For most of the last decade, privacy compliance lived in a gray zone. Companies could point to a cookie banner, update a policy and reasonably believe they were doing enough.
In 2025, that gray zone disappeared.
What changed was not the sudden arrival of a sweeping new law, but the scale and seriousness of enforcement. Regulators began enforcing privacy in volume and with meaningful financial consequences, signaling that these rules were no longer theoretical. Enforcement actions involving brands like Honda, Healthline, Sling and Todd Snyder clarified how privacy rules were meant to work in practice. Expectations around opt-outs, user experience and data handling became far more concrete.
In 2026, the industry will be operating with far less ambiguity and far less margin for interpretation.
Enforcement made privacy operational
The defining feature of 2025 was specificity. State regulators moved beyond asking whether companies offered privacy rights and began empirically testing how those rights functioned in practice.
Opt-out mechanisms were clicked, timed and evaluated; public-facing language was reviewed for clarity and intent; and UX patterns were scrutinized for friction. Regulators probed the nature of the data leaving the browser and how it was repurposed downstream. The Healthline matter was a wake-up call.
Enforcement went beyond data collection. Regulators increasingly examined what happened after a consumer exercised a choice. If a user opted out but their data still flowed into audience creation, targeting models or downstream analytics, that failure became the heart of the investigation.
The cookie banner era is over
For years, much of the privacy industry assumed that GDPR-style cookie consent could simply be transplanted into the US regulatory environment. A cookie banner does not equal privacy compliance in the US, and pretending otherwise is no longer tenable.
California makes that reality impossible to ignore. Early CCPA efforts mirrored a browser-centric, cookie-driven advertising model, but now enforcement has shifted decisively toward “Do Not Sell or Share” obligations that extend far beyond the browser. Regulators are now evaluating whether consumer choices actually change how data moves across systems, devices and identities, not just whether a banner appears on a page.
The next focus will be what happens after consent is revoked: how data is used, propagated and controlled across the enterprise.
That evolution makes one thing unavoidable: orchestration.
Privacy choices can no longer live only in a browser or device. They must travel across identities, systems and workflows, and they must be provable. Auditability and traceability are becoming enforcement expectations.
2025 broke the UX assumptions embedded in privacy tools. Static notices and forms, at best localized by region, no longer work in a world where privacy obligations are situational. Children’s privacy requirements, CIPA-driven disclosures, DNS-level differences based on whether a user is logged in and context-specific VPPA notices all emerged as enforcement realities, exposing a fundamental mismatch between how privacy interactions actually must occur and how most tools were designed.
Ironically, the next generation of privacy will require more data and more context, not less. Delivering compliant experiences will depend on understanding who the individual is, how they are interacting with an application, what data is in scope at that moment and which regulatory obligations apply in real time.
Consolidation is a signal, not a surprise
The privacy tech market sent its own message this year. Consolidation accelerated, with moves like Security AI being acquired by Veeam, TrustArc moving into private equity ownership and other platforms being absorbed or carved up.
This isn’t random. Privacy is a hard category, technically, operationally and commercially. As enforcement grows more sophisticated, it’s increasingly unrealistic to expect a single platform to master consent, rights, data mapping, assessments, governance and enforcement equally well.
Buyers are already adjusting. Many are moving away from one-size-fits-all expectations and toward best-of-breed approaches that align tools to specific risk areas. Long term, privacy will likely find durable homes inside adjacent categories like security, governance and IT operations. But shallow compliance tooling won’t survive contact with enforcement.
What 2026 will demand
Several trends are accelerating. CTV advertising is becoming a major enforcement focus. Children’s and teen data, particularly where age signals are present, will continue to reshape advertising practices. Health data remains squarely in regulators’ sights. And AI governance is moving from policy discussions toward real accountability.
Regulators are sending the same signal. Privacy risk is being measured by what can be observed from the outside. Opt-outs are tested. UX is scrutinized. And companies are held accountable for whether consumer choices actually affect downstream data use.
The companies that struggle in 2026 will not be the ones that ignore privacy outright. They will be the ones that failed to adjust their risk profile.
Privacy crossed a line in 2025. In 2026, that line will be much harder to hide behind.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow Ketch and AdExchanger on LinkedIn.
For more articles featuring Max Anderson, click here.
