At the Crossroads of Risk: Why Adtech Is Due for a Reckoning

Adtech is at a crossroads. The industry has operated in a data collection grey zone, but regulatory pressures are growing. What does that mean for adtech?

At the Crossroads of Risk: Why Adtech Is Due for a Reckoning
AI-Generated Image of man standing on a desolate bridge with a red warning sign saying ! Adtech

Adtech is at a dangerous crossroads. The industry has long operated in a grey zone of data collection and sharing, but the road ahead looks increasingly treacherous. At the 2025 Bridge Summit, Raashee Gupta Erry joined an esteemed panel to discuss the growing regulatory pressure on adtech. 

Common Practices, Now Under Scrutiny 

Over the last year, US privacy regulators have zeroed in on three primary areas of focus, and the penalties are adding up fast:

  • Precise Geolocation Data: Sixteen U.S. laws now classify geolocation data—down to street, building, and event-level coordinates—as sensitive information. Regulators are not impressed by industry attempts to aggregate or deidentify this data. Cases like the Federal Trade Commission (FTC) action against General Motors have shown how linking geo data (even in hashed form) to personal profiles can lead to tangible harm—like higher insurance rates. The definition of "sensitive data" is expanding, and any use for marketing purposes is now under the microscope.
  • Health Data: Health data is rapidly becoming a compliance minefield, thanks to broad definitions and aggressive new laws like Washington’s My Health My Data Act (MHMDA). The MHMDA allows private right of action and treats any inference of health status—like purchasing wellness products or searching for reproductive health services—as sensitive data. The FTC has made it clear that health data, even if derived from browsing behavior, requires explicit opt-in consent.
  • Data Broker Laws: The line between a company using third-party data and being a data broker is blurring. States including Texas and California, along with federal actions at the FTC, are now enforcing against data brokers. As fellow panelist Andrea Wheeler from Quantcast noted, “to be considered a data broker, it does not necessarily require selling data for money, it can simply be sharing data in exchange for valuable consideration or for access to certain features or special pricing.” The ”data broker” definition under the Texas Data Bro­ker Act is rather broad, and the Texas AG has already moved to act, suing Allstate and Arity for col­lect­ing, using, and sell­ing Amer­i­cans’ dri­ving data and allegedly selling that data to insurers. Similarly, the California Privacy Protection Agency’s recent $46,000 fine against National Public Data for failing to register as a data broker underscores how aggressive enforcement is becoming. 

Enforcement is Heating Up

2025 is shaping up to be the year of enforcement. Past is past—this year will bring more targeted action from both federal and state regulators:

  • FTC’s Strategy Shift: The FTC is moving away from broad rulemaking under the new administration but is expected to continue with focused enforcement, targeting deceptive advertising practices, AI misuse, protecting  children and sensitive data collection. 
  • New State Laws: Patchwork of US state laws continues to grow. 19 enacted U.S. state privacy laws meet the IAPP's definition of "comprehensive,". These exclude narrower legislation such as Florida's Digital Bill of Rights and Washington state's My Health My Data Act. States that were early adopters like California and Colorado are expected to up their enforcement. Newer states such as Minnesota, and Maryland are rolling out tough new privacy requirements that will raise the bar for compliance. Minnesota’s new privacy law introduces the right for consumers to contest profiling decisions—pushing beyond standard opt-out rights. Maryland now mandates strict data minimization, while New Jersey requires transparency when using tracking technologies. 
  • Consumer Rights and Global Privacy Control (GPC): Companies built on data-driven business models have been slow to respect Global Privacy Control (GPC) signals—no surprise when it threatens their bottom line. California and Colorado already require companies to honor GPC as a universal opt-out mechanism, with Connecticut, Texas, Oregon, and New Jersey set to follow. Meanwhile, global regulators are closely watching how companies handle consumer rights. 
  • Kids and Teens: Simply applying COPPA-style protections to under-13 users isn't enough. Fellow panelist, Daniel Goldberg from FKKS alluded that subsequent laws such as New Jersey define teens now as a new category and require affirmative consent from minors (13–17) for targeted ads and data sales. But, the way that the web monetization works, identifiers are automatically passed to the third parties especially through SDKs, is a concerning practice in this changing landscape. Broader age coverage and heightened consent requirements mean more scrutiny of data collection through SDKs, ad platforms, and tracking tools. 

Why It Matters

  • Health data, geolocation data, and kids’ data are becoming radioactive. Data collected through SDKs and shared with adtech partners is particularly seen as high-risk. The definition of what counts as “sensitive data” is also expanding. Enforcement isn’t just about data sales anymore—sharing data with partners without proper consent or contractual safeguards may be enough to trigger an enforcement action. It’s not just about consent only, it's about the tangible impacts and outcomes that consumers face. 

What Companies Need to Do

Adtech is still largely  built on personal data sharing and ID-based targeting. That foundation is now a liability. Fixing it won’t be easy, but there are some steps companies can take: 

  • Control the Leakage: A NY AG investigation into 13 major ecommerce sites with a combined total of 75 million site visitors, found that marketing tags kept firing even after users opted out, allowing continued tracking. This highlights a persistent problem: lack of oversight over what data is collected, who receives it, and whether sensitive data (like health or precise geolocation data) is leaking. Regular audits such as Lucid’s Tracking Tech Audit and other monitoring tools can help track data flows and identify gaps before regulators do.
  • Vendor Curation: Many companies have hundreds of adtech partners—but the 80:20 rule still applies where 80% of the value comes from 20% of the partners. Conduct a vendor audit, review data-sharing contracts and focus on your 20%; It may be time to clean house.
  • Better Consent Management: CMPs (Consent Management Platforms) are the front line of compliance. They need to be properly configured to capture granular consent—and pass those signals downstream to adtech partners. Poorly-set defaults are a regulatory trap waiting to be sprung.
  • Streamlining Systems for handling data subject requests: Retrofitting legacy systems to handle granular consent and data minimization isn’t just technically challenging—it’s expensive and time-consuming. This is where industry standards and frameworks can give a head start. IAB Tech Lab’s Rowana Lam suggested, “ specifications like the GPP for communicating user choice and  the data deletion request framework for communicating data deletion requests in a common way is going to be key, especially with laws such as California’s Delete Act”. 

The Road Ahead

Adtech isn’t getting a free pass anymore. The FTC and state regulators are done giving warnings—they’re driving enforcement hard, and companies that fail to adapt will pay the price. The question isn’t if your data-sharing practices will be scrutinized—it’s when.