It's Time To Get Serious About Privacy
Just getting by or doing nothing is very 2019
I’m Alan Chapell. I’ve been outside privacy and regulatory counsel for hundreds of digital media and tech companies, and I’m author of The Chapell Report regulatory outlook. I’ve been working at the intersection of privacy, competition, advertising, and music for decades, and I’m now a pundit writing for The Monopoly Report.
Our latest Monopoly Report podcast is an interview with FTC Commissioner Mark Meador! Please give it a listen.
Not trying to sound like other privacy pros, but…
One of the oldest moves in the privacy world is to sternly warn everyone to get into compliance immediately — OR ELSE!
It’s like you’re holding up a sign demanding repentance, lest the world end tomorrow. Except instead of the world ending, the boogie man is the GDPR, CCPA, an FTC crackdown, or class-action litigation. If you’ve been in the ads space a while, you are probably all too familiar with the drumbeat coming from the privacy hawks.
But here’s the thing: Up until recently, there hasn’t consistently been a huge downside to ignoring such warnings.
Over the years, with each new privacy boogie man that emerged, a percentage of the ads space has ignored the warning. And most were able to get away with it for a period of time. I know founders who have gotten by without really focusing on privacy to the tune of multiple exits.
So I understand if you take the following with a grain of salt, but here goes:
There are too many ad techs building really interesting tech who need to find religion on privacy.
There. I said it. Is anyone listening?
Making my point more clearly…
I’ve been involved in a few exits recently. I’ve also been involved in a number of attempted and abandoned exits where, for whatever reason, the company looking to sell had skimped on privacy. And in each case, the company was negatively impacted:
- One company had to lower its asking price significantly because it had built on a poor privacy foundation.
- Another had to spend a huge wad of cash on lawyers trying to get through the due diligence process.
- And the others? Well, let’s just say things didn’t work out for them.
What’s different now? Why should we listen to this tired old argument?
Something’s happened over the past five years. While many in the ads space were mostly focused on survival and trying to gear up for the post-cookie reality, a bunch of new laws and rules have emerged.
Rules that have surpassed those of our privacy self-regulatory groups.
Rules that apply to just about anyone operating in the ads space — even the “privacy safe.”
AI changes everything (except the privacy rules)
I’ve spent a bit of time over the past month checking out a bunch of the new breed of AI-infused companies being proudly listed on various charts and ‘scapes. And the number of what I sometimes refer to as “broken tail light” offenses I’ve seen within that segment in particular is remarkable:
- Privacy policies mindlessly copy/pasted from other companies
- Privacy policy scope inconsistent with how your products are framed
- Profiling and automated decision-making services offered without an opt-out
- Non-existent or poorly configured site CMP, yet all kinds of retargeting taking place
- No DSAR process in place, no appeals process
When I write “broken tail light” issues, I mean the type of things that a regulator can easily spot and metaphorically pull your company over for a closer look. In other words, each of the above things would take the good folks at Cal-Privacy less than five minutes to see evidence of a compliance issue.
What should you do?
Here are a few things to consider. Please note that this is NOT legal advice. It’s not even a complete list of potential issues. (It’s a free newsletter. What do you expect!!?)
The below are just a few considerations and suggestions from someone involved in this industry for a long time who wants to see it grow and succeed.
If you’re an adtech, you’re probably a data broker: At least in California. If you receive pseudonymous personal data (HEMs, MAIDs, IP addresses, etc.) indirectly and pass that type of information downstream, you’re probably a data broker. And being a data broker involves a bunch of additional responsibilities under California’s new DELETE Act as of Jan. 1, 2026.
AI is the new behavioral targeting: If you’re using AI as part of your service, you need to create AI and privacy impact assessments (regardless of the latest proclamation on AI coming from the White House). Regulators are focusing on AI the same way they hyper focused on behavioral ads over the past 20 years.
Inferences drawn from AI are personal data: If you’ve built one of those new AI-infused audience companies (there are a bunch of interesting ones out there), you might be tempted to think that the rules don’t apply. Resist that temptation. Chances are, you’re profiling, and any inferences you’re drawing are personal data.
Fix your CMP: I find myself being pulled into more and more CIPA-related litigation and shakedowns from class-action plaintiffs. A huge percentage of those cases have their roots in someone failing to properly configure their website’s consent management platform (CMP). There are lots of people who can help configure yours, such as Jodie Daniels and Scott Messer. Tell ‘em I sent you.
Document your data flows: This probably should be at the top of the list. Historically, it’s not been an area where ad techs generally excel. And without that documentation, you can’t craft a PIA to assess risks. (If you don't know what a PIA is, all the more reason to run toward someone who can help).
Consider sensitive data: Understand if you’re collecting sensitive data (and in most instances, figure out how to work without it.) Sensitive data generally requires a consent and imposes additional requirements around secondary use in most instances. Best to avoid. (Secondary use of data should probably be its own bullet.)
Craft or update data processing agreements: Europe and California each have a number of very specific requirements around what’s supposed to be in these documents. I’m amazed at the number of companies passing off outdated DPAs that were clearly copy-paste jobs.
Get your DSARs in order: States are doubling down on data subject access, deletion, opt-out, and correction rules. California has built out its DROP mechanism for data brokers, and other states will follow in 2026. (I’ll have Tom Kemp from CalPrivacy on the TMR podcast to discuss the DROP in January.)
Then there’s stuff like data minimization requirements, new rules pertaining to minors, secondary use of data, California’s new DROP mechanism, etc. (I’ve already gone into detail regarding issues with opt-out choice mechanisms, particularly in the CTV space.)
There’s a bunch of additional privacy rules in place these days, folks. If you ask me, I don’t think you’ll be able to skate by on privacy anymore.
Regardless of how cool your new platform or toolset may be…
__________________________________________________________________________
If there’s an area that you want to see covered on these pages, if you agree or disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.