Privacy in AdTech and Programmatic Advertising: What to Expect in 2022

Privacy has been a defining pressure on the programmatic advertising and digital marketing industries for several years — and the forces shaping it are only multiplying.

The story arguably starts in the mid-2000s with the rise of ad blockers, but the first structural shift came in 2016 when the European Union adopted the General Data Protection Regulation (GDPR), triggering a two-year countdown to enforcement in May 2018. Fast forward to the present and the GDPR is no longer the dominant force. Many practitioners would say it's now having the least impact of all the privacy changes in motion.

Understanding where things stand today is essential to reading where they're headed in 2022.

The End of Third-Party Cookies in Chrome

In January 2020, Google Chrome announced it would follow Firefox and Safari by phasing out support for third-party cookies. Then in June 2021, Chrome extended that deadline by two years, pushing the sunset to mid-2023.

The delay exists because before Chrome can remove third-party cookies — which underpin a substantial portion of programmatic advertising and digital marketing — it needs a viable replacement. That replacement is Privacy Sandbox: a collection of open standards designed to handle key ad functions including targeting, retargeting, measurement, and attribution in a more privacy-preserving way, specifically without 1:1 user identification.

Privacy Sandbox has had a turbulent development history since it was first announced in August 2019. The most contentious component has been Federated Learning of Cohorts (FLoC), the standard responsible for interest-based advertising. Despite being designed to group users by interest rather than identify them individually, FLoC drew sharp criticism from privacy advocates who argued it still doesn't adequately protect users.

The original hope was that other browsers would adopt Privacy Sandbox alongside Chrome, but that looks unlikely. Firefox, Safari, and Brave have all stated they won't be implementing it. WordPress also announced it would consider blocking FLoC — a move that would significantly limit its reach and effectiveness given the scale of WordPress-powered sites.

What to Expect in 2022

Heading into 2022, the Privacy Sandbox story will continue to evolve through the same cycle of trials, criticism, and revision. Expect more working simulations as the standards inch toward finalization — but also expect significant pivots. There were reports as early as August 2021 that FLoC could be reimagined as "topic-based advertising" rather than "interest-based advertising," which would represent a meaningful design shift.

On the identity front, various identity solutions are gaining traction as another avenue for replacing third-party cookie functionality. Many advertisers and publishers have already begun evaluating them; broader adoption seems likely through 2022.

The two-year delay Chrome granted the industry provided breathing room — but it also took urgency off the table. That urgency will begin to reassert itself in 2022 as mid-2023 approaches. This is arguably the single most consequential area to watch, given the structural implications for the future of programmatic advertising.

Apple's Privacy Push

Apple has made privacy a central pillar of its brand, and its advertising reflects that. The campaign started several years ago with the introduction of content blockers in iOS 9, which gave users the ability to prevent specific website elements from loading. Blocking ads — and the trackers embedded within them — turned out to be a primary use case.

The effort shifted into higher gear in 2017 when Apple released Intelligent Tracking Prevention (ITP) for Safari. ITP targets cross-site tracking, the technique used by AdTech and MarTech platforms for ad targeting, retargeting, frequency capping, measurement, and attribution. Since launch, ITP has gone through multiple iterations, each tightening its restrictions and closing workarounds that vendors had developed.

More recently, Apple's privacy moves have expanded beyond the browser and into areas that affect digital marketing more broadly — including email marketing and analytics.

Starting with iOS 15, iPadOS 15, macOS Monterey, and watchOS 8, iCloud+ subscribers gained a set of new privacy features:

• Privacy Relay — encrypts information sent between Safari and websites, preventing interception or profiling at the network level.
• Mail Privacy Protection — blocks email senders from using invisible tracking pixels to detect when a message is opened, and masks the user's IP address so it can't be used to infer location or be linked to other online behaviour.
• Hide My Email — lets users generate unique, randomly created email addresses instead of sharing their actual address.

Taken together, these features have real implications for email automation and MarTech platforms, which rely on open-rate tracking to measure performance. iOS 15 launched in September 2021, so the full picture isn't yet clear, but early effects were likely visible to senders by late 2021.

One important nuance: iCloud+ is Apple's paid tier, not the standard free iCloud offering. That means these features won't reach every iPhone or Mac user — only paying subscribers.

What to Expect in 2022

The downstream effects of Apple's privacy changes will become clearer through 2022. The IDFA changes alone reportedly cost Facebook, Snapchat, and Twitter a combined $10 billion USD in revenue. Other in-app advertising businesses almost certainly experienced similar revenue pressure. Expect more public disclosures of that nature as the effects of iOS 15's features begin to fully materialize.

It's also safe to assume Apple will introduce additional privacy features in 2022, as it has done consistently for the past several years.

The GDPR and the Enforcement Gap

For years, the GDPR was the loudest conversation in digital marketing privacy. It has undeniably raised the floor on user rights and produced a substantial number of enforcement actions and fines. But a persistent criticism is that enforcement has been inconsistent — and that the regulation hasn't always functioned as intended.

A recent example: the Irish Data Protection Commission's draft decision on Facebook's use of the contract legal basis for data processing, rather than the consent basis, highlighted just how ambiguous GDPR interpretation can be in practice. For a detailed breakdown of that case, noyb's analysis is worth reading.

What the GDPR holds in 2022 is genuinely uncertain. The honest answer is that the pattern of fines, contested decisions, and uneven enforcement across member states is likely to continue. The regulation's architecture remains sound in principle — but the gap between its stated goals and its practical application remains a live issue in the industry.