Privacy in AdTech: Speed Limits vs. Speed Limiters

What impact do privacy laws like the GDPR and privacy settings like Safari's Intelligent Tracking Prevention (ITP) actually have on AdTech? Both carry significant weight on how ads are served, displayed, and measured — but the nature of that impact is meaningfully different.

The Impact of Privacy Laws on AdTech

The GDPR requires companies to obtain voluntary and affirmative user consent before collecting personal data — cookies and device IDs included.

That means if a user declines to have cookies saved to their device, advertisers lose the ability to run behaviourally targeted ads, apply frequency capping, measure campaign performance, or attribute conversions.

The degree of impact depends largely on how seriously a company takes its compliance obligations. A company that adopts implied consent may experience a low-to-medium hit. One that strictly adheres to the GDPR's requirements will likely feel it acutely.

The Impact of Privacy Settings on AdTech

Here's where the distinction sharpens. Privacy laws can, in practice, be sidestepped — which softens their immediate sting. Privacy settings cannot.

Safari's ITP, Firefox's Enhanced Tracking Protection (ETP), and ad-blocking plugins block JavaScript tags from known trackers before they ever load on a page. No JS tag means no ad displayed. There's no consent dialogue to fall back on, no opt-in flow to engineer around. The restriction is simply applied.

Privacy Laws Are Like Speed Limits

Imagine driving at 55 mph through a 30 mph zone. You're breaking the law, but nothing physically prevents you from doing it. The consequences only arrive if someone catches you — a police car, a speed camera. Until that moment, the road is wide open.

That's the dynamic with privacy regulations like the GDPR.

Since it came into force on May 25, 2018, many publishers, AdTech platforms, and advertisers have effectively been speeding. In the run-up to enforcement, there were dramatic moves — companies pulling out of EU markets and pausing programmatic spend — but the full force of the regulation still hadn't really landed. Some companies were investigated and fined; many others carried on with implied consent, pre-ticked boxes, or consent walls.

Companies still cruising in the fast lane should expect a fine eventually — in this case, an investigation notice from a European data-protection authority.

Privacy Settings Are Like Speed Limiters

Now picture a different scenario: you're a truck driver, and at 5 p.m. in New York you receive an order for a shipment that must reach Salt Lake City, Utah — roughly 2,200 miles away — before 5 p.m. the following day.

Even with a two-hour time-zone advantage, you'd need to average 100 mph non-stop to make it. You might be tempted to risk the speeding fine. But here's the twist: your truck has a speed limiter installed. It physically cannot exceed 90 mph. The delivery is, by definition, impossible on time. No law to bend. No camera to hope isn't watching. The constraint is built in.

That's exactly what privacy settings represent in the online advertising world.

Safari's ITP, Firefox's ETP, and ad-blocking plugins like Ghostery and AdBlockPlus are the speed limiters of AdTech. Just as a speed limiter prevents a vehicle from exceeding a set velocity, these tools prevent AdTech platforms from serving ads and saving cookies to users' devices — or significantly shorten the lifespan of the cookies that do get set.

The impact is direct and immediate. Companies have no say. If a user has Ghostery running, the JavaScript tags from AdTech platforms won't load, and ads simply won't appear.

What's Coming: More Speed Limits and Speed Limiters

For the speed demons of AdTech, the road ahead gets considerably more congested.

Privacy Laws (Speed Limits)

CCPA

The California Consumer Privacy Act gives California residents the right to know what data companies collect about them, the right to request deletion of that data, and the right to reject its sale. It came into force in January 2020.

Brazil's LGPD

Brazil's Lei Geral de Proteção de Dados is a federal data-protection law that came into enforcement in February 2020, extending GDPR-style obligations to one of the world's largest digital markets.

ePrivacy Regulation

Still in draft as of this writing, the ePrivacy Regulation could ultimately have a larger impact on AdTech than the GDPR itself, thanks to its specific rules around cookie consent. The current draft requires publishers and website owners to obtain voluntary, clear consent before dropping cookies for any purpose.

The more disruptive element is a proposal that would move consent management out of publisher-controlled consent-management platforms (CMPs) and into the browser itself. If users set their preferences directly in browser settings, the availability of cookies could shrink dramatically — and no amount of CMP engineering would change that.

US Federal Privacy Law

Several US states beyond California have introduced or are considering data-protection legislation. The more rational long-term path would be a single federal standard — one of the original motivations behind the EU's GDPR — but that remains an open question.

Privacy Settings (Speed Limiters)

Safari's Intelligent Tracking Prevention (ITP)

Released in September 2017, ITP has gone through three significant updates across 2018 and 2019, each tightening the screws on tracking and addressing workarounds that had emerged since the previous release. Expect the pattern to continue.

Firefox's Enhanced Tracking Protection (ETP)

Firefox launched ETP in June 2019, initially blocking known trackers only in private browsing mode. By September 2019, the company expanded ETP to block known third-party trackers by default for all Firefox users. Further tightening wouldn't be a surprise.

Google Chrome

Google occupies a complicated position here. As arguably the largest AdTech company, with ad revenues well exceeding those of Facebook, following in Apple and Mozilla's footsteps directly threatens its core business.

Nonetheless, Google has announced meaningful changes to Chrome: greater transparency into which companies participate in ad serving, easier controls to block and delete third-party cookies, and protections against device fingerprinting.

The headline move is Chrome's commitment to shutting off support for third-party cookies by 2022. That single change will effectively end behavioural targeting, retargeting, frequency capping, and cookie syncing as they currently function in web browsers.

The offset is Google's Privacy Sandbox initiative, which aims to enable ad targeting and measurement without relying on third-party cookies — privacy-preserving by design rather than by compliance.

Ad-Blocking Plugins

Ad blocker adoption may have plateaued compared to its peak years, but these tools remain widely installed and actively used. When layered on top of browser-level privacy settings, they effectively double the impact on publishers and AdTech platforms.

Where This Leaves AdTech

AdTech has operated for years on wide-open highways — relaxed speed limits, few limiters, and plenty of room to push the accelerator. That era is winding down.

The industry has demonstrated that it can build systems capable of running real-time auctions across multiple servers in under 300 milliseconds. Engineering solutions that respect both user privacy and the economic needs of advertisers and publishers is a solvable problem. The question is whether companies adapt ahead of the enforcement curve — or wait to be pulled over.