
The L+C Blog

Access Confidential: What Does Your Agency Need to Know About Data Privacy Now?

Data privacy issues aren’t new for agency marketers.

You’ve been navigating this space for years if any of your agency’s client work touches digital marketing, social media marketing, e-commerce, direct response campaigns or any other strategy or tactic involving consumer data (so, nearly all of you).

And you likely know that wherever there is consumer data to be leveraged, there is probably also a law, regulation or compliance policy around the privacy of that data to be managed.

But do your agency’s marketers have a handle on how the legal landscape related to data privacy has evolved over the last few years… and months?

The Evolving Data Privacy Landscape – What’s Changed?

A number of developments, seemingly all happening at once, are affecting the data privacy landscape. Those we see most frequently in our work counseling agencies are:

  • Consumers have evolved expectations and heightened knowledge about their data privacy rights

Your client’s customers are more knowledgeable than ever about their data privacy rights, thanks probably to the amount of press data privacy breaches receive, and to the number of states actively working to change their regulations around consumer data privacy.

Many of these consumers know the rules about protecting or using their data, as well as (in some cases) what a brand’s responsibility is for answering a consumer’s questions about personal data use, and when a brand needs to remove a consumer’s data. And the brands (your clients) are looking to the agency to understand the rules as well. Or, at a minimum, to help the brands stay compliant with those rules.

  • Tech platforms are now proactively embedding privacy features to address compliance requirements

The creators of tech platforms, sometimes under pressure from privacy regulators and sometimes as a voluntary risk-management measure for themselves and their users, are increasingly building in-platform tools and features to help with data privacy compliance.

While reliance on these built-in features doesn’t eliminate a brand or marketer’s responsibility for compliance, as the features become more prevalent, compliance with regulations around privacy becomes more top of mind and less cumbersome.

  • Legislative activity around data privacy protection has increased

While we have not seen policymaking in the U.S. at the federal level around data privacy protections (we would prefer one universal set of policy and rules for our clients, frankly), activity at the state level around data privacy has been dynamic – with Maryland enacting new policy effective October 1, 2025 that rivals California’s state data privacy regulations for compliance burden. There have also been active rulemaking and enforcement actions in a number of other states, and this activity is ongoing and increasing (we see you – Rhode Island, Kentucky, Tennessee and Texas, to name a few).

As agencies know, business is national and global. And so the fact that your agency, or your client, doesn’t reside in one of the more heavily regulated states doesn’t reduce your compliance obligations. It’s all about where the consumer(s) reside.

 

So what’s an agency supposed to do to manage all of this, while not taking on a share of the burden that is unreasonable? Here are four places to start:

  1. Know your client’s data collection and use practices.

Ask questions about the origin of the data (where did you get your lists or other customer information?), about how current the data is, and about how they have been using it in their businesses so far.

Know whether the client has received counsel from their marketing, IT and legal advisors in the past about data management practices and data privacy compliance rules.

A lack of clarity around this from the client is a good sign that you may need to probe more deeply to avoid potential data misuse, so long as the agency is asking the questions before it uses the data for a campaign. It’s also the feedback your agency needs in order to decide if hard decisions need to be made about using the data – including halting use of it for a re-engagement campaign or compliance measure to avoid breaking any regulations or platform policies.

 

  2. Build agency team awareness about data privacy compliance issues.

It’s not your agency’s job to be a legal advisor to your clients. It IS your team’s job to be fluent enough in data privacy issues to have an understanding of the rules that could apply, the coordination and communication that is required with the client (see #1), and the campaign details or issues that may need a legal recommendation by the client’s counsel.

How does the agency’s team achieve this fluency? Training and education. If your work involves working in a “data rich” environment (digital campaigns, media planning and buying, direct response marketing, to name a few), then investing in education on these issues is not only a risk management move but also a client retention move.

And if your agency’s client base includes clients in highly regulated industries where access to and use of consumer data is frequent (think health care, finance, insurance), then it should be doubling down on its focus here – attending conferences, webinars, or in-house trainings on data privacy rules and practices.

 

  3. Address data privacy compliance in your agency contracts.

Your agency’s client contracts should address data privacy legal compliance meaningfully, and in a way that clearly spells out who is responsible if a breach of some regulation or platform term or condition occurs. The agency should NEVER assume responsibility for the client’s practices or decisions around data handling. And to the extent it agrees to some assumption of liability for a data privacy violation caused by an agency error or practice, the circumstances and extent of liability should be very clearly defined (and ideally backed by appropriate insurance coverage).

If the agency is engaging any third parties to assist in performing work that will handle or use consumer data, the contracts with those parties should also clearly assign responsibility for handling data and liability for any regulation compliance around the data. Experienced vendors should not be surprised by this expectation – and ask about their insurance coverage, too.

 

  4. Understand the intersection of data privacy and AI risk management.

Data privacy compliance is one of the key components of managing legal risk when integrating AI into your agency’s work (the other is intellectual property).

Inputting customer and consumer data into any AI-powered tool creates legal risk. This is for two primary reasons: 1) your agency is not in complete control of any output from the tool once the data is input into the tool, and 2) your agency could be violating data privacy laws by inputting the data without sufficient disclosures to and opt-outs for the consumers who own that data. Tread cautiously and with the complete buy-in of the agency’s client and the appropriate legal reviews before moving ahead.

Data privacy compliance is a fast-moving target for agencies. If you have questions about how to handle the risk management around it, reach out to us with questions or for a review.


Contact

Sharon Toerek
Toerek Law
737 Bolivar Road, Suite 110
Cleveland, Ohio
44115
Call Me: 800.572.1155
Email: sharon@legalandcreative.com


Copyright ©2022. All Rights Reserved.