Chapter 08: Privacy in Programmatic Advertising
The engine of programmatic advertising runs on data. From audience targeting to measurement and attribution, data fuels all the critical processes in programmatic advertising. However, collecting and using data has become challenging due to the rise of privacy laws and policies.
In this chapter, we will trace the history of privacy in digital advertising, from the humble cookie to the global regulatory frameworks that govern the industry today. We will dissect the key privacy laws, compare their requirements, and examine their profound impact on every player in the AdTech supply chain.
Key takeaways
- Data has always powered the growth of AdTech and programmatic advertising, but concerns around user tracking and personal data collection have made privacy one of the industry’s defining challenges.
- The evolution of privacy regulation — particularly the EU’s GDPR and laws such as the CCPA in the US — fundamentally changed how companies collect, process, and use advertising data.
- Browser and platform changes from companies such as Apple, Google, and Mozilla have reduced the effectiveness of third-party cookies and mobile identifiers, accelerating the industry’s shift toward privacy-first advertising.
- The decline of third-party tracking has increased the importance of first-party data, contextual advertising, universal IDs, consent management, privacy-enhancing technologies (PETs), and data clean rooms.
- The future of AdTech and programmatic advertising will depend on balancing effective advertising, user privacy, transparency, and trust while adapting to evolving regulations, technologies, and consumer expectations.
Data is the new oil
As we have explored in previous chapters, data is what enables the precise targeting, real-time decisioning, and detailed measurement that make the ecosystem so powerful. So much so that data is often labelled as the “new oil” due to the value it can provide companies, especially those in the programmatic advertising industry.
However, the collection and use of this data – particularly data about individuals – has been the subject of intense debate and scrutiny for over two decades.
Over the years, privacy has fundamentally reshaped the technologies, processes, and business models of the industry.
The tension between personalisation and privacy has triggered a wave of landmark regulations, forced seismic policy shifts from the world’s largest technology companies, and given rise to a new generation of privacy-enhancing technologies (PETs).
The history of privacy in AdTech & programmatic advertising
The history of privacy in digital advertising is a story of technological innovation consistently outrunning regulatory and consumer understanding. Each new capability that allowed for more precise targeting also created new questions about data collection and consent.
The early days (1994-1999): The birth of the tracker
As we noted in Chapter 01, the web cookie was invented in 1994 to help websites remember users during a session. Its purpose was functional, not commercial.
However, companies like DoubleClick quickly realised that third-party cookies could be used to follow users from one site to another, creating a rudimentary history of their browsing habits.
This marked the birth of cross-site tracking and the very beginning of the online privacy debate.
Early concerns were niche, mostly confined to tech-savvy users and privacy advocates, but the seeds of the future conflict were sown.
The AdTech boom (2000-2010): Data at scale
The 2000s saw the rise of ad networks, ad exchanges, and eventually, real-time bidding (RTB).
As detailed in Chapter 02, these platforms were designed to aggregate vast amounts of inventory and audience data to make ad buying more efficient.
This was the era of the data management platform (DMP), a piece of technology built specifically to ingest, segment, and activate large-scale audience data, often from third-party sources.
The sheer volume of data being collected and traded began to attract wider attention, with regulators and journalists starting to question the lack of transparency in the rapidly growing programmatic ecosystem.
The mobile and social era (2010-2017): New identifiers, new concerns
The explosion of smartphones and social media introduced new, more persistent identifiers, such as Apple’s IDFA and Google’s GAID, as discussed in Chapter 04.
These mobile advertising IDs were tied to a device rather than a browser, allowing for even more accurate tracking within apps.
At the same time, social media platforms started creating rich, authenticated profiles of user interests, relationships, and behaviours.
This unprecedented level of data collection, combined with high-profile data breaches, brought the issue of digital privacy into the mainstream public consciousness.
The rise of regulation (2018-present)
The growing public and political pressure culminated in the enforcement of the General Data Protection Regulation (GDPR) in Europe on May 25, 2018. This landmark law fundamentally changed the rules for any company handling the data of EU residents and citizens.
It marked the end of the industry’s self-regulation era and ushered in a new age of compliance, user consent, and significant financial penalties for violations.
The key privacy events in programmatic advertising from 1994 to the present (2026)

The introduction of privacy laws
The shift toward a regulated digital advertising landscape did not happen overnight. It was the result of a legislative evolution that spanned more than a decade, with European regulators leading the charge.
The European Union’s ePrivacy directive
Long before the GDPR, the ePrivacy Directive, colloquially known as the “cookie law,” was the EU’s first major attempt to regulate online tracking.
Adopted in 2002 and amended in 2009, its most significant provision required websites to obtain user consent before storing or accessing information on a user’s device.
This directive is the reason users across Europe began seeing “cookie banners” asking for their consent to use cookies.
While its enforcement was inconsistent across member states, it established the foundational principle of user consent for tracking and laid the legislative groundwork for the more comprehensive GDPR.
The EU’s GDPR
The European Union’s General Data Protection Regulation (GDPR) is arguably the most important data privacy regulation in the world.
Enforced from May 25, 2018, it replaced the patchwork of national data protection laws across the EU with a single, harmonised framework.
The GDPR’s impact on AdTech has been profound because of its broad scope and strict requirements:
- It protects the “personal data” of any EU citizen or resident, regardless of where the company processing the data is located.
- It requires companies to have a valid legal basis for any data processing activity, with “unambiguous consent” being one of the most common and difficult to obtain.
- It grants individuals a robust set of rights, including the right to access, rectify, and erase their personal data.
- It mandates the use of privacy-by-design principles and requires data protection impact assessments (DPIAs) for high-risk processing activities.
- It introduced fines of up to €20 million or 4% of a company’s global annual turnover, whichever is higher, for serious infringements.
For programmatic advertising, which was built on the large-scale processing of user data, the GDPR forced a complete re-architecture of consent management and data handling practices.

Privacy laws in the US
Unlike the EU’s comprehensive approach, the United States has historically regulated privacy on a sectoral basis (e.g., specific laws for healthcare or financial data). There is no single federal privacy law equivalent to the GDPR.
However, in the absence of federal action, individual states have begun to enact their own laws, creating a complex and fragmented regulatory landscape.
The most influential of these is the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. The CCPA was later amended and expanded by the California Privacy Rights Act (CPRA).
The CCPA grants California consumers new rights, including:
- The right to know what personal information is being collected about them.
- The right to delete that information.
- The right to opt out of the “sale” or “sharing” of their personal information.
Following California’s lead, several other states, including Virginia, Colorado, Utah, and Connecticut, have passed similar privacy laws, each with its own nuances and requirements.

Privacy laws around the world
The “Brussels Effect” of the GDPR has inspired dozens of countries to enact similar data protection laws.
Nations like Brazil with its LGPD, Canada with PIPEDA, and Japan with its APPI have all strengthened their privacy frameworks, largely aligning with the core principles of the GDPR.
This global trend means that privacy compliance is no longer just a European issue but a worldwide business imperative for the AdTech industry.
How the privacy laws in the EU and US differ
For companies operating globally, navigating the differences between the EU’s GDPR and the various US state laws is a major compliance challenge.
While their goals are similar, their approaches and definitions diverge in critical ways.
Key terms
The very definition of what constitutes protected data differs.
- Personal Data (GDPR): The GDPR takes an extremely broad view. It defines personal data as any information relating to an identified or identifiable natural person. This includes not only direct identifiers like a name or email address but also online identifiers such as cookie IDs, IP addresses, device IDs, and location data. If a piece of data can be used, alone or in combination with other data, to single out an individual, it is considered personal data.
- Personally Identifiable Information (PII) (US): Traditionally, US law operated with a much narrower concept of PII, which referred to data that directly identified an individual, like a name, address, or Social Security number. However, modern state laws like the CCPA/CPRA have expanded this definition to be much closer to the GDPR’s, explicitly including identifiers like cookies, IP addresses, and geolocation data in their definition of “personal information.”
Key similarities and differences
While both legal frameworks aim to give individuals more control over their data, their core mechanisms are fundamentally different.

The “opt-in” vs. “opt-out” distinction is the most critical difference for the advertising industry. Under GDPR, a company cannot set a tracking cookie or process a user’s data for advertising without first getting their explicit consent.
Under the CCPA, a company can do so until the user clicks a “Do Not Sell or Share My Personal Information” link.
What companies need to do to comply
To navigate this complex environment, companies in the AdTech ecosystem must adopt a comprehensive privacy program that generally includes:
- Implementing a consent management platform (CMP): A CMP is a piece of technology that presents users with privacy notices and consent banners, captures their choices, and communicates those choices to the rest of the AdTech supply chain via a standardised framework like the IAB’s Transparency and Consent Framework (TCF).
- Conducting data audits: Companies must know what data they collect, where it comes from, why they collect it, and where it is stored and sent.
- Updating privacy policies: Privacy notices must be transparent and clearly explain data processing activities in simple, accessible language.
- Honouring user rights: Companies must have processes in place to handle user requests to access, delete, or opt out of the sale of their data within the timeframes required by law.
To ensure proper compliance with the relevant privacy regulations, companies should seek legal advice.
The impact of privacy regulation on AdTech & programmatic advertising
The privacy laws and policies detailed above were not mere legal frameworks; they were catalysts that triggered a fundamental rewiring of the programmatic advertising ecosystem.
The impact has been widespread, affecting everything from audience targeting and measurement to the very balance of power within the industry.
The most direct consequence has been significant signal loss and a decline in addressability.
Stricter consent requirements under GDPR and the technical limitations imposed by browsers have dramatically reduced the availability of reliable third-party cookies and mobile IDs.
This makes it far more difficult to identify and target specific users across the open web, challenging the effectiveness of foundational strategies like behavioural targeting and retargeting.
This, in turn, has led to a strategic pivot across the entire industry toward first-party data.
As we explored in Chapter 05, data that a company collects directly from its customers with their consent has become the most valuable asset in advertising. Advertisers are investing heavily in customer data platforms (CDPs) to manage this data, while publishers are leveraging their direct audience relationships to create new, high-value advertising products.
Ironically, these regulations have inadvertently strengthened the dominance of the walled gardens.
Platforms like Google, Meta, and Amazon, which have billions of logged-in users, are perfectly positioned to thrive in a privacy-first world.
They have direct, authenticated relationships that make obtaining first-party consent straightforward, and their vast data assets are now even more valuable in comparison to the increasingly fragmented and anonymous open web.
Lastly, these new constraints have spurred a wave of innovation.
The challenges of a post-cookie world have accelerated the development of a new class of privacy-enhancing technologies (PETs), such as data clean rooms and new cryptographic solutions, which are designed to enable effective advertising while protecting user privacy.
We explore PETs in more detail below.
Changes to privacy policies by the tech giants
Alongside government regulation, the technology companies that control the internet’s main gateways – browsers and mobile operating systems – have become powerful privacy regulators in their own right.
Their policy changes often have a more immediate and widespread technical impact than privacy legislation.
Apple’s ITP and ATT
Apple has positioned itself as a champion of user privacy, implementing aggressive changes across its products:
Intelligent Tracking Prevention (ITP)
First introduced in the Safari browser in 2017, Apple’s Intelligent Tracking Prevention (ITP) is a feature that uses machine learning to identify and block third-party tracking cookies by default.
Over successive updates, ITP has become so effective that it has rendered cross-site tracking via third-party cookies in Safari almost impossible, significantly impacting measurement and attribution on Apple devices.

The introduction and updates to Apple Safari’s ITP have had a significant impact on the effectiveness of key programmatic advertising processes.
Below is an overview of the impact of ITP on AdTech and programmatic advertising.
- Reduced effectiveness of cross-site user tracking and retargeting: Because third-party cookies are blocked and lifetimes are shortened, tracking users across multiple websites becomes far harder. This undermines many classic behavioural advertising and retargeting models. For example, users may appear as new when revisiting a website after a cookie has expired, even though they are a returning visitor.
- Challenges for attribution, measurement and frequency capping: Shorter cookie lifespans mean that measuring long conversion windows (e.g., for high-consideration purchases) or accurate frequency capping is more difficult. Attribution models built on linking behaviour across sites are disrupted.
- Increased reliance on first-party data and server-side tracking: Because browser storage and third-party cookies are constrained, advertisers and publishers are shifting toward using first-party IDs, server-to-server tracking, and data clean rooms.
- Changes in ad pricing, publisher revenue and auction dynamics: With less reliable tracking, user-level targeting becomes weaker; this may reduce bid values for some inventory. Some studies find a slight drop in ad prices for Safari traffic compared to other browsers.
- A need to adapt AdTech platforms and vendors: Vendors must adjust cookie lifetimes, respect partitioning rules, avoid CACEs or tracking work-arounds that Safari flags, and adopt privacy-first approaches (e.g., anonymisation and aggregated measurement).
App Tracking Transparency (ATT)
Launched with iOS 14.5 in 2021, Apple’s App Tracking Transparency (ATT) is a framework that requires all apps to ask users for explicit permission to allow tracking.

This directly affects the availability of Apple’s mobile advertising identifier, the identifier for advertising (IDFA). With the majority of users choosing to opt out, the ability for advertisers to target and measure performance in the iOS ecosystem has been severely curtailed.
Google’s Privacy Sandbox
In response to growing privacy demands and the actions of its competitors, Google first announced its plan to phase out third-party cookies in its Chrome browser in 2020.
To do this without completely breaking the digital advertising economy, it launched the Privacy Sandbox initiative as a replacement for the main processes carried out by third-party cookies.
However, after delaying the deadline multiple times, Google announced on April 22, 2025, that it would scrap its plan to shut down support for third-party cookies.
Then, in October 2025, Google announced that it would retire many of its Privacy Sandbox APIs and technologies.
The APIs and technologies being phased out include:
- Attribution Reporting API (Chrome and Android)
- Topics API (Chrome and Android)
- Protected Audience, Private Aggregation, Related Website Sets, and others.
The reasons for this move include ongoing regulatory scrutiny from the UK’s Competition and Markets Authority (CMA) and low adoption rates of Privacy Sandbox.
Firefox’s ETP
Mozilla’s Firefox browser has long been a pioneer in privacy. Its Enhanced Tracking Protection (ETP) feature, introduced in 2019, blocks third-party tracking cookies and other tracking technologies by default for all users.

While Firefox has a smaller market share than Chrome, its privacy-by-default stance was an influential move that signaled the beginning of the end for the third-party cookie.
Ad blockers
Beyond regulations and corporate policies, users themselves have taken privacy and the user experience into their own hands through the widespread adoption of ad blockers.
Ad blockers are browser extensions or applications that prevent ads from being served and displayed on web pages. Their popularity represents a direct response from consumers to years of intrusive, disruptive, and often irrelevant advertising experiences.

The rise of ad blockers reflects a fundamental breakdown in the value exchange for many users, who feel the performance lag, privacy intrusion, and visual clutter of online ads outweigh the benefit of free content.
This has created a significant challenge for publishers who rely on advertising revenue to fund their operations, forcing them to adopt a range of strategies to mitigate the impact.
How do ad blockers work?
Ad blockers are not a single technology but a collection of techniques designed to identify and stop ads before they can be displayed.
Their methods are surprisingly effective and can be broken down into two primary mechanisms:
1. Blocking server requests
The most common method involves maintaining vast, community-curated blocklists (such as EasyList) that contain the domain names of thousands of known ad servers, analytics trackers, and AdTech platforms.
When a user navigates to a webpage, the ad blocker monitors all the outgoing requests the browser makes. If a request is destined for a domain on its blocklist, the ad blocker simply intercepts and stops it. The ad creative is never downloaded, and the impression is never counted.
2. Hiding ad elements
Sometimes, an ad creative might be served from a domain that isn’t on a blocklist. In these cases, ad blockers use a secondary technique.
They scan the HTML structure of the webpage, looking for elements with specific attributes that signal an ad, such as class="ad" or id="sponsored-content".
Once identified, the ad blocker injects CSS rules into the page to hide these elements from view, effectively making the ad invisible to the user.
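The two mechanisms above, shown as an added example (not code from any ad blocker or from this book): a reduced filter engine that handles only the ||domain^ network rules and ##selector cosmetic rules of EasyList-style syntax. The rule list, the .example hostnames and all function names are constructed for illustration.

```javascript
// Constructed sample rules in EasyList-style syntax (not taken from a real list).
const SAMPLE_RULES = [
  '! comment lines start with "!"',
  '||ads.example^',            // network rule: the domain and all its subdomains
  '||metrics.example^',
  '##.ad',                     // generic cosmetic rule: applies on every site
  '###sponsored-content',      // "##" followed by the selector "#sponsored-content"
  'news.example##.promo-box',  // cosmetic rule limited to one site
].join('\n');

// Split a filter list into blocked domains and element-hiding rules.
function parseFilterList(text) {
  const rules = { blockedDomains: new Set(), cosmetic: [] };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('!')) continue;
    const net = /^\|\|([a-z0-9.-]+)\^$/i.exec(line);
    if (net) {
      rules.blockedDomains.add(net[1].toLowerCase());
      continue;
    }
    const sep = line.indexOf('##');
    if (sep !== -1) {
      // Text before "##" is an optional comma-separated list of sites.
      const domains = line.slice(0, sep).split(',').filter(Boolean)
        .map((d) => d.toLowerCase());
      rules.cosmetic.push({ domains, selector: line.slice(sep + 2) });
    }
  }
  return rules;
}

// Match on label boundaries: "cdn.ads.example" matches "ads.example",
// but "notads.example" does not, although it ends with the same characters.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Mechanism 1: decide whether an outgoing request is stopped.
function isBlocked(requestUrl, rules) {
  let host;
  try {
    host = new URL(requestUrl).hostname.toLowerCase();
  } catch {
    return false; // unparsable URL: nothing to match against
  }
  for (const domain of rules.blockedDomains) {
    if (hostMatches(host, domain)) return true;
  }
  return false;
}

// Mechanism 2: build the CSS that is injected to hide ad elements on a page.
function hidingCss(pageUrl, rules) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  const selectors = rules.cosmetic
    .filter((r) => r.domains.length === 0 ||
                   r.domains.some((d) => hostMatches(host, d)))
    .map((r) => r.selector);
  return selectors.length
    ? `${selectors.join(', ')} { display: none !important; }`
    : '';
}

const demoRules = parseFilterList(SAMPLE_RULES);
for (const url of ['https://cdn.ads.example/banner.js',
                   'https://notads.example/app.js',
                   'https://news.example/article.html']) {
  console.log(isBlocked(url, demoRules) ? 'BLOCK' : 'ALLOW', url);
}
console.log(hidingCss('https://news.example/article.html', demoRules));
```

Real filter lists also carry exception rules, path patterns and resource-type options, which this reduced version ignores.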
The publishers’ pushback
The rise of ad blocking has forced publishers into a difficult position. They can’t simply ignore the problem, as it directly impacts their revenue.
In response, a variety of countermeasures have emerged, ranging from gentle persuasion to technical hardball.
Improving the ad experience
Many publishers recognise that ad blockers are a symptom of a poor user experience. The first line of defense is to make ads less intrusive and more relevant.
This can involve reducing the number of ads per page, removing disruptive formats like auto-playing video, and focusing on native advertising that integrates smoothly with the site’s content.
As we discussed in Chapter 06, native ads are designed to match the look and feel of the surrounding content, making them less likely to be perceived as disruptive.
Requesting to be whitelisted
A common tactic is to detect the presence of an ad blocker and display a polite message asking the user to add the site to their ad blocker’s “whitelist” or “allowlist.” This approach relies on the user’s goodwill and their appreciation for the publisher’s content.
Blocking access
Some larger publishers with highly valuable or unique content have taken a more forceful stance.
They detect if a user has an ad blocker enabled and completely block them from viewing the content until it is disabled.
Forbes famously pioneered this approach, offering users a choice: turn off the ad blocker or be unable to proceed to the article. This creates a direct choice between accessing the content and seeing ads.

Offering an ad-light experience
As a middle ground, some publishers negotiate with users.
Upon detecting an ad blocker, they might offer an “ad-light” experience as a reward for whitelisting the site, promising fewer and less intrusive ads. This acknowledges the user’s desire for a better experience while preserving the publisher’s revenue stream.
Ad recovery and re-insertion
A more technical solution involves “ad recovery” or “ad re-insertion” technology.
These services are designed to circumvent ad blockers by serving ads from domains that are not on the blocklists or by using server-side techniques to stitch ads directly into the content stream before it is sent to the browser.
This makes it much harder for client-side ad blockers to distinguish ads from legitimate content. However, this can lead to a technical arms race between ad recovery services and ad blocker developers.
Paywalls and subscriptions
Perhaps the most sustainable long-term strategy for publishers is to diversify their revenue beyond advertising.
Many have implemented paywalls or subscription models, offering users an ad-free experience in exchange for a recurring fee.
This changes the value exchange entirely, moving from an ad-supported model to a direct-to-consumer one, a trend we explored in Chapter 02 when discussing publisher monetisation.
The ongoing battle between ad blockers and publishers highlights the delicate balance of the modern internet.
While users seek a faster, more private, and less cluttered experience, publishers must find viable business models to continue creating the content that users come to see in the first place.
The most successful publishers will likely be those who can strike the right balance, offering a superior user experience and a clear value proposition, whether it’s supported by advertising or direct payment.
What’s ahead for AdTech as privacy rules shift?
The convergence of regulation, platform policy changes, and consumer behaviour has created a challenging but innovative new era for AdTech.
The future of programmatic advertising will be defined by its ability to deliver relevant, effective campaigns while fundamentally respecting user privacy.
This new world will be built on a foundation of different technologies and strategies.
Alternatives to third-party cookies
As we’ve touched upon throughout this book, there is no one-to-one replacement for the third-party cookie.
Instead, the industry is embracing a portfolio of solutions:
- First-party data strategies: This is the bedrock of the new advertising landscape. Data collected with direct user consent will be used for everything from on-site personalisation to audience activation in data clean rooms.
- Universal ID solutions: As detailed in Chapter 04, these solutions aim to create a new interoperable identity framework for the open web, built on authenticated, first-party data rather than anonymous third-party tracking.
- Contextual targeting: This classic advertising technique is seeing a major resurgence. Instead of targeting users based on their past behaviour, contextual advertising targets the content of the page they are currently viewing, aligning ads with the user’s immediate interests in a privacy-safe way.
Privacy-enhancing technologies (PETs)
Privacy-enhancing technologies (PETs) are a class of technologies designed to enable data analysis and collaboration while minimising the exposure of sensitive personal data. They are becoming central to the future of AdTech.
The most prominent example in AdTech today is the data clean room, which we explored in Chapters 05 and 07.
Data clean rooms allow for secure data collaboration for attribution and audience insights without requiring parties to share their raw data, providing a crucial tool for measurement in a world of signal loss.
Other advanced PETs, such as federated learning and differential privacy, are also being explored to train machine learning models and generate insights without centralising or exposing user data.

This transition is undoubtedly complex, but it is pushing the industry toward a more mature, transparent, and sustainable future.
The next era of programmatic advertising will be defined less by the scale of data collection and more by the quality of the value exchange offered to consumers, with user trust as the ultimate metric of success.