By Christine Desrosiers, VP of Product, Head of Privacy, Boltive
Privacy conversations today are still dominated by cookies and the slow fade of third-party tracking on the web. It makes sense. The web has been the center of gravity for privacy debates for more than a decade.
But while we are all watching the web, the next frontier of risk is accelerating in places most teams are not monitoring closely enough: in-app and Connected TV.
What happened on the web was a long, visible arc. What is happening in in-app and CTV is a fast, technical shift that is already outpacing the governance frameworks built for the browser world.
And here is the part most teams are not ready for: the failures in these environments are invisible until they are expensive. By the time a privacy team discovers the issue, the issues have already propagated through partners, algorithms have already optimized on top of those broken signals, and the exposure is baked into weeks of traffic.
The Acceleration Factor
When you add AI to the mix, the landscape shifts even faster. Automated systems now optimize traffic, swap creative, and adjust targeting in real time. In these conditions, privacy controls can drift out of compliance faster than any quarterly or even monthly audit can detect.
What was compliant yesterday can become a liability today.
Why In-App and CTV Demand New Attention
Many organizations still treat these environments like just another channel. They are not. They behave fundamentally differently from the web:
- Fragmentation is high: thousands of apps and hundreds of CTV platforms, each with unique SDKs and data flows
- Visibility is low: tracking happens inside opaque environments rather than inspectable pages
- Change is constant: updates, new SDK versions, and server-side shifts roll out without warning
- The stakes are higher: these channels often collect more sensitive user data with far less user transparency
The technology impacting privacy in these spaces is evolving at breakneck speed – years faster than the web’s trajectory – resulting in faster moving and harder-to-detect privacy failures than anything we saw during the cookie era.
The Risk Patterns We See Everywhere
Across organizations of all sizes, we see the same failure modes appearing again and again. They are not edge cases. They are systemic:
Consent signal failure. CMPs capture choices, but the signals do not propagate through every downstream partner.
Persistent tracking after opt out. Pixels or SDKs keep firing despite a user opting out. Even one vendor ignoring a signal creates legal exposure.
Unauthorized downstream sharing. Your direct vendor may be compliant, but their partners may not be. Server-side environments make it difficult to see who is receiving your data.
Ad-triggered data leakage. Creative can contain embedded pixels or network calls that activate without approval, especially when generative systems produce creative variants on the fly.
These are not malicious failures. They are the natural outcome of complex systems evolving faster than governance can keep up.
What Actually Works
The solution isn’t another checklist or another quarterly audit. It’s a fundamental shift in how we think about compliance monitoring.
This is especially critical for in-app and CTV, where the technical complexity and rate of change make traditional monitoring approaches essentially useless. You can’t inspect what you can’t see, and you can’t audit what changes hourly.
2026: What Leaders Should Plan For
The organizations that treat this as just another compliance box to check are the ones who are most at risk. The shift is already underway. It is fast, opaque, and amplified by AI.
The question is not whether privacy controls will drift in a dynamic, AI-accelerated environment. They will. The real question is whether you will detect those changes early enough to address them, rather than discovering them through a regulatory inquiry or public incident. The organizations that build this visibility now will be the ones prepared for the next phase of digital compliance.
