Editor’s note: Updated July 2025
If you’re a programmatic media trader, you know how much it takes to keep clients, account execs, and other stakeholders happy. You’re expected to launch, optimize, and measure campaigns that exceed KPIs. Your QBRs are high-stakes, and you know what it means to feel spread thin. (You might not really have time to read this blog post, so we’ll keep it as clear and actionable as possible.)
One complex factor shaping the programmatic media ecosystem is the rise of data privacy regulations. No matter what DSP you prefer in terms of media inventory, user interface, and navigational toggles, all DSPs must comply with GDPR and CCPA regulations (among others). Here’s the quick lowdown of what you need to know about how data privacy regulations impact your day-to-day as a programmatic media trader.
Which data privacy regulations matter to programmatic media traders?
The two biggest data privacy regulations you need to be aware of are GDPR and CCPA, but other regulations are here — and more are coming. The internet is global, and user data travels across borders, which means platforms and DSPs increasingly take a “comply everywhere” approach.
Before we dive into how these data privacy regulations relate to DSPs, let’s define what they are and what they mean.
GDPR and Beyond: Why European laws matter so much in the US
Remember how cookie consent windows popped up everywhere back in 2018? We have GDPR to thank for that. User experience improved slightly in 2020 after the European Data Protection Board (EDPB) issued additional guidelines to make it easier for consumers to choose their cookie preferences.
At the heart of GDPR is the principle of Privacy by Design, also known as Privacy by Default. This means that companies can only collect data if it’s necessary for a specific purpose — not just because it’s available. Most importantly, companies can’t collect personal data without the individual’s consent.
Privacy by Default empowers users to explicitly choose how their personal data is collected or used. This marks a huge change from “implicit consent,” where simply visiting a website “granted” consent to collect personal data via tracking tools like cookies. Under GDPR, consent must be freely given, specific, informed, and unambiguous.
All sites that allow traffic from EU users must comply with GDPR. Additionally, if a company’s data-processing activities are considered “high-risk,” they must file a DPIA (Data Protection Impact Assessment). Examples of high-risk activities that trigger a DPIA include:
- Location tracking
- Marketing to children
- Processing biometric or genetic data
While GDPR is an undeniably important step forward for consumer rights, it’s also created complications for businesses as they adapt to data protection standards. GDPR has significantly impacted DSPs by requiring greater transparency, fairness, and accountability in collecting, processing, and using personal data. DSPs must comply with GDPR regulations to avoid potential legal and financial penalties, and to maintain consumer trust and confidence.
Other EU data privacy regulations you should know
The Digital Services Act (DSA) and Digital Markets Act (DMA) are two European privacy laws aimed at increasing transparency and fairness in the digital ecosystem, especially around how large platforms operate. Here’s why they matter:
- Ad transparency: Platforms must disclose when content is sponsored and why a user saw a particular ad. This puts pressure on advertisers and DSPs to ensure targeting is both compliant and explainable.
- Stricter targeting rules: The DSA limits the use of personal data, especially for minors. Campaigns in the EU must respect new boundaries around audience segmentation.
- Increased reporting requirements: “Gatekeepers” (e.g., Google, Meta) must share how their algorithms work, potentially reshaping how DSPs access and measure performance.
- Impact on walled gardens: The DMA pushes for interoperability, which could expand inventory access and shift how DSPs integrate with large platforms.
The EU also proposed the ePrivacy Regulation in 2017 to complement the GDPR by regulating cookies, metadata, and direct marketing. However, the data privacy landscape in the EU has since changed significantly, leading to the withdrawal of the proposal in February 2025.
CCPA: California Consumer Privacy Act
Since 2020, the California Consumer Privacy Act (CCPA) has applied to companies doing business in California if they meet certain criteria, including:
- Annual revenues above $25 million.
- Collecting personal information from more than 50,000 consumers.
While CCPA is “just” a state law, California is now the world’s fourth-largest economy; California regulations have resounding implications far beyond the state’s borders. Penalties for non-compliance can include fines of up to $7,500 per violation, not to mention potential lawsuits and reputational damage.
Like GDPR, CCPA gives California residents the right to know what personal information companies collect, and to request deletion of their personal data. CCPA also requires companies to disclose whether they’ve sold or shared personal information with third parties. Consumers have the right to easily opt out of companies selling their personal data. Finally, CCPA prohibits companies from discriminating against consumers who exercise these privacy rights. Consumers must have access to the same products and services regardless of opt-in/opt-out status.
South Korea’s Personal Information Protection Act (PIPA)
PIPA is one of the strictest data protection laws globally. It requires explicit user consent for personal data collection and mandates strong security safeguards. For DSPs handling Korean traffic or working with Korean apps, compliance is non-negotiable.
China’s Cybersecurity Law
The Cybersecurity Law and the Personal Information Protection Law (PIPL) in China place tight restrictions on cross-border data transfers and require data localization. Programmatic partners working with Chinese inventory must be careful about how user data is processed and stored.
Brazil’s General Data Protection Law (LGPD)
In effect since 2020, LGPD applies to any company processing personal data of individuals in Brazil, regardless of location. Closely aligned with GDPR, it requires a legal basis for data processing, user rights to access/delete data, and prompt breach notification. Non-compliance can result in fines up to 2% of Brazilian revenue, capped at 50 million reais (~$10M USD).
3 Takeaways: Impact on programmatic media trading and DSPs
1. Programmatic campaign performance
Consumers trust and prefer brands that protect their customers’ privacy. As a programmatic media trader, your choices around targeting and inventory selection are connected to how companies protect consumer data. Fortunately, every DSP has privacy regulations built in under the hood — but it’s still important to understand data protection and how it can impact your campaigns and KPIs.
Why this matters for programmatic media traders:
- Improved brand lift: consumers’ preferences for brands that protect their data can have a lasting impact on brand perception and customer loyalty.
- Reduced campaign reach: limitations around location tracking can reduce audiences reached via geotargeting.
2. DSP data collection, processing, and storage
More personal data = more accurate targeting by DSPs and higher ROAS.
As regulations continually tighten, stakeholders are prioritizing privacy-compliant first-party data like consumer email addresses and purchase history. DSPs buying ad space on behalf of brands are involved in collecting, processing, and using this kind of personal data. However, under data privacy regulations, advertisers and DSPs must obtain explicit and informed consent from users before gathering or using this personal data. This means DSPs must provide users with:
- Clear and concise information about data collection, usage, and sharing.
- Easy ways to opt out.
- Access to view, modify, and delete their personal data at any time.
Data protection regulations impact DSPs in other ways, including:
- Investing in tools and processes to ensure secure and confidential data collection and processing.
- Keeping records of the DSP’s data-processing activities.
- Providing these records to regulators upon request.
Why this matters for programmatic media traders:
- 68% of users now feel more control over their app privacy settings than a few years ago.
- However, 44% of users say their concerns over unauthorized parties accessing their data have grown in the past few years.
- Collaborate with account managers to understand clients’ first-party data collection methods.
3. Algorithms and Transparency: Audience targeting and real-time bidding
Agencies and DSPs are all keen to leverage first-party data to improve targeting, ultimately making the media spend more efficient. For example, first-party data is super helpful for retargeting campaigns or building lookalike audiences. That’s all well and good, but DSPs must be transparent about how they use automated decision-making, such as algorithms used for targeting and bidding. Additionally, DSPs must provide a way for users to request human intervention in the decision-making process. DSPs’ algorithms need to be transparent, fair, and non-discriminatory.
Why this matters for programmatic media traders:
- 75% of consumers will not purchase from organizations that they don’t trust with their data.
- 69% of users say that they are less likely to pay to remove ads if the ads are more targeted.
- Keep these stats in mind: When you build trust with your users, they will be more receptive to targeted advertising.
Additional resources for programmatic media traders
- GDPR.eu – GDPR Compliance Checklist
- IAB Europe – Privacy & Data Protection
- Thomson Reuters – Understanding the CCPA
- European Commission – The Digital Services Act Package