The advertising technology industry has a complicated relationship with privacy. For most of its history, the dominant logic was that privacy and performance were in fundamental tension: more data meant better targeting, which meant better performance for advertisers, which meant more revenue for publishers. Privacy constraints were obstacles to be worked around, minimised, or deferred until regulators forced the issue.
That logic is breaking down, not because the industry has had a change of heart, but because the technical and regulatory ground has shifted enough that building on the old surveillance infrastructure is increasingly untenable. In its place, a set of genuinely privacy-preserving technologies and approaches is emerging - some industry-led, some regulator-shaped, some developed by independent researchers and open-source communities.
For publishers, understanding what is worth adopting and what is marketing dressed up as privacy is increasingly important.
Google’s Privacy Sandbox
The most prominent privacy-preserving ad tech initiative of the past five years is Google’s Privacy Sandbox, a collection of browser-based APIs designed to support advertising use cases without enabling individual cross-site tracking.
The central component for advertising is the Topics API. Rather than third-party cookies tracking individual browsing behaviour and sharing that data with advertisers, the Topics API has the browser itself assign users to broad interest categories based on their recent browsing history. These categories - there are currently several hundred of them - are then shared with advertising scripts on pages the user visits, allowing interest-based targeting without any individual-level tracking data leaving the browser.
The Topics API is genuinely privacy-preserving in a technical sense: the data doesn’t leave the device, the categories are broad enough to prevent individual identification, and users can inspect and modify their topic assignments. It is also considerably less powerful than third-party cookie targeting, which has limited its adoption by advertisers who have been reluctant to accept reduced targeting precision.
For publishers, the practical significance is that the Topics API is an additional demand signal that can improve programmatic revenue modestly for users who haven’t consented to other tracking. It should be treated as a component of a broader strategy rather than a complete solution.
Server-side infrastructure
One of the most significant technical shifts in privacy-preserving ad tech is the move towards server-side infrastructure for both analytics and advertising. Rather than loading third-party JavaScript directly in the user’s browser - where it can access browser state, set cookies, and communicate with external servers - server-side implementations route data through the publisher’s own server infrastructure first.
This has several privacy benefits. The publisher controls what data is shared with third parties. IP addresses and other identifying information can be stripped or anonymised before data leaves the publisher’s server. The consent signal can be applied at the server level, ensuring that non-consented users’ data genuinely isn’t passed to advertising partners.
It also has performance benefits: fewer third-party scripts in the browser means faster page loads and better Core Web Vitals scores, which improves both SEO performance and ad viewability.
The move to server-side is not without complexity. It requires more technical infrastructure than client-side tag implementation, and the setup and maintenance cost is higher. For publishers with significant traffic, the investment is generally justified both by the compliance benefits and the performance improvements. For smaller publishers, managed server-side solutions are increasingly available that reduce the technical barrier.
First-party data infrastructure
The most durable privacy-preserving approach for publishers is the development of robust first-party data infrastructure - a relationship with readers that generates data that is directly, consciously, and lawfully shared, rather than inferred through surveillance.
This means registered user bases, email newsletters, membership programmes, and subscription products. It means clear, honest communication with readers about what data is collected and how it is used. And it means consent flows that generate genuine, auditable consent for the advertising and personalisation uses that publishers want to make of that data.
Publishers with strong first-party data are, in 2025, in a genuinely advantageous position. They can offer advertisers audience segments that are accurate, consented, and impossible to replicate through any third-party mechanism. They can charge premium rates for this inventory because it is scarce relative to the demand. And they are insulated from the regulatory and technical changes that continue to erode the value of surveillance-based targeting.
Building first-party data infrastructure takes time. Publishers who haven’t started that work yet are further behind than they should be, but the investment remains worthwhile - and the gap between publishers with strong first-party relationships and those without them is likely to widen rather than narrow over the next several years.
What to ignore
Not everything marketed as “privacy-preserving” deserves that label. Probabilistic fingerprinting - identifying individual users through combinations of device and browser characteristics without using cookies - is widely used and widely presented as a privacy-friendly cookie alternative. It is neither. It is cross-site tracking by a different technical means, and it is subject to the same legal constraints as cookie-based tracking. Publishers who are told that their ad stack includes a “cookieless ID solution” should ask exactly how that ID is generated and maintained.
The principle is straightforward: if a technology enables the tracking of individual users across sites without their consent, it is not privacy-preserving regardless of what mechanism it uses. Regulatory frameworks are technology-neutral for precisely this reason.