Privacy Rules (The Laws With Teeth)#

The Big One: GDPR#

The General Data Protection Regulation (GDPR) took effect across the European Union on May 25, 2018, and fundamentally changed how organizations there handle personal data.

Any business that processes the data of EU citizens is subject to GDPR, regardless of where that business is located. It covers:

  • All personal information, including name, email, IP address, cookie IDs, device IDs, and pretty much everything else

  • Both digital and offline data

Important Guidelines#

1. Valid Legal Basis for Processing

Processing personal data requires a valid legal basis. The main ones are:

  • Consent (expressly given by the user)

  • Contract (necessary to provide a service)

  • Legal obligation (as mandated by law)

  • Legitimate business interest (weighed against user rights)

Consent is typically the only legitimate basis for advertising. No user information should be used for ads without express consent.

The user should not be coerced into giving their consent; it should be voluntary.

Cookie banners that say “By using this site you agree to cookies” are not a GDPR-compliant form of consent.

2. The Right of Access

Users can ask to see all of the personal information you hold about them. You have thirty days to supply it.

3. The Right to Be Forgotten

Users may request that you remove their data. Unless you have a valid reason to keep it, you have to comply.

4. Data Portability

Users can request their data in a machine-readable format and take it to a competitor.

5. Privacy by Design

Systems must be designed with privacy in mind, not added after the fact.

6. Notification of Data Breach

If there is a breach, you have to alert the authorities and the impacted users within 72 hours.

AdTech Impact#

Several common practices were crippled by GDPR:

  • Cookie walls (forcing users to accept cookies in order to view content) - declared unlawful

  • Pre-checked consent boxes - not legitimate consent

  • Bundled consent (accept everything or nothing) - not allowed; consent must be granular

  • Vague privacy policies - must be precise and unambiguous

California’s Version of the GDPR#

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. Later, in 2023, the California Privacy Rights Act (CPRA) strengthened and amended it.

What It Covers#

Applies to for-profit businesses that:

  • Have annual gross revenue > $25 million, OR

  • Buy/sell personal info of 100,000+ California consumers, OR

  • Derive 50%+ of revenue from selling personal data

And process data of California residents.

Key Rights#

1. Right to Know

What personal information is collected, used, shared, or sold.

2. Right to Delete

Request deletion of personal information (with some exceptions).

3. Right to Opt-Out

Opt out of the “sale” or “sharing” of personal information.

CCPA defines “sale” broadly—even giving data to third parties for targeted ads counts as a “sale.”

4. Right to Non-Discrimination

Companies can’t penalize you for exercising privacy rights (can’t charge more, deny service, etc.).

5. Right to Limit Use of Sensitive Data (CPRA)

Sensitive personal information includes race, health data, biometrics, sexual orientation, precise location. Users can limit how it’s used.

Impact on AdTech#

CCPA forced companies to:

  • Implement opt-out mechanisms

  • Track what data is sold/shared

  • Honor deletion requests

  • Maintain records of data processing

Many companies just applied CCPA protections to all US users (not just California) because it’s easier than geo-targeting by state.

Other US State Privacy Laws#

After California, the floodgates opened. As of 2025, states with comprehensive privacy laws include:

  • Virginia (VCDPA) - Effective 2023

  • Colorado (CPA) - Effective 2023

  • Connecticut (CTDPA) - Effective 2023

  • Utah (UCPA) - Effective 2023

  • Iowa, Montana, Oregon, Tennessee, Texas - Effective 2024-2025

Each has slight differences, but they’re converging on similar requirements:

  • Right to access, delete, correct

  • Opt-out of targeted advertising

  • Data protection assessments

  • Sensitive data restrictions

The patchwork of state laws is a compliance nightmare. Many companies are lobbying for federal legislation to preempt state laws, but Congress hasn’t acted yet.

COPPA (Protecting Kids)#

The Children’s Online Privacy Protection Act (COPPA) has been around since 1998, but enforcement ramped up in the 2010s.

What It Covers#

Websites and apps directed at children under 13, or that knowingly collect data from kids under 13.

Requirements#

  • Verifiable parental consent before collecting data from kids

  • Clear privacy policies

  • No conditioning participation on providing more data than necessary

  • Reasonable security measures

The Problem#

Many apps/sites just say “you must be 13+ to use this” and call it a day. Kids lie about their age. Problem solved? Nope.

Impact on AdTech#

Any platform with kids needs:

  • Age verification mechanisms

  • No behavioral advertising to kids

  • Limited data collection

  • Parental consent flows

Google and YouTube now treat all content marked “made for kids” under COPPA rules, which means:

  • No personalized ads

  • No cookies

  • Limited data collection

  • Lower ad revenue

Other Global Regulations (Brief Overview)#

Brazil - LGPD (Lei Geral de Proteção de Dados)

  • Similar to GDPR

  • Effective 2020

  • Fines up to 2% of revenue (max R$50 million)

China - PIPL (Personal Information Protection Law)

  • Effective 2021

  • Strict rules on cross-border data transfers

  • Requires explicit consent for sensitive data

Canada - PIPEDA (Personal Information Protection and Electronic Documents Act)

  • Federal law, some provinces have their own

  • Right to access and correct data

  • Consent required for collection/use

Japan - APPI (Act on the Protection of Personal Information)

  • Revised 2020

  • Consent for third-party transfers

  • Cross-border transfer restrictions

India - Draft Digital Personal Data Protection Bill

  • Still being finalized as of 2025

  • Expected to be GDPR-like

The trend globally: More privacy regulation, not less. Consent requirements. Data minimization. User rights.

The Future: More Regulation, Not Less#

Expect:

  • Federal US privacy law (eventually)

  • More states passing their own laws (in the meantime)

  • Stricter enforcement globally

  • New categories of protected data (biometrics, AI training data)

  • Restrictions on AI/algorithmic decision-making

The days of “collect everything, figure out what to do with it later” are over.

Privacy is the new normal. Adapt or get fined into oblivion.