This year’s IAPP Privacy. Security. Risk. (PSR) conference made one point impossible to ignore: the era of passive privacy management is over.
Regulators are staffing up enforcement teams including technologists, states are coordinating investigations, and companies are realizing that consent banners and privacy policies alone can’t shield them from lawsuits. As privacy becomes both a compliance requirement and a competitive differentiator, organizations need operational proof that consent is being honored – continuously, not occasionally.
That theme ran through every session, every conversation, and every stop at the Sentinel Insights booth. From the IAB Salon on Wednesday to the CPPA’s keynote on Friday, the message was the same: compliance now demands evidence, not just policy.
The IAB Salon: Privacy Moves Into Continuous Operation
Before PSR officially began, the IAB’s Salon sessions offered an early signal of how regulators and enterprises are thinking about operational privacy. The discussions set a pragmatic tone: less theory, more execution.
Continuous Testing Becomes the Standard.
Speakers emphasized that compliance isn’t a quarterly event; it’s a living process. The summary from a key speaker: “Contract. Oversight. Assessment. Audit.” In other words, don’t deploy once and walk away. Continuous validation is now expected.
Investigations Are Technical.
Attendees heard directly from regulators who now employ engineers capable of replaying website sessions and reviewing tag behavior. Privacy investigations are now driven by legal analysis and backed by code-level evidence.
Proof Over Policy.
Several speakers reiterated a simple truth: policies don’t protect companies, performance does. Regulators judge what actually happens on a site, not what’s written in a privacy statement.
Those insights reflected a broader market shift. Privacy and legal teams are now collaborating with marketing and IT to build defensible systems – tools that can demonstrate that consent decisions are respected in real time.
Enforcement at the Forefront
When Tom Kemp, Executive Director of the California Privacy Protection Agency, took the stage for his keynote, his message reinforced what many already suspected: enforcement is here to stay… and it’s getting smarter.
He shared how the CPPA is building dedicated technical and policy teams to make privacy easier to implement for both businesses and consumers. In his words:
“What good is privacy if businesses can’t implement it?”
Kemp outlined upcoming enforcement priorities:
- The Delete Request and Opt-Out Platform (DROP) launching in 2026, a centralized way for Californians to delete or opt out of data sharing across hundreds of data brokers.
- Mandatory browser-level opt-out signals by 2027, under the new California “Opt-Out Act.”
These initiatives signal a clear shift toward real-time accountability. The CPPA and the California Attorney General’s Office are already coordinating investigations, publishing advisories on dark patterns and data minimization, and reviewing whether companies truly honor Global Privacy Control (GPC) signals.
For organizations, this means enforcement will no longer rely on consumer complaints alone. Regulators have the tools, data, and collaboration networks to find violations independently. You can’t ignore this anymore.
From Audits to Monitoring
That enforcement mindset matched what privacy professionals told us at the Sentinel booth. Nearly everyone we spoke with, from legal counsel to data governance leads, shared the same pain point: periodic audits can’t keep up with how fast their businesses move.
Many teams still rely on monthly or quarterly scans, even as websites update tags and pixels daily. One privacy lead put it succinctly:
“We don’t need another report; we need a signal we can trust.”
This is where Sentinel’s approach resonated. Our Consent Governance Platform continuously monitors every tag, on every page, for every user. It verifies that consent settings from your CMP are actually being honored in the browser – the same way regulators now test for compliance.
This real-time verification model reflects what Tom Kemp called “operationalizing privacy.” As companies adapt to faster product cycles and increasing regulatory expectations, continuous governance is the only defensible approach.
Practitioners at the Core
One of the strongest reactions we saw at PSR came from how Sentinel Insights presents itself: as a platform built by practitioners.
Our founding team came from the same MarTech, compliance, and analytics environments that today’s privacy officers navigate. We’ve worked inside enterprise tag management systems, built marketing data integrations, and dealt with the messy intersection between marketing, IT, and legal teams.
That hands-on perspective showed in our conversations. Attendees appreciated that Sentinel speaks the language of both marketing and compliance – connecting technical enforcement with legal accountability. The ability to “see what’s really happening” behind a consent banner, and to validate that signals fire as intended, addressed a real gap for teams under increasing pressure to produce evidence.
This practitioner-led design is what allows Sentinel to detect and alert on live consent violations in minutes, turning an invisible risk into actionable information.
Privacy as a Competitive Advantage
Another theme that emerged throughout PSR was optimism. Companies are beginning to see that privacy, when operationalized correctly, is as much about earning trust as it is about avoiding risk.
Teams are realizing that when legal, marketing, and IT collaborate, privacy becomes a business enabler. A verifiable consent framework does more than reduce exposure; it signals transparency and strengthens customer relationships.
As one session noted, “Privacy maturity is becoming a differentiator.” In industries where user trust drives retention, having a demonstrable, auditable consent process can directly impact ROI.
For many enterprises, that shift is already underway. They’re investing not only in technology, but also in training and cross-functional processes to ensure compliance at scale. Sentinel’s role is to give those teams the proof they need to operate with confidence and to show that governance can create real business value.
A Connected Community
Beyond the sessions and the demos, PSR reminded everyone how connected this industry is. Privacy professionals, from regulators to engineers, are building a field that values collaboration over competition.
We left San Diego energized by that community spirit. Whether through partnerships, peer learning, or shared innovation, it’s clear that progress in privacy governance depends on open dialogue. And we at Sentinel Insights are proud to be part of that conversation.
IAPP PSR 2025: The Shift to Proof
Across every conversation, one truth stood out: compliance without visibility is no longer credible. Regulators are building the tools to verify consent enforcement. States are sharing data. And enterprises are looking for operational proof that their policies work in practice.
PSR 2025 confirmed that privacy has entered its operational era — one defined by evidence, collaboration, and continuous validation.
Sentinel Insights is built for that reality.
Every user. Every tag. Always on.
What’s Next
See your site the way regulators do. Book a verification call today.
Read more from the IAPP: CPPA executive director discusses enforcement priorities, helping consumers exercise their rights
