Inside the NAI Summit: How Privacy is Shaping the Future of Ad Tech
The NAI's 25th Anniversary Summit in San Francisco convened nearly 200 leading privacy experts, and regulators, to explore how emerging legislation, enforcement trends, and ad-tech shifts are shaping data-driven marketing. HealthLink Dimensions has spent the past three years advancing its privacy and data security posture. Insights from this event will guide continued investments in data stewardship and privacy compliance.
-
California Is Cracking Down on Non-Compliant Brokers
The California Privacy Protection Agency (CPPA) is actively conducting investigative sweeps to identify unregistered data brokers. With daily penalties of $200 for each missed consumer request starting in 2026, and mandatory audits every three years beginning in 2028, demonstrating operational compliance is essential.
-
Data Subject Requests Are Flooding Systems
Ad-tech is seeing large volumes of privacy requests from authorized agents, many pertaining to individuals not covered under applicable laws (e.g., non-Californians invoking CCPA). Despite being invalid, these must be logged and preserved. A structured triage process is now critical for maintaining SLA performance and accurately sorting validity from invalid requests.
-
The $6,600 CPPA Fee Is a Barrier and a Signal
California’s broker registration fee rose steeply in 2025. As a result, fewer brokers will register in 2025 than in 2024, despite it being a requirement. It is unclear how many brokers have chosen to “go dark” and operate as an unregistered broker versus those who have chosen to leave the market. Regardless, with the CPPA's public-facing complaint portal, anyone can report unregistered data broker violations meaning that “going dark” is not a viable option.
-
Statewide Opt-Out API Will Be Mandatory by Late 2026
California’s DELETE Act will mandate all data brokers to integrate with a centralized opt-out API. This "The Drop Signal" initiative aims to simplify consumer rights management, but it will likely require significant technical preparation on the part of data brokers. Engineering and legal teams should begin planning now to meet integration and compliance demands.
-
The Patchwork of State Laws Is Growing and Conflicting
At least 19 states now have unique privacy laws, with many layering in data minimization, opt-in for teen targeting, and are contemplating their own universal opt-out mechanisms. Several states limit geotargeting to nearly a half mile radius, with distances differing state-to-state. With no federal privacy bill expected in 2025, cross-state signal recognition and compliance mapping is now table stakes for scalable campaigns.
-
Treat PII Like Fissile Material
During the summit, a senior enforcement official compared PII to "enriched uranium" due to its power and potential to cause harm if mishandled. Other panelists pointed out that even hashed emails can be considered PII due to the reidentification risk. This reinforces the importance of short retention periods, robust access controls, and data-loss prevention protocols, especially for location and health-related data.
-
Selling Location Data Abroad Is Now a National Security Issue
With both the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) and the DOJ Rule (28 CFR Part 202) in place, it is now illegal to sell precise location data, identifiers, or health data to entities in China, Russia, Iran, North Korea, or Venezuela. Violations carry severe penalties, including large fines and potential imprisonment.
Pursuing these violations will be a priority for the DOJ, prompting a renewed focus among ad-tech and data brokers for more stringent partner and vendor vetting.
-
NAI Has Shifted from Audit Model to Principle-Based Framework
The NAI has evolved its self-regulation model from a formal audit-based system to a principle-driven approach grounded in transparency, choice, data governance, sensitive personal data, and accountability. While this provides greater flexibility for members and eliminates the “51st state” concerns, it also puts the onus on members to independently align with state-level laws and prove their compliance when necessary.
-
FTC Is Targeting Misleading Marketing Claims
The FTC is increasing scrutiny of marketing statements such as "100% de-identified" and practices that make opting out difficult. Legal and marketing teams must coordinate closely to ensure evidence-based truth in advertising. As it pertains to privacy claims, organizations should regularly audit consumer-facing privacy workflows to ensure they align with internal practices and market promises.
About HealthLink Dimensions
If your organization relies on healthcare provider data, now is the time to revisit your compliance architecture. As HealthLink Dimensions continues to lead with trust, transparency, and accuracy, these learnings will shape how we support clients across life sciences, healthcare, and digital health.
Want to know how we manage privacy, data accuracy, and regulatory alignment while serving as a leading healthcare data broker? Talk to a data expert at HealthLink Dimensions.
