Blog

What programmatic traders need to know about data privacy regulations

What's inside

What programmatic traders need to know about data privacy regulations

Editor’s note: Updated July 2025

If you’re a programmatic media trader, you know how much it takes to keep clients, account execs, and other stakeholders happy. You’re expected to launch, optimize, and measure campaigns that exceed KPIs. Your QBRs are high-stakes, and you know what it means to feel spread thin. (You might not really have time to read this blog post, so we’ll keep it as clear and actionable as possible.) 

One complex factor shaping the programmatic media ecosystem is the rise of data privacy regulations. No matter what DSP you prefer in terms of media inventory, user interface, and navigational toggles, all DSPs must comply with GDPR and CCPA regulations (among others). Here’s the quick lowdown of what you need to know about how data privacy regulations impact your day-to-day as a programmatic media trader. 

Which data privacy regulations matter to programmatic media traders?

The two biggest data privacy regulations you need to be aware of are GDPR and CCPA, but other regulations are here — and more are coming. The internet is global, and user data travels across borders, which means platforms and DSPs increasingly take a “comply everywhere” approach.

Before we dive into how these data privacy regulations relate to DSPs, let’s define what they are and what they mean. 

GDPR and Beyond: Why European laws matter so much in the US

Remember how cookie consent windows popped up everywhere back in 2018? We have GDPR to thank for that. User experience improved slightly in 2020 after the European Data Protection Board (EDPB) issued additional guidelines to make it easier for consumers to choose their cookie preferences. 

At the heart of GDPR is the principle of Privacy by Design, also known as Privacy by Default. This means that companies can only collect data if it’s necessary for a specific purpose — not just because it’s available. Most importantly, companies can’t collect personal data without the individual’s consent.

Privacy by Default empowers users to explicitly choose how their personal data is collected or used. This marks a huge change from “implicit consent,” where simply visiting a website “granted” consent to collect personal data via tracking tools like cookies. Under GDPR, consent must be freely given, specific, informed, and unambiguous.

All sites that allow traffic from EU users must comply with GDPR. Additionally, if a company’s data-processing activities are considered “high-risk,” they must file a DPIA (Data Protection Impact Assessment). Examples of high-risk activities that trigger a DPIA include:

  • Location tracking
  • Marketing to children
  • Processing biometric or genetic data

While GDPR is an undeniably important step forward for consumer rights, it’s also created complications for businesses as they adapt to data protection standards. GDPR has significantly impacted DSPs by requiring greater transparency, fairness, and accountability in collecting, processing, and using personal data. DSPs must comply with GDPR regulations to avoid potential legal and financial penalties, and to maintain consumer trust and confidence.

Other EU data privacy regulations you should know

The Digital Services Act (DSA) and Digital Markets Act (DMA) are two European privacy laws aimed at increasing transparency and fairness in the digital ecosystem, especially around how large platforms operate. Here’s why they matter:

  • Ad transparency: Platforms must disclose when content is sponsored and why a user saw a particular ad. This puts pressure on advertisers and DSPs to ensure targeting is both compliant and explainable.
  • Stricter targeting rules: The DSA limits the use of personal data, especially for minors. Campaigns in the EU must respect new boundaries around audience segmentation.
  • Increased reporting requirements: “Gatekeepers” (e.g., Google, Meta) must share how their algorithms work, potentially reshaping how DSPs access and measure performance.
  • Impact on walled gardens: The DMA pushes for interoperability, which could expand inventory access and shift how DSPs integrate with large platforms.

The EU also proposed the ePrivacy Regulation in 2017 to complement the GDPR by regulating cookies, metadata, and direct marketing. However, the data privacy landscape in the EU has since changed significantly, leading to the withdrawal of the proposal in February 2025.

CCPA: California Consumer Privacy Act

Since 2020, the California Consumer Privacy Act (CCPA) has applied to companies doing business in California if they meet certain criteria, including:

  • Annual revenues above $25 million.
  • Collecting personal information from more than 50,000 consumers. 

While CCPA is “just” a state law, California is now the world’s fourth-largest economy; California regulations have resounding implications far beyond the state’s borders. Penalties for non-compliance can include fines of up to $7,500 per violation, not to mention potential lawsuits and reputational damage.

Like GDPR, CCPA gives California residents the right to know what personal information companies collect, and to request deletion of their personal data. CCPA also requires companies to disclose whether they’ve sold or shared personal information with third parties. Consumers have the right to easily opt out of companies selling their personal data. Finally, CCPA prohibits companies from discriminating against consumers who exercise these privacy rights. Consumers must have access to the same products and services regardless of opt-in/opt-out status. 

South Korea’s Personal Information Protection Act (PIPA)

PIPA is one of the strictest data protection laws globally. It requires explicit user consent for personal data collection and mandates strong security safeguards. For DSPs handling Korean traffic or working with Korean apps, compliance is non-negotiable.

China’s Cybersecurity Law

The Cybersecurity Law and the Personal Information Protection Law (PIPL) in China place tight restrictions on cross-border data transfers and require data localization. Programmatic partners working with Chinese inventory must be careful about how user data is processed and stored.

 

3 Takeaways: Impact on programmatic media trading and DSPs

1. Programmatic campaign performance

Consumers trust and prefer brands that protect their customers’ privacy. As a programmatic media trader, your choices around targeting and inventory selection are connected to how companies protect consumer data. Fortunately, every DSP has privacy regulations built in under the hood — but it’s still important to understand data protection and how it can impact your campaigns and KPIs.

Why this matters for programmatic media traders:

  • Improved brand lift: consumers’ preferences for brands that protect their data can have a lasting impact on brand perception and customer loyalty.
  • Reduced campaign reach: limitations around location tracking can reduce audiences reached via geotargeting.

2. DSP data collection, processing, and storage

More personal data = more accurate targeting by DSPs and higher ROAS.

As regulations continually tighten, stakeholders are prioritizing privacy-compliant first-party data like consumer email addresses and purchase history. DSPs buying ad space on behalf of brands are involved in collecting, processing, and using this kind of personal data. However, under data privacy regulations, advertisers and DSPs must obtain explicit and informed consent from users before gathering or using this personal data. This means DSPs must provide users with:

  • Clear and concise information about data collection, usage, and sharing.
  • Easy ways to opt out. 
  • Access to view, modify, and delete their personal data at any time.

Data protection regulations impact DSPs in other ways, including:

  • Investing in tools and processes to ensure secure and confidential data collection and processing.
  • Keeping records of the DSP’s data-processing activities.
  • Providing these records to regulators upon request.

Why this matters for programmatic media traders:

  • 68% of users now feel more control over their app privacy settings than a few years ago.
  • However, 44% of users’ concerns over unauthorized parties accessing their data has grown in the past few years
  • Collaborate with account managers to understand clients’ first-party data collection methods.

3. Algorithms and Transparency: Audience targeting and real-time bidding

Agencies and DSPs are all keen to leverage first-party data to improve targeting, ultimately making the media spend more efficient. For example, first-party data is super helpful for retargeting campaigns or building lookalike audiences. That’s all well and good, but DSPs must be transparent about how they use automated decision-making, such as algorithms used for targeting and bidding. Additionally, DSPs must provide a way for users to request human intervention in the decision-making process. DSPs’ algorithms need to be transparent, fair, and non-discriminatory.

Why this matters for programmatic media traders:

  • 75% of consumers will not purchase from organizations that they don’t trust with their data.
  • 69% of users say that they are less likely to pay to remove ads if the ads are more targeted.
  • Keep these stats in mind: When you build trust with your users, then they will be more receptive to targeted advertising.

Additional resources for programmatic media traders

Editor’s note: Updated July 2025

If you’re a programmatic media trader, you know how much it takes to keep clients, account execs, and other stakeholders happy. You’re expected to launch, optimize, and measure campaigns that exceed KPIs. Your QBRs are high-stakes, and you know what it means to feel spread thin. (You might not really have time to read this blog post, so we’ll keep it as clear and actionable as possible.) 

One complex factor shaping the programmatic media ecosystem is the rise of data privacy regulations. No matter what DSP you prefer in terms of media inventory, user interface, and navigational toggles, all DSPs must comply with GDPR and CCPA regulations (among others). Here’s the quick lowdown of what you need to know about how data privacy regulations impact your day-to-day as a programmatic media trader. 

Which data privacy regulations matter to programmatic media traders?

The two biggest data privacy regulations you need to be aware of are GDPR and CCPA, but other regulations are here — and more are coming. The internet is global, and user data travels across borders, which means platforms and DSPs increasingly take a “comply everywhere” approach.

Before we dive into how these data privacy regulations relate to DSPs, let’s define what they are and what they mean. 

GDPR and Beyond: Why European laws matter so much in the US

Remember how cookie consent windows popped up everywhere back in 2018? We have GDPR to thank for that. User experience improved slightly in 2020 after the European Data Protection Board (EDPB) issued additional guidelines to make it easier for consumers to choose their cookie preferences. 

At the heart of GDPR is the principle of Privacy by Design, also known as Privacy by Default. This means that companies can only collect data if it’s necessary for a specific purpose — not just because it’s available. Most importantly, companies can’t collect personal data without the individual’s consent.

Privacy by Default empowers users to explicitly choose how their personal data is collected or used. This marks a huge change from “implicit consent,” where simply visiting a website “granted” consent to collect personal data via tracking tools like cookies. Under GDPR, consent must be freely given, specific, informed, and unambiguous.

All sites that allow traffic from EU users must comply with GDPR. Additionally, if a company’s data-processing activities are considered “high-risk,” they must file a DPIA (Data Protection Impact Assessment). Examples of high-risk activities that trigger a DPIA include:

  • Location tracking
  • Marketing to children
  • Processing biometric or genetic data

While GDPR is an undeniably important step forward for consumer rights, it’s also created complications for businesses as they adapt to data protection standards. GDPR has significantly impacted DSPs by requiring greater transparency, fairness, and accountability in collecting, processing, and using personal data. DSPs must comply with GDPR regulations to avoid potential legal and financial penalties, and to maintain consumer trust and confidence.

Other EU data privacy regulations you should know

The Digital Services Act (DSA) and Digital Markets Act (DMA) are two European privacy laws aimed at increasing transparency and fairness in the digital ecosystem, especially around how large platforms operate. Here’s why they matter:

  • Ad transparency: Platforms must disclose when content is sponsored and why a user saw a particular ad. This puts pressure on advertisers and DSPs to ensure targeting is both compliant and explainable.
  • Stricter targeting rules: The DSA limits the use of personal data, especially for minors. Campaigns in the EU must respect new boundaries around audience segmentation.
  • Increased reporting requirements: “Gatekeepers” (e.g., Google, Meta) must share how their algorithms work, potentially reshaping how DSPs access and measure performance.
  • Impact on walled gardens: The DMA pushes for interoperability, which could expand inventory access and shift how DSPs integrate with large platforms.

The EU also proposed the ePrivacy Regulation in 2017 to complement the GDPR by regulating cookies, metadata, and direct marketing. However, the data privacy landscape in the EU has since changed significantly, leading to the withdrawal of the proposal in February 2025.

CCPA: California Consumer Privacy Act

Since 2020, the California Consumer Privacy Act (CCPA) has applied to companies doing business in California if they meet certain criteria, including:

  • Annual revenues above $25 million.
  • Collecting personal information from more than 50,000 consumers. 

While CCPA is “just” a state law, California is now the world’s fourth-largest economy; California regulations have resounding implications far beyond the state’s borders. Penalties for non-compliance can include fines of up to $7,500 per violation, not to mention potential lawsuits and reputational damage.

Like GDPR, CCPA gives California residents the right to know what personal information companies collect, and to request deletion of their personal data. CCPA also requires companies to disclose whether they’ve sold or shared personal information with third parties. Consumers have the right to easily opt out of companies selling their personal data. Finally, CCPA prohibits companies from discriminating against consumers who exercise these privacy rights. Consumers must have access to the same products and services regardless of opt-in/opt-out status. 

South Korea’s Personal Information Protection Act (PIPA)

PIPA is one of the strictest data protection laws globally. It requires explicit user consent for personal data collection and mandates strong security safeguards. For DSPs handling Korean traffic or working with Korean apps, compliance is non-negotiable.

China’s Cybersecurity Law

The Cybersecurity Law and the Personal Information Protection Law (PIPL) in China place tight restrictions on cross-border data transfers and require data localization. Programmatic partners working with Chinese inventory must be careful about how user data is processed and stored.

 

3 Takeaways: Impact on programmatic media trading and DSPs

1. Programmatic campaign performance

Consumers trust and prefer brands that protect their customers’ privacy. As a programmatic media trader, your choices around targeting and inventory selection are connected to how companies protect consumer data. Fortunately, every DSP has privacy regulations built in under the hood — but it’s still important to understand data protection and how it can impact your campaigns and KPIs.

Why this matters for programmatic media traders:

  • Improved brand lift: consumers’ preferences for brands that protect their data can have a lasting impact on brand perception and customer loyalty.
  • Reduced campaign reach: limitations around location tracking can reduce audiences reached via geotargeting.

2. DSP data collection, processing, and storage

More personal data = more accurate targeting by DSPs and higher ROAS.

As regulations continually tighten, stakeholders are prioritizing privacy-compliant first-party data like consumer email addresses and purchase history. DSPs buying ad space on behalf of brands are involved in collecting, processing, and using this kind of personal data. However, under data privacy regulations, advertisers and DSPs must obtain explicit and informed consent from users before gathering or using this personal data. This means DSPs must provide users with:

  • Clear and concise information about data collection, usage, and sharing.
  • Easy ways to opt out. 
  • Access to view, modify, and delete their personal data at any time.

Data protection regulations impact DSPs in other ways, including:

  • Investing in tools and processes to ensure secure and confidential data collection and processing.
  • Keeping records of the DSP’s data-processing activities.
  • Providing these records to regulators upon request.

Why this matters for programmatic media traders:

  • 68% of users now feel more control over their app privacy settings than a few years ago.
  • However, 44% of users’ concerns over unauthorized parties accessing their data has grown in the past few years
  • Collaborate with account managers to understand clients’ first-party data collection methods.

3. Algorithms and Transparency: Audience targeting and real-time bidding

Agencies and DSPs are all keen to leverage first-party data to improve targeting, ultimately making the media spend more efficient. For example, first-party data is super helpful for retargeting campaigns or building lookalike audiences. That’s all well and good, but DSPs must be transparent about how they use automated decision-making, such as algorithms used for targeting and bidding. Additionally, DSPs must provide a way for users to request human intervention in the decision-making process. DSPs’ algorithms need to be transparent, fair, and non-discriminatory.

Why this matters for programmatic media traders:

  • 75% of consumers will not purchase from organizations that they don’t trust with their data.
  • 69% of users say that they are less likely to pay to remove ads if the ads are more targeted.
  • Keep these stats in mind: When you build trust with your users, then they will be more receptive to targeted advertising.

Additional resources for programmatic media traders

Subscribe to stay in the know

Subscribe

Related Content

Back to Basics: Display advertising

Blog

Back to Basics: Display advertising Display advertising helps brands reach the right audience with eye-catching, targeted ads. Explore the different formats and how they can drive engagement in this guide.
2025 Mid-Year Review: The trends, flops, and what’s next for app publishers

Blog

2025 Mid-Year Review: The trends, flops, and what’s next for app publishers Based on a survey of leading app publishers, we break down the biggest wins and disappointments of H1 2025, and look ahead to what's next in H2.
Ad revenue optimization by game genre

Blog

Ad revenue optimization by game genre Learn how to optimize ad revenue with genre-specific strategies based on player behavior and session data.
Top takeaways from The 2025 App Publisher Halftime Show

Blog

Top takeaways from The 2025 App Publisher Halftime Show We’re over halfway through 2025 already, which makes it a great time to ask what’s been working (and what’s not) in the world of app publishing and mobile marketing.  To that end, we gathered five experts and asked them about the current state of app marketing, the strategies they’ve seen success using thus far in 2025, and the trends we should look forward to in 2026. We talked with:  Read on for some of the takeaways from this lively conversation.  Most overrated trend: alternative app stores While not everyone on the panel agreed, we heard from two experts that alternative app stores are the most overrated trend of the year. By getting your app into these stores, you supposedly gain access to new regions and audiences. But the results aren’t often worth the effort. Monetization is difficult enough as it is, and if you have to persuade users to try downloading from an alternative app store? That’s a lot more work with fewer rewards. In the first place, it’s tough getting users to switch from their preferred app store. But then you’ll have to maintain your app’s presence in multiple stores, creating more work in the long run.   There are better ways to use that time and effort. For example: nurture direct relationships with users. Or, build alternative ways to transact outside of the app store and nudge your high-spending “whales” toward these transactions.  Emerging monetization strategy: hybrid monetization Most of the panel agreed that hybrid monetization was one strategy gaining traction this year. By combining several revenue-generating models, an app can maximize profitability. This means you see apps offering in-app purchases alongside subscription models, and even sponsorships. One thing all our experts agreed on, though, is to lead with ad monetization.  According to Alex Merutka of CRAFTSMAN+: “An easy way to make money quickly is to turn on ads.” Taking it a step further, if you want more people to engage with your advertising and stay inside your app, you’ve got to start using rewarded video ads to complement your other monetization strategies. These 30-second promos followed by a playable experience are effective because they’re opt-in and deliver immediate value to the user.  Josh Chandley of WildCard Games shared: “If you’re in-app purchase only, best-case scenario is you’re going to monetize 3% to 5% of your players. If you integrate rewarded video and interstitial ads aggressively, you can be monetizing 95%. It just moves the needle.” Hottest ad format: playable ads  It’s no surprise that the panel was enthusiastic about playables. This format allows users to preview a game directly from an ad. Users initiate a gaming experience without needing to download the app. It offers immediate value to the user. That’s why engagement is higher than other formats and conversion rates so effective that even non-gaming apps are getting in on the action.  Merutka said: “In the last year, we’re probably up over 4X in inbounds around playables of companies you would never think would be doing playables.” Biggest challenge: creative fatigue The panel agreed that creative fatigue is a hurdle that every app publisher is contending with.  Users are getting tired of seeing ads since every brand is fighting for engagement. But they’re also annoyed seeing the same ads over and over again. Hence, lower engagement.  You can combat this creative fatigue by managing the ad funnel. The panel suggested investing in tools that let you create ads, test them, and implement them quickly. And finding the right SSP partners who can help you use new formats and channels that counter the “banner blindness” that sets in. A good partner helps you test new ideas and optimize.   Buzzwords of 2026: generative video AI Finally, everyone on the panel had their individual ideas about which buzzwords would dominate 2026. But one stood out: generative video.  With innovations like Google Gemini Veo 3, barriers to producing top quality video continue to come down. And we’ll likely see more new services emerge that enable mom-and-pop companies to create video content rivaling those of big brands. Generative video AI cuts down on the time it takes to produce content, leaving the only real challenge: stand out from the rest of the people using it. This will require being smarter and having real people add the human touch that turns AI video output into world-class advertisements. Want more? Watch the App Publisher Halftime Show on-demand  For a deeper dive into what these experts thought were the hottest ad formats or what other app monetization strategies they recommend, feel free to watch the webinar recording anytime. Bonus: Get the report Watching the on-demand webinar also gets you access to the App Publisher Halftime Report! You’ll find the key results of our latest Publisher Pulse Poll.
How Rovio rewrote its UA playbook in the post-IDFA era

Blog

How Rovio rewrote its UA playbook in the post-IDFA era A conversation with Kentaro Sugiura, Lead UA Manager at Rovio
Cookie loss didn’t kill the web, but AI overviews might

Blog

Cookie loss didn’t kill the web, but AI overviews might AI Overviews (not cookie loss) pose the real threat to the open web, reshaping search behavior and challenging publishers and advertisers to adapt or risk losing traffic.
texture

For Buyers

For Sellers

Resources

Dev Docs

Legal

© 2025 Verve Group, Inc. VERVE, VERVE GROUP and VERVE ATOM are registered trademarks of Verve Group, Inc. in the European Union, and/or U.S.A. and other countries.

All other trademarks are properties of their respective owners. All rights reserved.