Privacy Enforcement Crossed A Line In 2025 – And There’s No Going Back | AdExchanger

image/svg+xml:

Topics
Latest
Marketers
Agencies
Publishers
Technology
Platforms
Identity
Measurement
Data Privacy
Artificial Intelligence
CTV
Commerce
AdExplainer
Exclusive Report
Daily News Roundup

Opinion
All Columns
Data-Driven Thinking
On TV & Video
The Sell Sider
Content Studio
Comic
Contributor Guidelines

About Us
Advertise
Newsletter
AdExchanger Advisory Board
About Us
Contact Us

Events
Programmatic AI Las Vegas
AdExchanger Awards
Webinars
All Events
Network Events

Podcasts
AdExchanger Talks
The Big Story
Inside the Stack

NEW! Programmatic AI 2026

Become an AdHero

Subscribe

Sign In

Sign In

Topics
Latest
Marketers
Agencies
Publishers
Technology
Platforms
Identity
Measurement
Data Privacy
Artificial Intelligence
CTV
Commerce
AdExplainer
Exclusive Report
Daily News Roundup

Opinion
All Columns
Data-Driven Thinking
On TV & Video
The Sell Sider
Content Studio
Comic
Contributor Guidelines

Events & Awards
Programmatic AI Las Vegas
AdExchanger Awards
Webinars
All Events
Network Events

Podcasts
AdExchanger Talks
The Big Story
Inside the Stack

Subscribe Free
Sign Up

About Us
Advertise
Newsletter
AdExchanger Advisory Board
About Us
Contact Us

CONNECT

Home Data-Driven Thinking Privacy Enforcement Crossed A Line In 2025 – And There’s No Going Back

OPINION: Data-Driven Thinking
Privacy Enforcement Crossed A Line In 2025 – And There’s No Going Back By Max Anderson, Ketch

Thursday, January 22nd, 2026 – 12:35 am
SHARE:

Max Anderson
Co-Founder

For most of the last decade, privacy compliance lived in a gray zone. Companies could point to a cookie banner, update a policy and reasonably believe they were doing enough. 
In 2025, that gray zone disappeared.
What changed was not the sudden arrival of a sweeping new law, but the scale and seriousness of enforcement. Regulators began enforcing privacy in volume and with meaningful financial consequences, signaling that these rules were no longer theoretical. Enforcement actions involving brands like Honda, Healthline, Sling and Todd Snyder clarified how privacy rules were meant to work in practice. Expectations around opt-outs, user experience and data handling became far more concrete.
In 2026, the industry will be operating with far less ambiguity and far less margin for interpretation.

Enforcement made privacy operational
The defining feature of 2025 was specificity. State regulators moved beyond asking whether companies offered privacy rights and began empirically testing how those rights functioned in practice.
Opt-out mechanisms were clicked, timed and evaluated; public-facing language was reviewed for clarity and intent; and UX patterns were scrutinized for friction. Regulators probed the nature of the data leaving the browser and how it was repurposed downstream. The Healthline matter was a wake-up call.
Enforcement went beyond data collection. Regulators increasingly examined what happened after a consumer exercised a choice. If a user opted out but their data still flowed into audience creation, targeting models or downstream analytics, that failure became the heart of the investigation.
The cookie banner era is over
For years, much of the privacy industry assumed that GDPR-style cookie consent could simply be transplanted into the US regulatory environment. A cookie banner does not equal privacy compliance in the US, and pretending otherwise is no longer tenable.
California makes that reality impossible to ignore. Early CCPA efforts mirrored a browser-centric, cookie-driven advertising model, but now enforcement has shifted decisively toward “Do Not Sell or Share” obligations that extend far beyond the browser. Regulators are now evaluating whether consumer choices actually change how data moves across systems, devices and identities, not just whether a banner appears on a page.

Subscribe

AdExchanger Daily
Get our editors’ roundup delivered to your inbox every weekday.

Daily Roundup

Daily News Roundup
Can Amazon Be Luxurious?; The Declaration Of Dependence

The next focus will be what happens after consent is revoked: how data is used, propagated and controlled across the enterprise.
That evolution makes one thing unavoidable: orchestration.
Privacy choices can no longer live only in a browser or device. They must travel across identities, systems and workflows, and they must be provable. Auditability and traceability are becoming enforcement expectations.
2025 broke the UX assumptions embedded in privacy tools. Static notices and forms, at best localized by region, no longer work in a world where privacy obligations are situational. Children’s privacy requirements, CIPA-driven disclosures, DNS-level differences based on whether a user is logged in and context-specific VPPA notices all emerged as enforcement realities, exposing a fundamental mismatch between how privacy interactions actually must occur and how most tools were designed.
Ironically, the next generation of privacy will require more data and more context, not less. Delivering compliant experiences will depend on understanding who the individual is, how they are interacting with an application, what data is in scope at that moment and which regulatory obligations apply in real time.
Consolidation is a signal, not a surprise
The privacy tech market sent its own message this year. Consolidation accelerated, with moves like Security AI being acquired by Veeam, TrustArc moving into private equity ownership and other platforms being absorbed or carved up.
This isn’t random. Privacy is a hard category, technically, operationally and commercially. As enforcement grows more sophisticated, it’s increasingly unrealistic to expect a single platform to master consent, rights, data mapping, assessments, governance and enforcement equally well.
Buyers are already adjusting. Many are moving away from one-size-fits-all expectations and toward best-of-breed approaches that align tools to specific risk areas. Long term, privacy will likely find durable homes inside adjacent categories like security, governance and IT operations. But shallow compliance tooling won’t survive contact with enforcement.
What 2026 will demand
Several trends are accelerating. CTV advertising is becoming a major enforcement focus. Children’s and teen data, particularly where age signals are present, will continue to reshape advertising practices. Health data remains squarely in regulators’ sights. And AI governance is moving from policy discussions toward real accountability.
Regulators are sending the same signal. Privacy risk is being measured by what can be observed from the outside. Opt-outs are tested. UX is scrutinized. And companies are held accountable for whether consumer choices actually affect downstream data use.
The companies that struggle in 2026 will not be the ones that ignore privacy outright. They will be the ones that failed to adjust their risk profile.
Privacy crossed a line in 2025. In 2026, that line will be much harder to hide behind.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow Ketch and AdExchanger on LinkedIn.
For more articles featuring Max Anderson, click here.

Next In Data-Driven Thinking

Goodbye, Outcomes Era? Nah. In 2026, It’s Picking Up Steam

Must Read

Commerce
Hershey’s Undergoes A Brand Update As It Rethinks Paid, Earned And Owned Media

This Wednesday marks the beginning of Hershey’s first major brand marketing campaign since 2018

Programmatic
A Win For Open Standards: Amazon’s Prebid Adapter Goes Live

Amazon looks to support a more collaborative programmatic ecosystem now that the APS Prebid adapter is available for open beta testing.

Publishers
Gamera Raises $1.6 Million To Protect The Open Web’s Media Quality

Gamera, a media quality measurement startup for publishers, announced on Tuesday it raised $1.6 million to promote its service that combines data about a site’s ad experience with data about how its ads perform.

AI
CES 2026: What’s Real – And What’s BS – When It Comes To AI

Ad industry experts call out trends to watch in 2026 and separate the real AI use cases having an impact today from the AI hype they heard at CES.

Commerce
New Startup Pinch AI Tackles The Growing Problem Of Ecommerce Return Scams

Fraud is eating into retail profits. A new startup called Pinch AI just launched with $5 million in funding to fight back.

Commerce
CPG Data Seller SPINS Moves Into Media With MikMak Acquisition

On Wednesday, retail and CPG data company SPINS added a new piece with its acquisition of MikMak, a click-to-buy ad tech and analytics startup that helps optimize their commerce media.

Popular

Measurement
A Jury Orders EDO To Pay $18.3 Million To iSpot Over Data Misuse

A jury in California awarded $18.3 million to video measurement firm iSpot to resolve its lawsuit against EDO, a measurement company co-founded by actor Ed Norton.

Programmatic
A Win For Open Standards: Amazon’s Prebid Adapter Goes Live

Amazon looks to support a more collaborative programmatic ecosystem now that the APS Prebid adapter is available for open beta testing.

Publishers
Gamera Raises $1.6 Million To Protect The Open Web’s Media Quality

Gamera, a media quality measurement startup for publishers, announced on Tuesday it raised $1.6 million to promote its service that combines data about a site’s ad experience with data about how its ads perform.

CTV
Netflix Doubled Its Ad Revenue Last Year – And Expects To Do The Same In 2026

Netflix beat its revenue expectations for last year, ending 2025 with $42.5 billion in revenue, a 16% year-over-year jump. Of that, $1.5 billion came from advertising.

AI
CES 2026: What’s Real – And What’s BS – When It Comes To AI

Ad industry experts call out trends to watch in 2026 and separate the real AI use cases having an impact today from the AI hype they heard at CES.

Join the AdExchanger Community
Join Now

Your trusted source for in-depth programmatic news, views, education and events.
AdExchanger is where marketers, agencies, publishers and tech companies go for the latest information on the trends that are transforming digital media and marketing, from data, privacy, identity and AI to commerce, CTV, measurement and mobile.

NEXT EVENT
Convergent TV World
March 5-6, 2026The Times CenterNew York, NY
Learn More

ABOUT ADEXCHANGER
About Us
Advertise
Contact Us
Events
Subscribe
RSS
Cookie Settings
Privacy & Terms
Accessibility
Diversity, Equity, Inclusion & Belonging

CONNECT

© 2026 Access Intelligence, LLC - All Rights Reserved

The regulatory landscape surrounding privacy underwent a fundamental shift in 2025, moving beyond theoretical compliance to rigorous, operational enforcement. Max Anderson details this evolution, emphasizing that the “gray zone” of past years vanished as regulators began empirically testing how privacy rights functioned in practice. This wasn’t simply about offering a cookie banner; instead, regulators scrutinized opt-out mechanisms, UX patterns, and the downstream use of consumer data. The Healthline matter served as a critical wake-up call, demonstrating the consequences of failing to hold brands accountable for how user choices affected data flow.

The defining characteristic of 2025 was specificity. State regulators moved past broad inquiries about privacy rights and began to test consumer choices directly. Regulators probed the data leaving browsers, examining how it was repurposed and analyzed. This operational approach exposed a fundamental mismatch between how privacy interactions should occur and how many tools were designed. The rise of Children’s Privacy requirements, CIPA-driven disclosures, and VPPA notices amplified this mismatch, revealing that static notices and forms were no longer sufficient.

This operational shift led to consolidation within the privacy tech market, reflecting the increasing complexity of compliance. The industry recognized that a single, all-encompassing platform couldn’t effectively manage consent, rights, data mapping, assessments, and enforcement simultaneously. Buyers began to move away from one-size-fits-all solutions, favoring best-of-breed tools tailored to specific risk areas. Looking ahead, 2026 will demand an orchestration of privacy choices across identities, systems, and workflows – something that must be provable through auditability and traceability.

Several emerging trends will exacerbate this challenge. CTV advertising is receiving increased scrutiny, while Children’s and teen data will continue to shape advertising practices. Health data remains a key enforcement area, and AI governance will transition from policy discussions to concrete accountability. The fundamental message is clear: regulators are observing outcomes—not just intentions. Those who fail to adapt will find themselves struggling against increasingly sophisticated enforcement.