What You Will Learn
- The early EU data protection frameworks that predated GDPR
- The EU Cookie Law — the first regulation specifically targeting tracking cookies
- How GDPR was developed, what it requires, and the initial enforcement actions
- GDPR's practical impact on email marketing, analytics, and behavioural advertising
- CCPA — the US state-level privacy regulation model and its limitations
- How Apple's iOS 14.5 ATT requirement changed mobile advertising overnight
- How Safari ITP and Firefox ETP degraded third-party cookie tracking independently of regulation
- The global spread of GDPR-inspired privacy laws
- The Privacy Sandbox journey — Google's attempt to replace cookies with privacy-preserving alternatives
- The privacy landscape digital marketers must navigate in 2026
Early Frameworks: 1995–2011
The EU Data Protection Directive (Directive 95/46/EC), adopted in October 1995, was the first comprehensive European framework for personal data protection. It required EU member states to implement national data protection laws and established principles that would later form the basis of GDPR: data should be collected for specified, explicit, and legitimate purposes; it should not be processed in ways incompatible with those purposes; and individuals have rights to access and correct their data. The Directive was not specifically designed for the internet — it predated widespread commercial internet use — but its principles applied to online data collection.
Safe Harbor (2000–2015) was a framework allowing US companies to transfer EU citizens' personal data to the US by self-certifying compliance with EU data protection principles. Safe Harbor was invalidated by the European Court of Justice in October 2015 (in the "Schrems I" ruling) after revelations about NSA surveillance programmes demonstrated that the framework did not adequately protect EU citizens' data from US government access. Safe Harbor was replaced by Privacy Shield in July 2016, which was itself invalidated by the ECJ in July 2020 (Schrems II), leading to the current EU-US Data Privacy Framework agreed in 2022.
The EU Cookie Law: 2011–2014
The EU e-Privacy Directive (Directive 2009/136/EC), informally called the "Cookie Law," came into force in May 2011 and required websites to obtain consent from users before setting non-essential cookies — including analytics cookies and advertising tracking cookies. This was the first regulation to specifically target the tracking technology that underpinned digital advertising.
Initial implementation was inconsistent: some websites added prominent cookie banners; others implemented "implied consent" (a banner stating "by using this site you accept cookies" without an actual consent mechanism). The UK's Information Commissioner's Office (ICO) and other national data protection authorities issued guidance and ultimately enforcement notices pushing for genuine, opt-in consent rather than implied consent.
The Cookie Law foreshadowed GDPR's more comprehensive consent requirements but lacked GDPR's enforcement teeth — fines for cookie law violations were modest, and enforcement was inconsistent across EU member states. Its primary legacy was normalising the cookie consent banner on websites throughout Europe — and establishing the concept that tracking required consent rather than being a right.
GDPR: Development and Enforcement
The General Data Protection Regulation (GDPR) was proposed by the European Commission in January 2012 and went through four years of legislative process before being approved by the European Parliament on 14 April 2016. It applied from 25 May 2018, replacing the 1995 Data Protection Directive; the two years between adoption and application were the transition period given to organisations.
GDPR's key features that distinguished it from its predecessor: direct applicability (it is a Regulation, not a Directive — meaning it is directly enforceable in all EU member states without national implementation legislation); extraterritorial scope (it applies to any organisation anywhere in the world that processes personal data about EU residents); significant enforcement powers (fines of up to €20 million or 4% of global annual turnover); and clearly specified consent standards (freely given, specific, informed, and unambiguous — with a genuine choice and an equally easy opt-out).
The first major GDPR fine was issued to Google by France's CNIL (data protection authority) in January 2019: €50 million for lack of transparency and adequate consent for personalised ads. Meta (Facebook) has subsequently received the largest GDPR fines to date — including €1.2 billion from Ireland's DPC in May 2023 for data transfers to the US.
GDPR's Impact on Digital Marketing
GDPR's practical marketing implications were immediate and significant:
- Email marketing. Pre-checked opt-in boxes and "soft opt-in" for commercial communications became unambiguously non-compliant. Email lists required genuine, documented consent — leading to widespread "re-permission" campaigns and significant list size reductions for organisations that had built their lists through non-compliant methods.
- Analytics. Analytics cookies require consent under most interpretations of GDPR and the e-Privacy Directive. Consent management platforms (CMPs) on EU-facing websites became industry standard, and the consent rate (the proportion of users accepting analytics cookies) became a variable that directly limits measurement quality, since visitors who decline are absent from the analytics data.
- Behavioural advertising. Targeting based on personally identifiable behavioural data requires either consent or a legitimate interests assessment — and several EU data protection authorities have ruled that legitimate interests cannot be used for behavioural advertising tracking, requiring consent.
- Data governance. Organisations were required to have Data Processing Agreements with all third-party processors, regular Privacy Impact Assessments for high-risk processing, and clear data retention policies that are actually implemented.
CCPA: The US State Privacy Model
The California Consumer Privacy Act (CCPA), effective January 1, 2020, was the first major US privacy regulation to impose GDPR-like rights on consumers — the right to know what data is collected, the right to delete personal information, and the right to opt out of the "sale" of personal information to third parties. Amended by the California Privacy Rights Act (CPRA) in 2023, CCPA/CPRA applies to businesses meeting certain size thresholds that process California residents' personal information.
Unlike GDPR's opt-in consent model, CCPA uses an opt-out model: companies can use personal data for advertising by default, but must provide a clear "Do Not Sell or Share My Personal Information" link and honour opt-out requests. This fundamental difference — opt-in vs opt-out — means that CCPA allows behavioural advertising as a default while GDPR generally requires active consent.
By 2026, approximately 20 US states have enacted their own comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Florida, and others), creating a patchwork of state-level privacy requirements that US organisations must navigate without a single federal standard.
iOS 14.5 App Tracking Transparency: 2021
Apple's iOS 14.5 update, released April 26, 2021, introduced App Tracking Transparency (ATT) — requiring all iOS apps to explicitly ask users for permission to track their behaviour across other apps and websites for advertising purposes. The permission prompt uses Apple's standardised language: "Allow [App] to track your activity across other companies' apps and websites?" with "Ask App Not to Track" and "Allow" options.
The impact was immediate and dramatic: industry analyses showed that more than 85% of iOS users in most markets chose "Ask App Not to Track" — opting out of cross-app tracking. Meta (Facebook/Instagram) disclosed in its Q1 2022 earnings call that the ATT changes were expected to reduce its revenue by approximately $10 billion in 2022. The mobile advertising ecosystem that had been built on IDFA (Identifier for Advertisers) — the device identifier that enabled cross-app tracking — was fundamentally disrupted.
ATT demonstrated that when given a clear, comprehensible choice about tracking, the overwhelming majority of users choose not to be tracked. This finding has implications for consent rates under GDPR and other consent-based frameworks — it suggests that high opt-in rates for advertising tracking require either unclear consent mechanisms or genuinely compelling value exchange for user data.
Browser-Level Tracking Protection
Independent of regulation, browser-level technical decisions have systematically degraded third-party cookie tracking:
- Safari Intelligent Tracking Prevention (ITP). Apple launched ITP in September 2017 with Safari 11, blocking cross-site tracking cookies by default. ITP has been progressively tightened through subsequent versions — as of ITP 2.3 (2019), third-party cookies are blocked entirely in Safari regardless of user consent choices.
- Firefox Enhanced Tracking Protection (ETP). Mozilla launched ETP in June 2019 as the default setting for Firefox, blocking tracking cookies from known trackers. Firefox also blocks cross-site tracking through its "Total Cookie Protection" feature (2021) — isolating cookies to the site that set them so they cannot be used to track across sites.
- Chrome and Google's Privacy Sandbox. Google announced plans to deprecate third-party cookies in Chrome in January 2020, subsequently delaying the deprecation multiple times. In July 2024, Google announced it would not fully deprecate third-party cookies in Chrome but instead provide users with a choice about tracking preferences.
Global Privacy Laws: GDPR's Influence
GDPR's influence extended well beyond Europe: its standard-setting effect prompted privacy legislation in dozens of countries. Notable GDPR-inspired laws include Brazil's Lei Geral de Proteção de Dados (LGPD, 2018), India's Digital Personal Data Protection Act (2023), Japan's amended Act on Protection of Personal Information, South Korea's Personal Information Protection Act, and the UK's retained version of GDPR (UK GDPR) post-Brexit. Over 130 countries now have some form of personal data protection legislation.
The Privacy Sandbox Journey
Google announced the Privacy Sandbox initiative in August 2019, proposing a set of open web APIs that would replace the tracking capabilities of third-party cookies with privacy-preserving alternatives. The initiative faced significant scrutiny from the UK's Competition and Markets Authority (CMA), which entered a formal agreement with Google in February 2022 requiring the CMA to be consulted before Google made changes to Chrome's cookie handling.
Key Privacy Sandbox APIs developed and tested through 2022–2024: Attribution Reporting API (privacy-preserving conversion measurement); Topics API (interest-based advertising without user-level tracking); CHIPS (partitioned cookies that cannot track across sites). After multiple delays, Google announced in July 2024 that it would not proceed with third-party cookie deprecation in Chrome but would instead give users an informed choice — a significant change from the original deprecation plan.
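As an added example (not from this guide, a CMP vendor or the Privacy Sandbox project), the following Python script implements the check the analytics bullet above and the browser-level sections imply: it audits the Set-Cookie headers a page emits before any consent interaction, flags non-essential cookies set without opt-in, and flags cross-site cookies that lack the CHIPS Partitioned attribute. The cookie names, the declared inventory and the captured headers are all constructed.

```python
# Pre-consent cookie audit (added example; cookie names and headers are constructed).
# Constructed cookie inventory: the categories the site's cookie notice declares.
DECLARED = {"session_id": "essential", "_ga": "analytics", "_fbp": "advertising"}

# Constructed Set-Cookie headers captured on first page load, before any consent click.
PRE_CONSENT_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111; Path=/; Max-Age=63072000",
    "_fbp=fb.1.222; Path=/; Secure; SameSite=None",
    "embed_pref=dark; Path=/; Secure; SameSite=None; Partitioned",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes.
    Hand-written because http.cookies.SimpleCookie silently drops a header that
    carries the Partitioned attribute, which it does not recognise."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flags -> True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_pre_consent(headers, declared=DECLARED, consent=()):
    """Return (cookie name, finding) pairs for cookies that should not have been set.
    `consent` holds the categories the visitor has opted in to; before any
    consent interaction only essential cookies are allowed."""
    consent = set(consent)
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name, attrs = cookie["name"], cookie["attrs"]
        category = declared.get(name, "undeclared")
        if category == "undeclared":
            findings.append((name, "not in the cookie inventory: declare it or stop setting it"))
        elif category != "essential" and category not in consent:
            findings.append((name, f"{category} cookie set without opt-in consent"))
        # A cookie meant to be sent cross-site needs SameSite=None plus Secure; without
        # the CHIPS Partitioned attribute Safari ITP and Firefox ETP block it by default
        # and Chrome sends it only for users who allowed third-party cookies.
        if str(attrs.get("samesite", "")).lower() == "none":
            if not attrs.get("secure"):
                findings.append((name, "SameSite=None without Secure: browsers reject the cookie"))
            if not attrs.get("partitioned"):
                findings.append((name, "cross-site cookie without Partitioned: blocked in Safari and Firefox"))
    return findings
```

Run it against a capture of your own site's first-load responses: every finding is either a consent problem or a cookie that modern browsers will not deliver anyway.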
The Current Privacy Landscape: 2026
| Dimension | Current Status (2026) |
|---|---|
| EU/UK analytics cookies | Require explicit opt-in consent under GDPR/UK GDPR and e-Privacy rules |
| Safari third-party cookies | Blocked by default regardless of consent |
| Firefox third-party cookies | Blocked by Enhanced Tracking Protection by default |
| Chrome third-party cookies | User choice prompted (not deprecated); third-party cookies still functional for users who allow them |
| iOS cross-app tracking | Requires explicit ATT permission; ~15% opt-in rate in most markets |
| US federal privacy law | No federal law as of 2026; ~20 state laws active |
| First-party data | Increasingly valuable as third-party data availability declines |
Authentic Sources
Every factual claim in this guide is drawn from official sources, primary documents, or directly documented historical records. We learn from official sources and explain them in our own words — we never copy.
- UK Information Commissioner's Office official guidance on UK GDPR requirements.
- Official Apple documentation on App Tracking Transparency requirements and implementation.
- Official Privacy Sandbox initiative documentation and API specifications.