As online privacy regulations tighten, brands must adapt quickly to maintain consumer trust and stay compliant. Explore how new laws are reshaping data strategies and the future of advertising.
Following recent changes announced by Google for its Chrome browser, users will be prompted to exercise more control over third-party cookies. And while it is plain to see that Google and regulators wish to avoid a repeat of the App Tracking Transparency (ATT) debacle, the mere possibility of comparison warrants serious investigation into alternatives, of which Privacy Sandbox appears heir apparent.
Years of development and negotiations, its most recent pivot, and newly announced features demonstrate Google’s dedication to finding a balance that satisfies its obligations to the Competition and Markets Authority (CMA) and the concerns of the Information Commissioner’s Office (ICO). When it does, addressability through cookies will decline rapidly and brands dependent on them will be impacted absent adaptation.
Powering this colossal and oft-delayed shift is an irrefutable truth: online privacy has become a core concern for lawmakers and their constituents in Europe and worldwide.
The Legal Push Behind Corporate Change
Privacy is no longer a niche concern; it is becoming a fundamental expectation of regulators and consumers, especially in the States where legal reforms are gaining momentum. Comprehensive privacy laws are taking effect in nearly twenty states, with California leading the way through the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).
The rapid pace of legislative change is striking — more than half of new privacy laws were introduced in 2023-24 alone. While the House failed to pass the American Privacy Rights Act (APRA) out of committee, the bill came far closer to a floor vote than most anticipated. Congress appears poised to pass children and teen-focused privacy bills before the end of session.
This shift is more than just a legal headache for companies; it reshapes how businesses interact with consumers. Brands should rethink their data collection and data use strategies, due to the requirement to respect types of opt-out signals mandated by laws in California, Colorado, and Texas, as well as increased obligations to consent for certain data types, and internal data mapping requirements.
U.S. state laws, while different in structure from the General Data Protection Regulation (GDPR), share common enforcement elements that compel companies to change their data practices, and penalties for non-compliance are steep The message is clear: compliance isn’t just about avoiding penalties—financial and reputational—it’s about staying ahead of a wave of risk that is only gathering strength.
What the U.S. Can Prepare For
Looking to Europe provides a roadmap for how privacy laws can amplify consumer expectations. The GDPR, now six years into enforcement, has dramatically altered the landscape for advertisers and consumers alike. With more than 2,000 fines issued by March 2024 and penalties nearing €4.5 billion, companies have had to adjust their strategies to comply with stricter privacy regulations.
Even though privacy was already a top concern for consumers in Europe, legally required changes by companies there led to increased awareness of users’ privacy rights and more frequent exercise of those rights
In the U.S., this process is beginning to unfold. While data protection concerns have historically focused on government surveillance, the growing wave of state privacy laws and increasing public scrutiny of private data usage — especially after Cambridge Analytica — are starting to mirror the European experience. However, the signs of fatigue in Europe due to the constant consent requests have led regulators to express a desire for reform. If it happens, the process will likely be slow, but we may hope to see similar changes in U.S. legislation sooner rather than later.
The Path to Consumer Trust
The importance of comparing the EU and U.S. approaches to privacy lies in user behavior. As brands prepare to comply with evolving privacy laws, consumers are becoming increasingly informed about data practices, leading to heightened expectations around transparency and choice. However, there is a critical need to find the right balance between customer expectations regarding data privacy and their desire for relevant, personalized experiences.
A recent survey revealed that 86% of Americans are concerned about their online privacy, a number likely to rise as privacy laws gain ubiquity. Just as the GDPR heightened awareness among Europeans, U.S. consumers will reasonably demand more control over their data. This shift will inevitably result in more users opting out of third-party cookies, requesting their data deletion, and exercising their rights to the data companies hold about them — whether manually, through changes implemented by platforms, or via authorized agents.
Navigating the Road Ahead
It’s essential for brands to recognize that user behavior will evolve alongside legal obligations. Companies that fail to adapt their strategies now risk losing trust and relevance in the eyes of consumers.
The shift towards cookieless technologies is not merely a legal necessity but also a crucial response to meet evolving consumer demands and offset increased risk and overhead associated with new obligations.
First-party data and strong consumer relationships have never been more critical. Diversifying vendors for each critical function will ensure continuity and create a competitive advantage amidst these changes. Additionally, assessing whether partners are equipped to help navigate this new landscape is vital.
Laws are driving changes in both corporate behavior and consumer expectations, forcing companies to adapt. Eventually, the switch for third-party cookies will be flipped to “off.” The time to prepare is now.