Ads Under Attack? How Privacy Laws are Changing the Game

The Gist

Legislation landscape. Growing privacy regulations, such as GDPR and CCPA, are putting a damper on traditional targeted advertising methods by demanding higher levels of consumer consent.
Industry adaptation. Advertisers are pivoting to alternative approaches like contextual advertising and zero-party data to navigate the increasingly regulated environment.
Challenges ahead. The switch to privacy-centric advertising methods brings technical, cost and trust obstacles that the industry must overcome for effective campaigns.

Targeted advertising faces an uncertain future as growing privacy legislation and consumer distrust challenge the core practices of collecting and monetizing personal data. While total elimination is unlikely, increased regulation, technical constraints, and shifting social attitudes have steadily eroded the unrestrained targeting of ads based on detailed user demographics and browsing history.

The advertising industry is adapting with alternative approaches like contextual and zero-party data strategies. However, the personalization and relevance once promised by micro-targeted ads will become more difficult to achieve legally and ethically. Let's examine current and future privacy legislation, current targeted advertising methodology and alternative targeted advertising practices.

Current and Future Privacy Regulations and Legislation

Over the past few years, there has been a plethora of privacy legislation and regulations put into practice by individual states, countries and continents. A May 2022 Gartner report predicted that by year-end 2024, 75% of the world’s population will have its personal data covered under modern privacy regulations. Here are some of the major current and upcoming privacy regulations impacting digital advertising and data collection practices:

GDPR (General Data Protection Regulation) – Sweeping EU regulations that require transparent data collection and consent. Significant fines for violations.
CCPA (California Consumer Privacy Act) – Gives California residents new rights over their data, similar to GDPR. Expanded with CPRA.
Virginia Consumer Data Protection Act – Imposes opt-in consent requirements for certain data processing.
Colorado Privacy Act – Requires businesses to respect opt-out requests and security breach notifications.
PIPEDA (Personal Information Protection and Electronic Documents Act) - Governs data privacy in Canada, and is being updated to strengthen consent requirements.
Privacy and Personal Information Protection Act – Omnibus privacy bill proposed at the US federal level, but still pending.
Digital Services Act (EU) – Would ban targeted advertising aimed at children, and require opt-in consent from adults.
Americans Data and Privacy Protection Act – Privacy bill proposed in US Congress focusing on data minimization.
Children and Teens' Online Privacy Protection Act – Would expand protections for children under 16.

As of 2023, 43 states have introduced or passed their own privacy bills, and this year alone Virginia, California, Colorado, Connecticut and Utah have enacted or plan to enact data privacy legislation this year. Sean Buckley, a data privacy and technology lawyer at Dykema, a national full-service law firm, told CMSWire that one area of particular concern is the wave of comprehensive privacy laws that are being passed at the state level in the United States. "These laws often expand the definition of 'sensitive information' and set higher thresholds for obtaining consumer consent," said Buckley. "For example, some new state laws are broadening the scope of what is considered 'sensitive information' to include things like geolocation data, biometric data, and even behavioral data.”

Buckley suggested that this expanded scope poses a challenge for advertisers who rely on such data for targeted advertising as the threshold consent requirements for obtaining and using this data are also being raised, typically to an explicit opt-in consent. “This could significantly impact the opt-in rates for data collection, thereby affecting the effectiveness of targeted advertising campaigns,” said Buckley. “These changes are not just compliance issues but also impact the core business models of many advertisers and marketers.” Buckley believes that these changes necessitate a reevaluation of data collection and usage practices, and in some cases, may even require a fundamental shift in advertising strategies.

Jon Morgan, CEO at VentureSmarter, an LLC business consultancy, told CMSWire that privacy legislation, such as the GDPR and the CCPA, have ushered in a new era of accountability for companies collecting and using consumer data. “These regulations require businesses to obtain explicit consent from users before collecting their data and to provide options for opting out of data collection and targeted advertising,” said Morgan. “In this context, targeted advertising faces substantial challenges in obtaining and using user data without infringing on their privacy rights.”

According to Morgan, the demise of targeted advertising is not imminent — rather, the industry is shifting toward a more transparent, user-centric and consent-driven model. “Advertisers are exploring alternative methods, such as contextual advertising, where ads are displayed based on the content of the web page rather than user data,” said Morgan. “Additionally, advancements in privacy-preserving technologies like federated learning and differential privacy enable advertisers to gain insights from aggregated data without compromising individual privacy.”

Current Targeted Advertising Practices

Targeted advertising currently relies on an array of techniques to precisely align ads with individual customers' identities, demographics, interests, behaviors, locations and contexts. Geolocation targeting taps into mobile GPS and IP data to present geo-targeted ads, while retargeting serves ads related to users' past browsing to nudge them to purchase. Email lists are segmented by engagement and attributes for targeted sends.

Nicky Watson, founder and data privacy expert of Cassie, a consumer consent and preference management solution provider, told CMSWire that targeted advertising historically relied heavily on third-party cookies, tracking user behavior across the web to build detailed profiles. "This allowed advertisers to deliver highly personalized ads," said Watson. These are the practices that many consumers found annoying at best, and creepy at worst. Consumers would visit a website to look at dog beds, for instance, only to have ads for dog beds displayed on various sites that they visited later. Watson said that this approach has faced growing privacy concerns and regulatory scrutiny, leading to the development of alternative practices.

Behind the scenes, cross-device tracking links profiles across desktop, mobile and other devices. Social media targeting leverages personal information shared on social platforms for micro-targeted ads. Programmatic targeting uses real-time auctions to algorithmically match users with relevant ads. While these practices maximize relevance and conversion value, privacy advocates argue they rely on broad and invasive surveillance of individuals. Regulators increasingly constrain unrestrained targeting by enforcing transparency, consent, data minimization, and rights around access, correction and deletion.

Georgiana Haig, global product lead, identity for programmatic media partner, MiQ, told CMSWire that they've taken a diversified, portfolio approach to be able to continue to provide precision audience targeting in the face of increasing ID signal loss. "Our predictive targeting technology already uses and optimizes against data points that are not cookie-based — and has done so since the run-up to GDPR in May 2018," Haig explained.

“Meanwhile we've focused on future-proofing our audience buying strategies through activation across logged-in, authenticated users tied to alternative IDs (such as LiveRamp's RampID and the UID 2.0), sophisticated contextual activation, and the increasing use of cohort targeting — leveraging signals from rich publisher first-party data," said Haig.

Alternative Targeting Practices

As privacy legislation becomes law, many brands that have relied upon targeted advertising have been experimenting with alternative technologies and methodologies that still enable them to provide relevant advertisements to consumers. Watson said that many brands are moving to approaches that aim to better respect user privacy and align with stricter regulations, including:

Contextual Advertising: This method involves displaying ads based on the content of the webpage or the context of the user's current activity. It doesn't rely on tracking individual user data but rather on the context in which the ad is shown.
Zero-Party Data: Companies can directly ask users for their preferences, interests and consent to collect data. This information is willingly shared by users, ensuring compliance with privacy regulations and allowing for more personalized advertising.
Privacy-Preserving Technologies: Techniques like federated learning and differential privacy enable advertisers to gain insights from aggregated user data without accessing individual-level information, preserving user privacy.
First-Party Data: Leveraging their own data sources, companies can target ads based on the information users provide on their platforms, such as app usage, email subscriptions or customer profiles.
AI and Predictive Analytics: Companies can use AI algorithms to make predictions about user preferences and behaviors without directly accessing personal data.

Aside from the alternative targeting methodologies that Watson mentioned, there are others that are being tested and applied by brands, including:

Cohort targeting: Grouping users based on behavior patterns without identifying individuals as a privacy-preserving alternative.
On-device targeting: Ads are algorithmically matched to user data processed locally on their device rather than in the cloud, providing increased privacy protection.
Simulated environments: Using realistic generated users and contexts for ad experimentation rather than actual customer data.
Conversion measurement: Focusing optimization on post-click conversions rather than targeting based on extensive personal profiles.

“The advertising industry is investing heavily in understanding consumer behavior and preferences without invasive data collection. This includes using AI and machine learning algorithms to analyze anonymized data patterns and deliver relevant ads without exposing users' personal information,” explained Morgan. “By focusing on the quality of the user experience and respecting privacy concerns, the advertising industry can coexist with privacy legislation.”

The Challenges Advertisers Face With Alternative Practices

Advertisers face significant hurdles as they attempt to move away from invasive targeted advertising practices and adopt alternative privacy-centric approaches. One major challenge is reduced relevance and precision. Methods like contextual targeting and focusing on anonymized user cohorts may align ads with interests and behaviors, however, they lack the laser focus of tracking-based behavioral profiles built on extensive surveillance of individuals. As a result, relevance and click-through rates tend to suffer compared to current highly tailored practices.

Additionally, alternatives generate far less per-user data overall, making it difficult to replicate the massive datasets that power modern programmatic advertising systems. The costs of shifting to new paradigms like on-device processing are also likely to increase. And many emerging solutions remain technically immature compared to established targeting platforms.

On the consumer side, getting users to opt-in to sharing data for approaches like zero-party data presents challenges such as a lack of trust or motivation. Fingerprinting techniques (techniques used to track and identify users online without cookies and other traditional tracking methods) also persist in allowing invasive tracking despite claims to the contrary. New methods like cohort targeting reduce transparency into how groups are defined and targets selected. As such, brands that use such techniques are likely to run afoul of privacy regulations in the future.

While the ethical and legal necessities are clear, changing from current tracking-based targeted advertising will require overcoming a myriad of technical, cost, trust, and transparency challenges on behalf of advertisers.

Learning Opportunities

Webinar

Sep

CMS Briefing: A Live Look at What’s Next in AI-Driven Platforms

Learn how leading organizations are using AI‑driven tools to publish faster, personalize smarter and stay secure.

Webinar

On demand

Ready or Not: How Data-First Organizations Are Unlocking Agentforce Potential

Learn how to cut through the noise, activate Agentforce and build a Salesforce AI strategy that actually delivers.

Watch Now

Webinar

On demand

AI in Customer Service: Faster Resolutions, Happier Customers

Don’t let rising demand burn out your team. See how to build a smarter, more resilient support org.

Watch Now

Webinar

On demand

From Hype to High-Impact CX Strategies That Actually Scale

Turn buzzworthy AI and outsourcing trends into measurable CX wins with fresh 2025 data.

Watch Now

Webinar

On demand

Insights to Action Rethinking the Contact Center for Real Business Impact

Join our exclusive webinar to hear CX executives share their innovative strategies for transforming service delivery.

Watch Now

Webinar

On demand

Accelerating Healthcare Ops with AI

Watch Now

Webinar

Sep

CMS Briefing: A Live Look at What’s Next in AI-Driven Platforms

Learn how leading organizations are using AI‑driven tools to publish faster, personalize smarter and stay secure.

Webinar

On demand

Ready or Not: How Data-First Organizations Are Unlocking Agentforce Potential

Learn how to cut through the noise, activate Agentforce and build a Salesforce AI strategy that actually delivers.

Watch Now

Webinar

On demand

AI in Customer Service: Faster Resolutions, Happier Customers

Don’t let rising demand burn out your team. See how to build a smarter, more resilient support org.

Watch Now

Patricia Thaine, CEO and co-founder of Private AI, the privacy layer for software, told CMSWire that companies are actively spending millions of dollars to deliver highly personalized experiences to their users. "However, this is accompanied by a growing awareness of privacy concerns among their stakeholders,” said Thaine. “The fear of becoming one more company involved in data leak scandals makes it a delicate balancing act to reconcile personalization with privacy." Thaine believes that despite the challenges, there is optimism that finding a balance between personalization and privacy can be achieved without resorting to overly complex frameworks. “The key lies in innovative solutions.”

Final Thoughts on Privacy & Targeted Advertising

While targeted advertising is facing limitations from emerging and current privacy legislation and social attitudes, it is unlikely to disappear entirely. Advertisers are adapting to regulations with new approaches that aim to deliver relevance while respecting consent and data protection. Finding the right balance between personalized experiences and ethical data practices will require the continued innovation and adoption of privacy-preserving technologies, and proactive self-governance by advertisers and marketers.