"In my mind, there’s a privacy triangle: business teams, product and engineering teams, and legal teams. These three need to be in constant communication to build the strongest privacy-safe products and features."
Regulators may be shifting focus from federal to state enforcement. Andrea and Daniel shared their closing predictions.
Andrea:
"There’s less risk from the FTC and higher risk from state regulators, who are stepping in where the FTC may be stepping back."
Daniel:
"In California, regulators feel the law has been here for a while now. What we’ve seen in enforcement so far is not indicative of what’s yet to come."
📺 Watch on YouTube
🎙️ Listen on The Privacy Corner Podcast