In the latest edition of our A&M series, Bryony Long, Rupam Davé and Mark Hersey (Lewis Silkin LLP) were joined by Gary Kibel (Davis + Gilbert LLP) to discuss regulatory changes, enforcement trends and compliance priorities across the UK, EU and US digital advertising markets. Here are the key takeaways:

1. PECR updates now in force

All the Data (Use and Access) Act 2025 amendments to PECR are now in force. While the UK GDPR level fines, (i.e. maximum £17.5 million or 4% of global annual turnover, whichever is higher) are grabbing all the attention, the extension of the cookie consent rules to anyone who "instigates" the storage or access to stored data widens the scope for regulatory enforcement so will need some consideration particularly for advertisers. In addition to this, wider enforcement powers for PECR breaches, the return of the soft opt-in for charities and the relaxation of exemptions for cookie consent where they pose a low risk to user privacy mean now is a good time to revisit your cookie consent mechanisms and direct marketing practices, especially as we know the ICO is very active when it comes to PECR breaches. For those interested in engaging with the ICO and shaping industry codes of conduct watch this space.

 2. EU Digital Services Act enforcement is accelerating

The DSA is driving significant enforcement activity against major platforms. In December 2025, the EU Commission issued its first DSA fine of €120 million. Transparency has been the common thread in all DSA enforcement action to date. In-scope businesses should review their transparency practices now to ensure compliance. Further, it is likely in scope businesses might try to flow down certain of their compliance obligations on to companies using those services caught by the DSA from an advertising perspective, so advertisers should take care to ensure such obligations are appropriate.

 3. Adtech-related data protection breaches continue to attract fines

EU data protection authorities continue to be active in the ecosystem, issuing fines for breaches. The CNIL is particularly active in this area and has issued fines of €3.5 million against a company for transferring loyalty programme data to a social network for targeted advertising without valid consent, €325 million against a big tech company for advertising and cookie practices in its email offering and €150 million against a fast fashion company for placing advertising cookies without valid consent.

The long running IAB Europe TCF litigation concluded, with the €250,000 fine being upheld, and the court confirming that TC strings are personal data and that IAB Europe is a joint controller with TCF participants for storing consent preferences. 

While the dust seems to have settled momentarily on the "pay or ok" debate, privacy campaigners are still active and are pursuing this issue so another area in which to watch this space!

What is clear, is that businesses involved in the adtech ecosystem face growing financial and regulatory risk from non-compliant data sharing and consent practices and so should act now to address any gaps.

 4. Clarification of publisher responsibilities for ad content

Turning to the EU courts, the CJEU's decision in Russmedia (C-492/23) has important implications for online marketplaces and publishers. The court clarified that: 

1. personal data is special category data where it indirectly reveals protected characteristics, whether or not the data is true.
2. publishers process personal data when publishing ads containing personal data, and
3. both publisher and advertiser are joint controllers when the ad is published. 

Further, where a publisher "knows or ought to know" that sensitive data appears in an ad, technical and organisational measures should be implemented to identify such ads before publication. This means publishers should be implementing pre-publication screening processes to manage this risk.

 5. US state privacy laws are creating a complex patchwork of requirements

The US presents a challenging compliance landscape, with California remaining a key jurisdiction following enforcement actions around opt-out processes, cross-device linking and data broker practices. Other states are not to be ignored. For example, the Maryland Online Data Privacy Act, effective October 2025, introduces strict data minimisation requirements that may significantly impact adtech data-gathering practices, including retargeting pixels and behavioural advertising. Children's privacy is a particular focus, with varying age thresholds and consent requirements across states creating operational complexity. Specialist US privacy advice is essential for businesses active in this market.