How will the latest legislation out of Europe and the United States impact digital advertising in 2025 and beyond?
It’s been a busy few years for digital advertising industry regulators, with new regulations taking effect around the US and new legislation popping up across the globe. What’s the latest, and how will it impact advertising and marketing professionals?
While the United States has taken its time determining how to handle Big Tech regulation, the European Union has embraced its reputation as the world’s fiercest tech regulator.
Unrestrained by free speech rules like America’s First Amendment, the EU has taken the lead on matters like consumer privacy (with GDPR), walled gardens like Apple’s App Store and the Google Play Store (with the Digital Markets Act), and misinformation and hyper-personal ad targeting on social media (with the Digital Services Act).
Though some requirements of the Digital Services Act (DSA) came into effect in 2023, with “Very Large Online Platforms” and “Very Large Online Search Engines” being subject to the law’s stipulations, it wasn’t until February 2024 that all platforms became subject to its broader implementation and enforcement. The law compels social platforms like Facebook, Instagram, and YouTube to dedicate more resources to stomping out misinformation and hate speech on their platforms, and bans any targeted online ads that are based on an individual’s ethnicity, religion, or sexual orientation. Google and Meta are also now subject to annual audits to uncover “systemic risks” related to their social assets, search engines are required to suppress misleading search results, and even Amazon will have to comply with new rules aimed at curbing the sale of illegal products. Since the Digital Services Act went into effect, the European Commission has aggressively enforced it: X has been under investigation since 2023, while the Commission opened formal proceedings against Facebook and Instagram in 2024 to assess compliance.
While the DSA has somewhat inhibited targeting precision in the region, it is also helping to foster safer advertising environments—particularly on social media—helping both brands and users enjoy a more hospitable digital ecosystem. With brand safety looking like an increasingly-elusive proposition in the United States, an internet with less misinformation and more trust sounds downright novel, providing marketers with some welcome upside in the face of targeting limitations.
As for the Digital Markets Act, in September 2023, the EU designated six companies—Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft—as “gatekeepers” under this regulation. Though TikTok and Meta appealed this designation and Apple filed a legal challenge to the DMA itself, these tech giants have been forced to make changes to meet the rules and requirements outlined in the DMA, such as allowing users to choose different default browsers and search engines, download iPhone apps outside of Apple’s App store, and control how their personal online data is used.
Altogether, social media platforms face strict regulation in the EU—and serious consequences when they breach the bloc's privacy laws. Meta learned this the hard way, incurring a nearly $1.3 billion penalty for transferring user data between the United States and countries in the EU and the European Economic Area. It’s the biggest penalty an EU regulator has levied on a tech company since 2021 and a clear signal that privacy compliance is non-negotiable. That said, the EU-US Data Privacy Framework should hopefully help prevent similar data flow-related fines and confusion going forward.
Back stateside, industry regulation is a bit more decentralized—at least, for now. While federal-level legislation has mostly lingered in congressional purgatory, 11 new state-level data privacy acts have already taken effect this year—with many more set to take effect throughout 2025.
The broadest and most impactful of these enacted state-level regulations is the California Privacy Rights Act, aka CPRA. Building off the foundation of 2018’s groundbreaking California Consumer Privacy Act (CCPA), the act created a California Privacy Protection Agency that’s dedicated to (and responsible for) enforcing the law—indicative of increased enforcement—while also reducing ambiguity around how to interpret some of the data-related aspects of the law. The CPRA now requires companies to give consumers the opportunity to not only opt out of the sale of their personal information, but also of giving or sharing that data with someone else, including a third party that might use it for cross-context behavioral advertising.
As Basis General Counsel Derek Zolner put it, “Essentially, the CCPA, CPRA, and the other data privacy acts that are popping up around the US are establishing legal enforcement mechanisms around personal control of one’s personal data and codifying many of the core principals of our industry—namely, transparency, notice, and the right to opt out. Only now, instead of the industry self-regulating these matters, state governments are intervening to take control of that enforcement.”
Meanwhile, at the federal level, privacy-focused legislation remains stuck in lawmaking purgatory. In April 2024, a bipartisan group of lawmakers released a draft piece of legislation that would establish a comprehensive federal consumer privacy framework, called the American Privacy Rights Act (APRA). In its original form, the APRA was expected to have serious implications for the digital advertising ecosystem—establishing strong data security standards as well as clear national data privacy rights and protections, giving individuals the right to sue those who violated these rights, and giving the FTC authority to enforce any violations of the bill. But the bill has since stalled and, with the change in administration, appears unlikely to be revived anytime soon.
As consumers grow increasingly skeptical of Big Tech’s handling of their personal data, state-based legislation has provided users with increased transparency and control…for the residents of those states. With national legislation looking increasingly unlikely, at least at any point in the near future, advertisers and publishers are likely to leverage different tactics in different states—or, alternatively, will default to the most stringent policies (such as the CPRA) across all their campaigns.
From a consumer perspective, as much as consumers say they want a unified, omnichannel experience, they’ve also made it clear that they want more control over who can—and who cannot—access their personal data as part of the advertising process. Private companies like Apple (with iPhone’s App Tracking Transparency and the lack of third-party cookies on its Safari browser) and even Google (which, while no longer deprecating cookies in Chrome, is planning to let users make an “informed choice” about third-party trackers in their browser) have shown a willingness to slowly but surely give consumers more control over their data. With signal loss having crossed 50% and third-party cookies heading toward the same fate as MySpace and the VCRs, advertisers should continue to embrace privacy-friendly tactics like alternative identifiers, contextual, and brand lift studies.
As if pending legislative action wasn’t enough, Google, Meta, and Amazon—which, together, account for almost two-thirds of the nearly $350 billion US digital ad market—are also facing both consumer scrutiny and federal lawsuits around monopolizing the adtech market, the social media market, and the online retail market in the US.
Google, in particular, has caught the eye of the Justice Department and several states. It has faced not one but two lawsuits alleging violation of US antitrust laws. The first case, brought by the Department of Justice and 11 state Attorneys General, aimed to prevent Google from “unlawfully maintaining monopolies through anticompetitive and exclusionary practices in the search and search advertising markets.” This suit and its ruling come at a time when Google owns an almost 90% market share in search, though the company maintains that its supremacy in the landscape is because they “simply provided a superior product.” The 10-week trial for this case concluded in early May 2024, and in August 2024, a federal judge ruled that Google had, in fact, violated antitrust laws in online search. In his ruling, Judge Amit P. Mehta stated, “Google is a monopolist, and it has acted as one to maintain its monopoly.” Potential penalties or remedies for Google’s misconduct have not yet been set, although the DOJ has proposed significant modifications to the tech giant’s business, including selling off its Chrome browser.
Additionally, Google is the subject of a second suit accusing the company of “monopolizing digital advertising technologies” in violation of the Sherman Antitrust Act. While the first case addressed its monopolization of the search landscape, this second case relates to Google’s overall presence within the digital advertising landscape. During the trial, which wrapped up in November 2024, the Department of Justice argued that Google monopolized the ad server and ad network markets, attempted to monopolize the exchange market, and applied monopoly power by uniting all of the products they used to do so into a single offering. A ruling on this case is expected early this year.
This antitrust regulatory action isn’t limited to the US. Across the pond, Google faces similar antitrust charges for its digital advertising practices, with the European Commission citing Google’s heavy involvement at “almost all levels of the so-called adtech supply chain” and noting concerns that the world’s fourth-most valuable company “may have used its market position to favor its own intermediation services.” This marks the fourth time Google has run afoul of EU antitrust regulations in recent years, and with the bloc’s history of action against US-based tech giants, the case is unlikely to go away anytime soon.
Beyond these antitrust suits, recent years have seen a notable increase in class-action lawsuits against brands for allegedly making false and/or misleading claims in their advertising.
For instance, Starbucks was sued for advertising that they’re “committed to 100% ethical sourcing” despite sourcing coffee beans and tea from “cooperatives and farms that have committed documented, severe human rights and labor abuses,” according to the lawsuit filed by the National Consumers League. Soda company Poppi faced a class-action lawsuit for advertising “prebiotic” and “gut healthy” benefits, when such benefits are negligible—particularly given how much sugar their products contain. The makers of Liquid I.V. were sued for including a “no preservatives” label on their electrolyte drink powder, despite using citric acid and other well-known preservatives. And Grubhub faced a lawsuit that alleges the company deceives customers by promising free delivery, but then charging fees at checkout.
This uptick in false advertising lawsuits shows a growing awareness and intolerance towards deceptive marketing practices among consumers and regulators alike. Both are increasingly willing to hold companies accountable for misleading claims, reflecting a broader demand for transparency and honesty in advertising. Additionally, several new enacted and proposed state-level regulations echo these growing demands, including a California law that targets misleading product labeling around recyclable plastic, a proposed Arizona bill aimed at helping to eliminate misleading information in healthcare advertising, and a proposed Louisiana bill addressing truth in advertising, specifically as it relates to related to how foreign seafood is sourced and labeled.
Given the increased legal scrutiny, consumer sentiments, and uptick in legislation aimed at tackling misleading or false advertising, brands and marketers must be diligent in ensuring that they are not just satisfying regulations, but using messaging that is rooted in truth and authenticity, lest they risk both legal repercussions and lasting damage to their reputations.
Since its public release in 2022, generative AI has garnered a lot of hype—and for good reason. From AI chatbots like ChatGPT, to AI image and art generators like Midjourney, to Microsoft and Google both embracing new AI-powered search capabilities, this emerging tech is making some serious waves in the marketing and advertising world (and beyond). But for all the excitement around generative AI, its boom has also been accompanied by fierce warnings and concerns from experts across the globe.
Amidst these mixed emotions, it’s no surprise that AI regulation has become a hot topic. In 2024, the world’s first comprehensive AI law, the EU AI Act, went into effect. The act outlines the many potential benefits of AI, while establishing “obligations for providers and users depending on the level of risk from artificial intelligence.”
The US, meanwhile, has yet to take action quite as deliberate as the EU’s, but that doesn’t mean Washington has been ignoring AI’s emergence. In 2023, OpenAI CEO Sam Altman appeared before Congress and directly encouraged lawmakers to regulate artificial intelligence. Later that year, former President Joe Biden signed an executive order that aimed to address the “safe, secure, and trustworthy development and use of Artificial Intelligence.” However, President Trump has since rescinded that order and, more generally, has signaled that his administration will adopt a more relaxed regulatory approach to AI. Meanwhile, several AI-focused bills have stalled in Congress, with their paths toward enactment looking increasingly uncertain.
On the state level, Utah became the first state to enact a consumer protection law focused on AI. The 2024 Utah Artificial Intelligence Policy Act (UAIP) mandates that organizations disclose their use of generative AI tools to consumers, and restricts organizations from attributing consumer protection violations to generative AI. And in California, draft regulations around the use of AI and automated decision-making would amend the CPRA to give Californians the right to access information about how implicated businesses use automated decision-making tools, including AI tools, in relation to consumers, as well as the right to opt out of their data being used by those tools.
With President Trump’s increasingly-warm ties to the AI industry, federal-level regulation appears to be off the table for the time being. However, international and state-level AI regulations continue to move forward, and more are likely to be introduced in the coming months and years as the technology continues to proliferate. With nearly three-quarters of marketing and advertising professionals saying they believe AI’s development and usage should be regulated—and with its incredible potential benefits still tempered by its significant risks—it’s critical that advertisers stay up-to-date on this evolving landscape to both ensure compliance and to understand where the industry is headed.
Last but not least, while the majority of industry-focused regulation has centered around American-based companies, there is one notable exception to the trend: TikTok, whose fate in the US is increasingly tenuous.
In 2024, Congress passed legislation requiring TikTok parent company ByteDance sell its stake in the app within 12 months or else the app would be banned in the US. While TikTok filed a subsequent lawsuit seeking to halt the law, the Supreme Court unanimously upheld the ban in January 2025. The app was set to go dark on January 19, but on January 20, President Trump signed an executive order that aims to delay enforcement of this ban until early April. The legality of such an order remains unclear, but for the time being, the app remains online in the United States.
Looking ahead, TikTok’s fate may hinge upon ByteDance’s willingness to sell the app to an American company—or, alternatively, on Congress passing new legislation that amends or supersedes the 2024 bill to permit TikTok’s return to US app stores. While that was long rumored to be a non-starter for the company, recent signals indicate that both the Chinese government and ByteDance’s leadership may be increasingly open to a sale. And though a number of potential buyers have shown an interest in acquiring the wildly popular app, none have emerged as a front runner, leaving TikTok’s future uncertain.
With TikTok’s fate still unknown, advertisers should continue to craft their contingency plans to swiftly shift budgets should the app ultimately be banned in the US. But the clock is ti(c)king...
For much of the past decade, regulators have increasingly turned their eye toward the digital advertising industry and its key players. Advertising leaders looking to balance innovation with compliance must take regulators’ concerns seriously—specifically, by prioritizing consumer privacy, staying abreast of antitrust lawsuits, avoiding false and/or misleading messaging, approaching AI with caution and intentionality, and keeping an eye on regulatory developments across the board.
While the US is likely headed toward a looser regulatory environment, one way or another, the digital advertising industry is going to have to prioritize privacy. Consumers and regulators alike are demanding increased transparency and individual control over user data. And if Big Tech—and the advertising industry—don’t want to make the difficult choices involved in regulating themselves when it comes to consumer privacy, then world governments will likely be all too happy to do it for them.
