A few themes dominated the advertising technology discussion in 2024; namely, the future of cookies and pay-or-consent and similar subscription/consent-based models. In addition, the crossover between privacy and antitrust within adtech became more relevant, with both Meta and Google, in particular, facing scrutiny from global competition regulators.
The children's privacy debate also brought many adtech issues to front of mind as Meta and the U.S. Federal Trade Commission continued to clash over the use of minors' data. Adtech issues also took center stage in privacy lawsuits as companies developed their technologies in ways that shaped adtech law and policy. While a lot of what transpired centered around the world's largest online platforms, the repercussions of these actions will reverberate into the wider adtech ecosystem in 2025 and beyond. This was adtech in 2024.
Cookies
Perhaps no issue in adtech has seen more volatility recently than cookies. Efforts to both regulate and to phase out cookies were made over the past year. Data protection authorities around the world — including those in Andorra, France, Latvia and the Netherlands — issued new rules and guidelines surrounding cookies.
Denmark's DPA, Datatilsynet, and the Netherlands' DPA, Autoriteit Persoonsgegevens, also took actions to prevent the misuse of cookies. In March, Datatilsynet ordered newspaper Berlingske to bring its cookie walls into compliance with the EU General Data Protection Regulation after an investigation found the company blocked content if a user did not permit data collection. In its subsequent investigation into these practices across 200 websites, it found 42% used unclassified cookies and 28% lacked information in their cookie banners.
Meanwhile, the AP announced it would prioritize how websites ask for permission to track internet activity with cookie banners. In July, it issued a 600,000 euro fine to the parent company of pharmacy chain Kruidvat for placing cookies on its website without user knowledge or consent. Other DPAs that were active with respect to cookie compliance enforcement were France's Commission nationale de l'informatique et des libertés, Belgium's ADP and the U.K. Information Commissioner's Office.
The courts were also involved in judgments against cookie-related violations. A notable example is the Amsterdam Court of Appeal's reaffirmation of its 2023 ruling that ordered advertising company Criteo to stop placing cookies on consumers' devices without consent. The court imposed a fine of 250 euros per day until Criteo fixes the issue.
In the U.S., perhaps the most notable cookie-related development in 2024 was the change to Google's Privacy Sandbox. The year began with Google working to roll out its Privacy Sandbox and enter its final phase-out of browsing cookies. But it faced some resistance from both the public and private sectors. For example, the U.K. Competition and Markets Authority ordered the company to halt the cookie phase-out until its competition concerns were met. In addition, the Interactive Advertising Bureau Tech Lab identified some issues with the Privacy Sandbox during testing, highlighting advertisers' concerns in a report. The problems identified included its limited support for event-based metrics, threats to brand safety, on-browser computing implications and a lack of consideration for commercial requirements. Google pushed back on the report, noting that it "ignores the broader objective of Privacy Sandbox to enhance user privacy," and provided a point-by-point response to dozens of issues raised in IAB's technical assessment.
Then, in March, competition advocates lobbied to halt the Privacy Sandbox in view of Google's ongoing antitrust trials, fearing the company could use the Privacy Sandbox to circumvent remedies that may be adopted by antitrust authorities in its pending cases. Furthermore, a draft report from the U.K. ICO noted the Privacy Sandbox contained gaps that could be exploited to identify users. A few days later, Google announced its intention to delay its cookie phase-out plan.
Pay or consent
Discussion of pay-or-consent models, which make users of various platforms choose between paying or permitting their data to be processed, also picked up in 2024. Pay or consent was top of mind for many government bodies but most notably for those in Europe. In February, members of European Parliament wrote to the European Commission seeking greater clarity on the legality of the pay-or-consent model. The next month, the European Commission issued a formal request for information to Meta under the Digital Services Act, seeking the company's risk assessments for the pay-or-consent model, among other things. In the U.K., the Information Commissioner opened a call for views from stakeholders to find out how pay-or-consent subscription models would impact them, their customers and their users. Then, in April, the European Data Protection Board issued a heavyweight of an opinion that in most cases large online platforms implementing pay-or-consent models will not comply with the GDPR requirement to obtain valid consent for processing data. While the opinion did not cover smaller platforms, in the same opinion the EDPB said it would issue further guidance on pay-or-consent models outside the scope of what the body designates as large platforms.
These events and the EDPB opinion specifically had a major impact on Meta, which, in 2023, floated the idea of offering users the choice between an advertisement-free paid version of Facebook and Instagram and a free version with ads. Ultimately, in July, the EDPB found Meta in violation of the Digital Markets Act as its preliminary investigation showed Meta's model did "not allow users to exercise their right to freely consent." This coincided with the issuance of a letter by the European Commission to Meta, which identified several practices under the pay-or-consent model that can unfairly mislead, confuse or pressure consumers. With the feedback from users, regulators and policy groups, Meta redeveloped its advertising model, keeping the original pay-or-consent model at a lower cost but adding a free opt-in model designed to serve fewer personalized ads.
Competition
Tech giants Meta and Google also both found their adtech practices under the scrutiny of antitrust regulators.
Meta faced pressure from the competition authorities in the U.K. and Germany but was able to resolve the issues with both. The U.K. CMA accepted Meta's proposed limits on data sharing of certain personal data from advertisers, pursuant to a CMA request that intended to prevent the tech company from securing an "unfair advantage" by using the data of Facebook Marketplace's competitors to improve the it. Meanwhile, Germany's competition regulator, the Bundeskartellamt, closed proceedings against Meta after it agreed to allow users to decide which accounts to connect and share data with. However, before the end of the year, the European Commission issued a 798 million euro fine to Meta for creating "unfair trading conditions" for competitors by embedding Facebook Marketplace within its social network.
Later in the year, Google received attention from both the U.S. Department of Justice and U.K. CMA. In September, the DOJ began its trial against Google over the alleged monopolization of the adtech industry. That same month, the U.K. CMA raised concerns surrounding Google's decision to shelve the Privacy Sandbox for the time being. As of year-end, the CMA made note of its continued effort to engage with Google on the matter.
Children's privacy
Children's privacy in advertising remained at the forefront of adtech law and policy issues in 2024, as the dispute between Meta and the FTC continued. In 2023, the FTC found the company failed to fully comply with a 2020 order. As such, it sought to change parts of the order, including prohibiting Meta from profiting from data collected from users under the age of 18. In turn, Meta filed a lawsuit before the U.S. District Court for the District of Columbia seeking to block the proposed restrictions imposed by the FTC. This legal battle continued in 2024 as Meta sought to delay administrative hearings in connection with the lawsuit in January and March. In an April ruling, the U.S. Court of Appeals for the District of Columbia found Meta had not shown a likelihood of any unconstitutional proceeding and denied its request to halt an FTC hearing on the company's teen data monetization practices.
In response to a Financial Times report alleging Meta and Google privately agreed to target teenagers through YouTube and Instagram, the European Commission took steps to probe the matter. Specifically, the Commission asked Alphabet, Google's parent company, to "review and collate data, presentations, internal chats and emails related to the ad campaigns" in which teens were supposedly served personalized ads for Instagram and YouTube.
Last year also brought about FTC discussion about possible changes to the Children's Online Privacy Protection Act Rule, with efforts to amend it likely continuing into 2025. Suggested changes include requiring separate opt ins in for targeted advertising, limiting nudging children without parental consent and enhancing data security requirements.
Privacy lawsuits
2024 was also marked by several impactful adtech lawsuits. In January, pursuant to a Canadian class-action lawsuit, Meta offered CAD51 million to settle claims of nonconsensual use of user information for advertising purposes. The lawsuit claimed Meta collected and used names and email addresses for its Sponsored Stories ad campaign.
Then in April, as part of its settlement of a class-action lawsuit filed in 2020, Google committed to destroy data collected from the incognito Chrome browsing option. Google was also obliged to update what user data it collects during private browsing and to make an update to Incognito mode that allows users to block third-party cookies by default.
Finally, in October, in a civil complaint brought by NOYB Chairman Max Schrems, the CJEU found Meta was not authorized to process data obtained outside the platform with a view to aggregate and analyze such data for the purpose of offering personalized advertising. In this case, Schrems made a statement about his sexual orientation at a public panel and argued Facebook had processed such information for the purposes of targeted advertising.
Technology and policy developments
Last year was also shaped by many platforms' initiatives to focus on their own services, whether by updating their technology or changing their policies. With respect to the former, Apple introduced an AI-powered privacy filter to its operating system that blocks ads. LinkedIn likewise decided to disable its targeted advertising tool to comply with the EU DSA. Google added encryption to its trusted execution environments and made this a default setting. As to policy changes, Google also announced the implementation of a data retention policy that limits data access to 11 years, including information stored in Google's advertising services. Meta announced plans to restrict advertisers' data access to certain categories of user data on its platforms. This would limit advertisers' access to data by topic and their ability to target users based on online activity.
Adtech 2025: A look ahead
While 2024's top stories centered on major adtech players, the consequences will be felt across the industry, influencing businesses of all sizes in policy, operations and innovation.
DPAs will likely follow Europe's lead by issuing stricter guidelines and investigating cookie misuse. This will push companies to scrutinize their cookie practices. With the decline of third-party cookies, businesses may shift to first-party data strategies or embrace contextual advertising, leveling the playing field for smaller players to compete without relying on complex data-sharing arrangements.
Meta's pay-or-consent debate may discourage others from adopting similar models, prompting companies to explore alternative strategies. Privacy-enhancing technologies and innovative advertising solutions could see broader adoption, reshaping the competitive landscape.
Antitrust scrutiny is expected to remain intense, targeting data collection, sharing and usage. This will increase compliance demands for all businesses, necessitating greater transparency and empowering users to have more control over their data. The growing focus on children's privacy may tighten restrictions on targeted advertising, creating new challenges but also opportunities for different players to innovate.
Litigation will likely spotlight transparency, consent and data practices, underscoring the legal risks for companies that fail to adapt. Issues like automated decision-making and algorithmic bias may draw further attention, compelling adtech businesses to rethink their models and processes. Ultimately, regulatory and legal actions will drive innovation, encouraging companies to adopt privacy-focused technologies, first-party data strategies and alternative advertising models.
Aly Apacible-Bernardo, CIPM, is a legal research associate at the IAPP.