?? Adtech needs a bit of Irish luck

Lucid folks,

What an interesting time to be operating in privacy. In data protection, as in politics, we are increasingly watching competing visions collide in high stakes battles, rather than the emergence of a slow-building consensus. Ironically, as those forces compete to a standstill, or a lurching back and forth, it is the middle layer of lawyers, advocates, and regulators, pushed forward by a public that cares about these issues, that keeps moving the ball forward.

Would we be better served by comprehensive national and international standards setting by way of a more considered legislative process? Yuh huh.? But state AGs can only wait so many decades for that to happen. By the looks of it, 2025 is shaping up to be an explosive year of change.

In this issue:

• The California regulator (CPPA) has a board meeting, a new director, an impressive case docket, and an expanding category of data brokers…
• Adtech encircled and facing state AGs coming from multiple angles.
• The privacy impact of Trump’s browbeating, bullying and “America First” policy on the UK and Europe ... What's at stake and where are we going?

…and more.

From our bullpen to your screens,

Colin O'Malley & Lucid Privacy Group Team

With Alex Krylov (Editor/Lead Writer), Ross Webster (Writer, EU & UK), Raashee Gupta Erry (Writer, US & World), McKenzie Thomsen, CIPP/US (Writer, Law & Policy)

?? If this is the first time seeing our Privacy Bulletin in your feed, give it a read and let us know what you think. For more unvarnished insights, visit our Blog.

Your comments and subscriptions are welcome!

CPPA 3/6 Board Meeting – A Warning to Data Brokers

The California Privacy Protection Agency is ramping up scrutiny of data brokers with major developments. Here’s a quick rundown from their March 2025 meeting:

• The CPPA appoints a new Executive Director Tom Kemp
• CPPA explicitly classifies third-party cookie providers as data brokers subject to regulation
• Delete Act Draft Regulations move to formal rulemaking with a 45-day comment period opening soon
• California AG launched an investigative sweep targeting the location data industry
• And guess what? Companies in adtech using third-party cookies likely qualify as data brokers even if currently unregistered

The takeaway: Both registered and unregistered data brokers face increased enforcement actions and regulatory scrutiny in California and beyond. Companies using third-party cookies should urgently reassess whether they qualify as data brokers under these expanded definitions.

Read more

Adtech Privacy Risks at the #BridgePrivacySummit: Increasing Regulation and Enforcement

Adtech Privacy Risks at the #BridgePrivacySummit: Increasing Regulation and Enforcement

Adtech is at a dangerous crossroads. The industry’s reliance on personal data sharing is colliding with aggressive new enforcement from the regulators. At the 2025 Bridge Summit, Raashee Gupta Erry and other panelists broke down the key risks: geolocation data, health data, and state data broker laws. With 19 state privacy laws to consider and new enforcement mechanisms gaining traction, the pressure is mounting. Regulators are targeting not only data sales, but any unauthorized sharing with adtech partners. Companies relying on legacy data-sharing infrastructure & practices need to rethink their strategy—fast. The road ahead is clear: adapt or face the consequences.

Read more?

Do We Need a Little Luck of the Irish for Data Privacy?

As St. Patrick's Day revelers in the US and Ireland don their best green outfits and attempt to “Split the G" there are growing concerns in Ireland and the rest of the EU that the Trump Administration's "America First" approach poses a significant challenge to Europe’s broader privacy and data protection laws.

For example, Vice President JD Vance has openly criticized EU regulations, suggesting AI and tech growth should take precedence over safety concerns. What is emerging isn't simply a policy disagreement but a fundamental philosophical divide about the digital future—one where American-style innovation is increasingly at odds with Europe’s commitment to protecting human rights and fundamental freedoms.

Steve Wood, former ICO Deputy Commissioner, wrote in detail in UK digital regulation - what impact could trade negotiations with the US have? that a trade deal could have a "significant policy impact" on critical issues like disinformation and children's protection from emerging technologies like generative AI.

Friend of Lucid, Nick Stringer, asks in Are you a Digital Mercantilist or an Online Smuggler? whether Europe now finds itself caught between maintaining its GDPR protections and securing favorable trade terms with the United States, and warns that if the EU and UK take a mercantilist approach aimed at driving economic growth, this might come at the expense of privacy standards & data protection.

But maybe there’s some hope to be had? Last week, Lauren Wetzel of InfoSum expressed a more upbeat opinion in her piece, American By Birth, European By Data Privacy Standards, that one day we may see the US adopt more European-style privacy-centric standards. It’s worth remembering that the EU’s commitment to fundamental human rights, including privacy, comes from the battle scars of surviving authoritarian regimes during much of the 20th century. If living under the surveillance state of the Stasi, or the prying eyes of the Gestapo is within one’s living memory, one is more likely to prioritize privacy over the price of eggs. Let’s hope the US doesn't need the same hands-on lesson.

Still, for the moment, that dream seems as likely as finding ‘a pot of gold at the end of a rainbow’, given the Trump Administration's current tactic of exporting American values via jawboning, tariffs, and trade threats.

Who Me? A Data Broker? Can't Be

You might recall in last week’s Bulletin that Lucid’s Ben Isaacson shared his perspective on how California’s new ‘Delete Act’ may classify a broader range of companies as data brokers than most might realize. Ben is back this week, chatting with the Future of Privacy Forum’s Jules Polonetsy on just how murky this definition can be.??

Listen here

Other Happenings

1. Live from SXSW – Meredith Whitaker Warns Us All About Agentic AI: Carey Lening attended South By Southwest last week, where AI, quantum computing, and futurism were the session favorites – and the talk of Line Con. But it was Signal President Meredith Whittaker’s warning that stuck with her the most. We’re already giving up a lot to data-hungry AI companies privacy-wise, Whittaker lamented. But it gets even worse with Agentic AI. Sure, it might be convenient to have an AI Agent plan your calendar, schedule a girl’s night out, or book a holiday, but is it worth the privacy and security risks to give an AI Agent ‘root privileges’ to your life???
2. Honda's Privacy Pit Stop: Implementing and maintaining a compliant Consent Management Platform (CMP) can be a hefty technical and organizational challenge for businesses. Many publishers are content (get it?) with getting "close enough" and living with some loose ends, such as dark patterns in the UI and sloppy advertiser vendor management processes. But be warned–The California Privacy Protection Agency (CPPA) has thrown down the gauntlet, and it seems that getting your CMP "close enough" isn't going to cut it in California any longer. The CPPA has handed down a fine of $632,500 to Honda, $382,500 of which is due to Honda requiring more information than is necessary to opt-out of data sharing that affected a grand total of 153 consumers. That might seem small, but if you do the math, it could get expensive in a hurry.?
3. NAI Announces Framework for New Era of Digital Advertising Self-Regulation.?As the Adtech industry adapts to formal government regulation, so is the Network Advertising Initiative (NAI) evolving from its historic focus on prescriptive self-regulatory requirements to helping companies comply with expanding legal decrees. In its 25th anniversary year, the NAI is replacing its “Code of Conduct” with a new "Framework" organized around a set of guiding principles, with best practices, guidance, and standards designed to help member companies implement programs and processes to meet their compliance needs. Accordingly, the NAI is also updating its annual review program to help members improve their privacy programs and benefit from industry trends and benchmarking.
4. The NFL’s Big Fumble With Consumer Data–What It Means. You’d think an organization as big as the NFL would have its data practices buttoned up. But no—all 32 NFL teams have been collecting and sharing detailed consumer data, including location tracking, without clear notice or opt-out options. Given how sensitive location data can be, this leaves big questions unanswered: How much data was collected? How widely was it shared? And will adtech vendors delete existing data? For a massive brand like the NFL, the real risk isn’t just regulatory—it’s reputational. Fans expect better!

Lucid Resources

• NEW?Consent or Pay Compliance Assessment (COPCA)
• Tracking Technology Privacy Impact Assessment (TTPIA)
• Vendor Security & Privacy Impact Assessment (VSPA)
• Universal Data Protection Impact Assessment (UDPIA)
• Pan-US Data Protection Impact Assessment (US DPIA)
• Pan-US Readiness Record (US)
• EU-US DPF Readiness Record
• Transfer Impact Assessment Template
• California Readiness Record (CCPA/CPRA)
• Virginia Readiness Record (VCDPA)
• Colorado Readiness Record (CPA)
• Connecticut Readiness Record (CTDPA)
• Utah Readiness Record (UCPA)
• China Personal Information Processing Impact Assessment Template (PIPIA)
• China PIPL Readiness Record