Summary: Privacy and compliance in digital advertising mean navigating regulatory frameworks such as the GDPR and CCPA or dealing with iOS 14.5+ or the death of the cookie, while producers need to create privacy-first marketing strategies that provide effective marketing and privacy for users and remain compliant.
Estimated Reading Time: 25 Minutes | Update: July 2025
What is Data Privacy in Digital Advertising?
Briefly: Data privacy in digital advertising will also include legal, ethical, and some technical constructs to protect users’ data while enabling targeted advertising, which includes transparent data collection, regulations, user consent management, and so-called privacy-preserving ad tech.
Key components of privacy:
- Regulatory compliance: Following the GDPR and CCPA, etc.
- Consent management: Transparent collection and management of user consent
- Data minimization: Only collecting data for specific purposes
- User rights: Access, deletion, and portability
- Technical safeguards: Security measures and privacy-preserving technologies
The Landscape of Privacy: Major Policies and Changes
Maintaining any compliant digital advertising strategy requires an understanding of evolving privacy regulations.
Core Privacy Regulations
EU GDPR (General Data Protection Regulation)
Scope: Data processing of persons residing in the EU, wherever it occurs Enforcement Date: May 25, 2018
Major Requirements:
- Lawful Basis: A clear legal basis must exist for data processing
- Consent: Freely given, specific, informed consent must be obtained
- Rights of Data Subject: To access, rectify, erase, and portability
- Privacy by Design: Data systems must be designed with privacy as an integral part
- Data Protection Officer: Appointment of DPO when applicable
- Fines: Up to €20 million or 4% of annual global turnover
- Advertising Impact: Consent requirements, limitation on tracking, data minimization
US CCPA (California Consumer Privacy Act)
Scope: Residents of California and businesses satisfying the thresholds
Enforcement Date: January 1, 2020 (amended in 2023 by CPRA)
Key Requirements:
- Disclosure Rights: The entities that collect and sell personal information.
- Opt-Out Rights: Right to refuse sell of his or her personal information
- Non-Discrimination: Cannot discriminate against those exercising their privilege of privacy
- Deletion Rights: Right to have personal data deleted
- Do Not Sell: Clear opt-out mechanism
- Penalties: Up to $7,500 per violation when committed intentionally
- Advertising Impact: Contains opt-out requirements, disclosure obligations, and consent mechanisms
CA PIPEDA, Personal Information Protection and Electronic Documents Act
Scope: Canadian organization dealing with the collection of personal information
Effective Date: 2001, with amendments continuing to this day
Key Principles:
- Accountability: Organizations are responsible for personal information
- Identifying Purposes: Purposes should be identified at least in broad terms
- Consent: Knowledge of and consent to the collection and use
- Limiting Collection: Should collect information only as needed
- Accuracy: Should keep personal information up to date
Advertising Impact: Consent requirements, purpose limitation, data accuracy
Regional Privacy Laws
- Brazil LGPD: Lei Geral de Proteção de Dados
- China PIPL: Personal Information Protection Law
- India PDPB: Personal Data Protection
- Singapore PDPA is the Personal Data Protection Act.
- Data Protection Law in the UAE refers to the Federal Data Protection Law.
Common Themes: Consent, data minimization, user rights, and cross-border restrictions.
Platform Privacy Changes and Their Impact
The major platform privacy changes fundamentally alter all aspects of digital advertising related to digital advertising tracking and targeting.
iOS 14.5+ ATT (App Tracking Transparency)
Implementation: April 2021
Key Changes:
- Permission Needed: Mandatory user opt-in for cross-app tracking
- IDFA Limitations: Usage limited to Identifier of Advertisers (IDFA)
- Attribution Windows: View-through attribution is limited to 24 hours; click-through, 7 days
- Conversion Limits: A Maximum of 8 conversion events can be configured per campaign
- Opt-In Rates: One in five American users globally
Bypassing Methods:
SKAdNetwork for iOS attribution, first-party data collection, probabilistic modelling, aggregated attribution, contextual targeting, and interest-based targeting
Third Party Cookie Deprecation:
Timeline: Chrome: Intended to be in 2024, but has now been delayed to 2025
Browser Status:
Safari: The cookie is already restricted under ITP.
Firefox: Third-party cookies are blocked by Enhanced Tracking Protection.
Chrome: With the development of the Privacy Sandbox, it will be phased out gradually.
Edge: Cookie restrictions and tracking prevention features are in place.
Advertising Impact:
Limits cross-site tracking capabilities
Limits retargeting and audience building
Attribution measurement becomes difficult
Frequency capping becomes difficult
Replacement Technologies:
Topics API-for-interest-based-advertising
FLEDGE-for-remarketing-and-custom-audiences
Attribution Reporting API for conversion measurement
Trust Tokens-for-fraud-prevention
Google Privacy Sandbox
Use Case: Third-party cookie replacement while providing ad capabilities.
Key APIs include:
Topics API – Interest-based advertising without cross-site tracking
FLEDGE – Remarketing/Custom audience solutions
Attribution Reporting – Allows marketers to measure conversions while remaining private
Trust Tokens – A usability that would fight fraud vs passive tracking
Privacy principles:
On-device processing and local data storage
Aggregated and anonymized reporting
User rights and transparency
Differential privacy techniques
Testing status: Origin trials with a planned gradual rollout until 2025
Android Privacy Changes
Android Privacy Sandbox – A Privacy sandbox on Android that has the same principles as Chrome’s privacy sandbox.
Key Changes:
Limited Advertising ID – More user choice over ad personalization
Topics on Android – Interest-based advertising without cross-app tracking
FLEDGE on Android – Remaking on device
Attribution Reporting – Privacy Preserving Measurement Solutions
Timeline: Gradual rollout from 2024 until 2025
Affected Developers: Changes SDKs, new APIs, new measurement approaches
Data Privacy & Compliance FAQ
What is the difference between explicit consent and legitimate interest under GDPR?
Explicit consent calls for unambiguous permission from the data subject for the data processing. Legitimate interest permits the processing when necessary for legitimate business purposes, on the condition that such interests are not overridden by the rights of the data subject to privacy. Therefore, the legitimate interest demands a balancing test and easy opt-out possibilities for users.
How much time, on average, do you keep data on your users for advertising?
Retention periods depend on jurisdiction and purpose. The GDPR stipulates data minimization and purpose limitation-advertising data will generally be retained for between 12 and 24 months unless users have some sort of relationship of continuous service with the controller. CCPA provides a similar allowance for data to be kept for purposes disclosed by the business. However, in all cases, data retention policies should be in line with the respective declared purposes.
Do privacy laws apply to B2B advertising and marketing?
They do; privacy regulations govern the processing of personal data relating to any individual, hence, even in a B2B context. Business e-mail addresses, names, or job titles are personal data. However, some regulations do contain specific provisions regarding B2B communications, particularly concerning existing business relationships.
What is supposed to take place if we face a data breach involving advertising data?
Under the GDPR, notification to authorities must happen within 72 hours after a breach, and notification to affected individuals must occur without unreasonable delay when there is a high risk. CCPA only requires notification to the California Attorney General. Be sure to have your incident response plans in place, document the breaches, examine cyber insurance, and remember that noncompliance could lead to serious fines.
Consent Management and User Rights
Good consent management finds a balance between legal compliance and user experience plus commercial interests.
Consent Management Framework Consent-Gathering Best Practices GDPR Requirements:
Freely Given: There can be no coercion, bundling, or detriment for refusing
Specific: Separate consents for different purposes
Informed: Provide the data subject with all information about data use
Unambiguous: Give consent by a clear affirmative act and not by silence or pre-ticked boxes. References to pre-ticked check boxes are specifically forbidden
Implementation:
Granular consent options for various uses of data
Clear, concise explanation of how data will be used
Easy withdrawal process
Maintain records in case of audits
Consent Management Platforms (CMPs) Core Features:
Consent Collection: Easy and accessible interfaces for obtaining consent
Preference Centres: Control over certain specific uses of your data
Consent Signals: To enable the movement of consent status to your advertising partners
Compliance Monitoring: Regular auditing & reports
Technical Integrations:
IAB Transparency & Consent Framework’s (TCF) 2.0
Google Additional Consent mode
Custom consent APIs and webhooks
Real-time consent updates
User Rights Management Data Subject Rights (GDPR):
Right of Access: Access to copies of their own personal data
Right to Rectification: Data is accurate
Right to Erasure: Delete data (“right to be forgotten”)
Right to Portability: Provide personal data in a machine-readable structured format
Right to Object: Opt out of the processing of personal data for direct marketing purposes
Consumer Rights (CCPA):
Right to know what types of personal information are being collected
Right to delete all personal information
Right to opt out of the sale of their personal information
Right not to be discriminated against for exercising these rights
Technical Implementation Consent Signals:
TCF 2.0: IAB framework for passing consent
Google Consent Mode: Google’s consent signalling system
US Privacy String: CCPA compliance signalling
Custom Signals: Custom consent management
Integration Points:
Web analytics and measurement platforms
Ad tech stack
Customer data platforms
Email and CRM systems
Privacy-First Advertising Strategies
Advertising in an era of privacy first offers a completely new way of thinking about its existence, such that it tolls the rights of the end user, while still ensuring the efficacy of your campaign.
Privacy-Preserving Advertising Approaches First-Party Data Strategy
Strategy: Build direct relationships with customers and own data assets
Implementation:
Customer Registration – incentivize account creation and account logins
Progressive profiling – collect data with interactions
Value Exchange – provide value for exchanging data
Zero-party data – collect customer preferences directly
Benefits: All data control, best data quality, collective ownership of customer data, and compliance with privacy regulations
Challenges: Limited scale, acquisition costs of users, and complexity of data collection.
What is Contextual Advertising?
It refers to showing advertisements to people based on the content of the web page rather than user behaviour.
Methods of targeting:
Keyword Targeting: – Matching the ad with the page content keywords.
Topic Classification: – Selecting content categorized by content categories and themes.
Sentiment Analysis: – So that ads fit with content type, tonality, and emotion.
Semantic Analysis: – To understand the meaning and context of content.
Benefits: Privacy-friendly, ensures fit with the brand, and can deploy now.
Liabilities: Minimal personalization is possible, and ads are generally very expensive.
Privacy Preserving Technologies
Technologies: Sophisticated methodologies from privacy-preserving data publishing and knowledge discovery sub-disciplines to facilitate advertising with privacy-preserving technologies.
Methods:
Differential Privacy: Adds statistical noise to the original data while protecting everyone in it.
Federated Learning: Trains machine learning via the end user’s device/neither the data nor any centralized information from other sites is ever exposed or released.
Secure Multi-Party Computation: Protocols exist that allow parties to collectively and collaboratively analyse their data, without revealing their private inputs ultimately.
Homomorphic Encryption: Permits the data to remain encrypted while computations can take place on the encrypted/enciphered data.
Application: Audience insight, attribution, and look-alike modelling.
Current Status: Emerging adoption, technical development.
Cohort-Based Targeting:
Concept: Target groups of similar users rather than individuals.
Implementation:
Topics API: Considered by Google as its philosophy toward interest-based cohorts
FLEDGE: On-device activities and remarketing
Custom Cohorts: Groups of users created by first-party data
Lookalike Cohorts: Identification of audiences who resemble an existing one
Benefits: Privacy to the user, legal compatibility, and scalability
Trade-offs: Reduction of accuracy, dependence on platform adoption
Data Governance and Management
The framework of data governance includes mechanisms to ensure compliant data handling across the advertising ecosystem.
Data Governance Framework
Data Audit and Classification
Data Mapping:
Understand data sources: Identify where you are collecting personal data
Understand what data you are collecting: Classify data by sensitivity and risk
Understand processing purpose: You should keep a record of every purpose of processing personal data
Understand data flows: You should depict the data patterns that describe the data flows and sharing
Classification examples:
Personal identifiers (e.g., email, phone, name)
Behavioural data (e.g., browsing history, purchase history)
Demographic data (e.g., age, location)
Special category data (e.g., health, religion, political views)
Policies and Documentation Documentation Fulfilling Requirement:
Privacy Policy: Clear and complete user-facing policy
Records of processing: Your own internal records of processing activities
Vendor contracts/agreements: Contracts/agreements of vendors that detail data processing
Records of consent: Records documenting that consent is valid
Policy Elements:
Purpose of Data Collection and Its Legal Basis in Compliance
Sharing of Data and Transfer to Third Parties
Users’ Rights and Ways to Exercise Them
Retention of Data and Deletion Methods
Vendor Management and Partner Relationships Due Diligence Process:
Privacy Assessment: Evaluation of the partner’s privacy practices
Data Processing Agreements: Legal frameworks for sharing data
Security Assessment: Evaluation of the data protection measures
Compliance Review: Verifying partner compliance on an ongoing basis
Contractual Requirements:
Purpose limitation and restrictions on the use of data
Notification of sub-processors and approval
Notifications relating to data breaches
Audit rights and compliance monitoring
Security and Technical Measures Technical Measures:
Encryption: Data protection in transit and at rest
Access Controls: Roles and authentication
Data Minimization: Only data necessary should be collected and processed
Pseudonymization: Disassociate the identity from identifiable information
Organizational Measures:
Training of the staff and awareness programs
Privacy impacts assessment
Incident response procedure
Compliance audits and reviews are regularly
Cross-Border Data Transfers
International data transfers have to be done through legal mechanisms and safeguards in place to ensure the maintenance of the protection of privacy.
Transfer Mechanisms EU Transfer Mechanisms Adequacy Decisions:
Countries considered to provide adequate protection
Current list includes the UK, Canada, Japan, and South Korea
A Data Privacy Framework of the US-EU is in the process of replacing the Privacy Shield
No further safeguards needed
Standard Contractual Clauses (SCCs):
Contractual clauses adopted by EU Commission
Transfer Impact Assessments required
Further safeguards may be needed
Most commonly used transfer mechanism
Binding Corporate Rules (BCRs):
Internal rules on privacy for multinational companies
Approval by regulators is required
Difficult to implement but flexible to operate
Best suited for bigger organisations
Transfer Impact Assessments (TIAs) The assessment requirement involves:
Local law oversight: Study the entire legal framework of the country of destination
Governmental access: Review surveillance and data access laws
Remedy-check: Whether any remedy is available
Additional Safeguards: Installed additional protective measures
Common Safeguards:
Enhanced encryption and pseudonymization
Data minimization and purpose limitation
Regular compliance monitoring and audits
Contractual safeguards and transparency
Regional view: China PIPL:
Data localization particularly for critical data
Security assessments required for cross-border transfers
Requirement for filing of standard contracts
Certification for the protection of personal information
Russia Data Localization:
Personal data concerning Russian citizens must be stored in Russia
Processing can be carried out outside but with local storage
Heavy penalties for non-compliance
Limited exceptions for particular purposes
Industry Self-Regulation and Standards
Industry organizations provide various frameworks and standards in addition to the legal provisions for privacy protection.
Key Industry Initiatives
IAB Transparency & Consent Framework (TCF)
Purpose: Standardizing the collection of consent and agreeing on communication with vendors
Components:
Global Vendor List: registered advertising technology vendors
Consent String: encoding of the user’s consent preferences
Purposes and Features: standardized data use categories
Policy Requirements: compliance obligations of vendors
Advantages: standardization throughout industry; lower implementation cost and time
Drawbacks: EU and EEA-centric; vendor dependence; complex
Global Privacy Platform (GPP)
Purpose: One standard across jurisdictions via signals for privacy
Scope:
GDPR (EU/UK/EEA)
CCPA/CPRA (California)
State privacy laws (Virginia, Colorado, Connecticut)
Future regulation compatibility
Technical Specification:
Unified consent string format
API specifications for consent management
Section-based architecture for different laws
Backwards compatibility with existing systems
Partnership for Responsible Addressable Media (PRAM)
Focus: Standards for privacy-protecting addressable advertising
Principles:
Transparency: Ensure full disclosure about data practices
Consumer Control: Provide meaningful choice and control to the consumer
Data Minimization: Collected data must be confined to only what is necessary
Accountability: To exercise responsible behaviour while handling data
Members: Major agencies, brands, and technology providers
Trustworthy Accountability Group (TAG)
To fight fraud, malware, and privacy violations
Certification programs:
Anti-fraud: Prevention of invalid traffic
Brand Safety: Filtering and protection against unfitting content
Anti-Malware: Prevention against security threats
Privacy: Protection of data and ensuring compliance
Benefits: Credibility among industry members, validation of compliance, reduction of risks
Privacy Compliance Implementation
Practical steps for ensuring privacy compliance in digital advertising operations.
Execution Roadmap
Phase I: Assessment and Planning (Months 1 & 2)
Current State Analysis
Data Audit: An inventory of all personal data collection and processing
Legal Mapping: Identify which privacy law(s) will apply
Gap Analysis: Compare current state to legal expectations, identify gaps
Risk Assessment: Assess risk of non-compliance and/or responsibility for compliance
Stakeholder Engagement: engage with legal, IT, marketing, and business parties
Phase II: Infrastructure Building (Months 3 & 4)
Building Blocks
Consent Management: Implementation of CMP and issuing of consent to consumers
Privacy Policy Republish: Review and publish updated privacy policies
Data Processing Agreement: Refresh agreements with vendors
Technical Implementation of Privacy Controls: about privacy controls
Training Programs: training staff on privacy requirements
Phase III: Operationalization (Months 5-6)
Integration:
Campaign Process: put privacy checks into the campaign process
Data Subject Rights: implement processes for actioning rights requests
Incident Response: put processes into place for breach notification
Review and Monitoring: Put processes in place to review compliance on an ongoing basis
Documentation: create processing records and document consent
Phase IV: Continuous Optimization (Ongoing)
Continuous Improvement
Audits: Audit compliance activities from time to time
Regulation Watch: Monitoring for changes to laws, keeping compliance posture in place
Optimization: Time-to-market for optimising privacy vs advertising efficiency.
Best Practice Updates: Keep current and integrate any changes from the industry
Future of Privacy in Digital Advertising
The privacy landscape remains in flux with new updates in regulations, technologies, and practices.
Emerging Trends and Developments
Regulatory Evolution
US Federal Privacy Law: Possibility of national privacy legislation
State Law Expansion: More states in the US are joining privacy laws
Global Harmonization: Increasingly harmonizing privacy principles
Enforcement Intensification: Growing larger fines and being aggressive in enforcing
Technology Innovation
Privacy-Enhancing Technologies: Involving top cryptographic solutions
Decentralized Identity: Identity control and data sharing by the user
Artificial Intelligence: AI powering privacy protection and compliance
Blockchain Applications: Transparent, providing verifiable practices on data
Industry Standards
Global Privacy Framework: Signal standards for worldwide privacy
Interoperability: Carrying privacy preferences from one platform to another
Accountability Measures: Increasing measures of self-regulation within the industry
Certification Programs: Programs that certify privacy compliance
Consumer Expectations
Demand for Transparency: More visibility into data practices
Control Preference: More granular privacy controls
Value Exchange: Clear, direct benefits in exchange for data sharing
Trust Requirement: Higher standards for trust in the brands
DESSY’s Privacy-First Advertising Solutions
DESSY’s advertising technologies, which favor data privacy, provide the marketer with clever ways for publicity while respecting consumer choices and regulatory frameworks.
Built-In Compliance Features
Consent management, privacy controls, and compliance features are built in for ease in running a campaign with maximum comfort of meeting all privacy requirements, including but not limited to GDPR, CCPA, etc..
Privacy-Preserving Targeting
Targeting that relies on advanced context and first-party data activation is a new use of technology. This type of advertising can be quite effective without violating people’s privacy.
Privacy Preserving Analytics
These measurement and attribution solutions also work with privacy compliance that allows for insight generation for campaigns while also respecting user privacy rights and the compliance legislation it requires.
Expertise in Regional Privacy
The ability to operate within and comply with the privacy laws and regulations in target markets across Europe, the Middle East, and Southeast Asia regions.
Adaptive Privacy Management
The privacy of data can be managed and delivered at a detailed level, and companies can alter their data policies to satisfy all their business requirements and user choices.
Documentation That Supports Compliance
Automated documentation of compliance, reporting, investigation, and audit trails may serve as the kind of relief an organization needs to bear the regulatory pressure.
Navigating Privacy Compliance with DESSY
Privacy compliance and user trust go hand in hand with striking the balance among successful advertising campaigns-that DESSY does with its full suite of compliance tools and privacy-first platform.
Integrated solution for consent management and privacy compliance Targeting and measurement technologies designed to protect privacy Analytic and attribution solutions that comply Regional privacy expertise across Europe, the Middle East & SEA Flexible privacy controls and customization options Automated compliance documentation and reporting
