US Digital Advertising Regulation: Privacy, Transparency and the Policy Landscape

For two decades, digital advertising expanded almost entirely on its own terms — self-regulated, data-hungry, and largely invisible to the consumers whose attention it was buying. That era is ending. The regulatory environment around US digital advertising is tightening from multiple directions at once: state privacy laws, federal scrutiny, browser changes, and court-ordered restrictions on the industry’s largest players.

Unlike Europe, where the General Data Protection Regulation (GDPR) established a comprehensive federal privacy framework in 2018, the United States has not enacted federal privacy legislation as of 2025. Instead, the US regulatory environment is a patchwork of state laws, FTC enforcement actions, and self-regulatory industry standards—supplemented by major legal actions against large platform companies.

State Privacy Laws

California’s Consumer Privacy Act (CCPA), effective January 2020, was the first comprehensive state privacy law in the US. CCPA gives California residents rights to know what personal information is collected about them, to delete it, to opt out of its sale to third parties, and to non-discrimination for exercising these rights. CCPA was strengthened by the California Privacy Rights Act (CPRA), approved by voters in November 2020 and effective January 2023. CPRA added rights to limit use of sensitive personal information, to correct inaccurate data, and created the California Privacy Protection Agency to enforce the law.

For digital advertisers, CCPA/CPRA has significant implications. Selling consumer data to third parties requires providing opt-out rights. Sharing data for behavioral advertising may constitute a “sale” under CPRA’s broad definition. Advertisers operating in California—effectively any US advertiser with California customers—must provide opt-out mechanisms, honor opt-out signals (including the Global Privacy Control browser setting), and document their data sharing practices.

Following California’s lead, over 15 states have enacted comprehensive privacy laws as of 2025, including Virginia, Colorado, Connecticut, Texas, Florida, Oregon, Montana, and others. These laws have similar structures—consumer rights to access, correct, and delete data; opt-out rights for targeted advertising—but differ in important details around enforcement, scope, and exemptions. The patchwork creates compliance complexity for national advertisers who must navigate multiple state frameworks simultaneously.

Federal comprehensive privacy legislation has been proposed multiple times (American Data Privacy and Protection Act, etc.) but has not passed as of 2025. Industry observers expect eventual federal legislation that would preempt state laws, though the timeline remains uncertain. Federal legislation would simplify compliance but might also establish nationwide standards that are more or less restrictive than the most stringent state laws.

FTC Enforcement and Digital Advertising

The Federal Trade Commission regulates advertising practices under its authority to prevent deceptive and unfair trade practices. The FTC’s enforcement actions in digital advertising have focused on disclosure requirements for sponsored content, data broker practices, and children’s privacy.

The FTC’s endorsement and testimonial guidelines, updated in 2023, require material connections between advertisers and endorsers to be clearly disclosed. For influencer marketing, this means creators must disclose when they are paid or receive free products to promote brands. The FTC has issued warning letters to influencers and brands for inadequate disclosure and has brought enforcement actions against companies with systematic disclosure failures. Most social platforms now require disclosure labels for paid partnerships, partially in response to FTC guidance.

Children’s Online Privacy Protection Act (COPPA) prohibits collecting personal information from children under 13 without verifiable parental consent. The FTC proposed COPPA rule updates in 2023 that would strengthen restrictions and expand protections for children’s data in advertising contexts. For platforms with child users—YouTube Kids, gaming platforms, and any service with significant under-13 traffic—COPPA compliance directly constrains advertising data practices.

Antitrust Enforcement Against Ad Tech

The most significant regulatory action in US digital advertising is the Department of Justice antitrust case against Google’s advertising technology business. Filed in January 2023, the DOJ alleged that Google illegally monopolized the publisher ad server market, the ad exchange market, and the advertiser ad network market through anticompetitive conduct. The conduct alleged included tying its publisher ad server to its exchange, implementing “Project Poirot” to reduce competing exchanges’ revenues, and acquiring companies to foreclose competition.

In August 2024, a federal judge ruled that Google holds monopoly power in the publisher ad server market and the ad exchange market. The liability ruling found that Google’s practices of tying Google Ad Manager (publisher server) to Google AdX (exchange) foreclosed competition. The remedy phase began in 2025, with the DOJ and states seeking structural remedies including potential forced divestiture of Google Ad Manager and/or Google AdX.

The outcome of this case will reshape the programmatic advertising ecosystem. If Google is required to divest ad tech assets, independent SSPs (Magnite, PubMatic) and independent exchanges would gain access to inventory currently flowing primarily through Google. Publisher yields might increase as competition intensifies. Advertisers would benefit from more choice in ad tech vendors and potentially lower take rates in the supply chain.

Platform Privacy Changes as Quasi-Regulation

While technically not government regulation, Apple’s App Tracking Transparency (ATT) and Google’s Privacy Sandbox have functioned as quasi-regulatory changes because their impact on advertising practices is as significant as any government rule. Both are driven by privacy principles but have competitive implications that have drawn regulatory scrutiny themselves.

Apple’s ATT requires explicit opt-in for cross-app tracking on iOS. With opt-in rates of 25-35% in the US, 65-75% of iOS users are not tracked across apps. This has reduced signal availability for Meta, Snap, and other platforms that relied on iOS device identifiers for audience targeting and conversion measurement. The impact on Meta’s advertising revenue was estimated at $10 billion in 2022 alone.

Google’s Privacy Sandbox proposes to deprecate third-party cookies in Chrome and replace them with privacy-preserving APIs. Google has repeatedly delayed this deprecation while working with publishers, advertisers, and regulators (including the UK’s Competition and Markets Authority) to develop acceptable alternatives. The CMA is monitoring Google’s Privacy Sandbox implementation to ensure it does not anticompetitively benefit Google’s own advertising business at the expense of competitors.

The Impact on Advertising Practice

The cumulative impact of state privacy laws, FTC enforcement, antitrust actions, and platform privacy changes is a meaningful constraint on behavioral targeting and cross-site tracking in US digital advertising. Practices that were standard five years ago—third-party cookie-based retargeting, device fingerprinting, cross-app behavioral tracking—are now restricted, prohibited, or require explicit consent.

Advertisers are adapting by investing in first-party data, contextual targeting, and consent management. First-party data—customer information collected with consent from brand-owned properties—is exempt from most third-party data restrictions. Brands building strong CRM systems, loyalty programs, and authenticated digital experiences are developing durable targeting capabilities that do not depend on third-party tracking.

Contextual advertising—targeting based on the content of the page or app where ads appear rather than user behavioral history—is experiencing a renaissance. AI-powered contextual targeting can achieve relevance comparable to behavioral targeting for many advertising objectives without requiring individual user data. Publishers with clear content signals and engaged authenticated audiences are benefiting from contextual advertising’s growth.

Future Regulatory Outlook

The US digital advertising regulatory landscape will continue evolving. Federal privacy legislation is likely eventually, though the timeline is uncertain. State laws will continue to multiply in the absence of federal preemption. FTC enforcement priorities around AI-generated advertising, children’s data, and platform data practices will intensify. The Google ad tech antitrust remedy will establish precedent for structural remedies in platform markets.

The long-term direction is toward more privacy, more transparency, and more competition in digital advertising. This transition will advantage advertisers with strong first-party data, publishers with authenticated audiences, and ad tech companies that can deliver performance without cross-site tracking. It will disadvantage businesses that have relied primarily on third-party data and opaque supply chains. Adapting to this regulatory direction is not optional—it is a prerequisite for sustainable digital advertising practice.