The regulatory reckoning
In 2018, the GDPR came into force and the adtech industry held its breath. Then it carried on largely as before. Consent banners appeared. Cookie walls multiplied. The letter of the law was observed. The spirit was ignored. Data continued to flow through the same supply chains to the same brokers for the same purposes.
That window is closing. Enforcement is accelerating. The Belgian Data Protection Authority ruled real-time bidding unlawful. The French CNIL fined Google and Meta hundreds of millions for consent violations. The ePrivacy Regulation, when it arrives, will tighten the rules further. Each enforcement action narrows the space in which surveillance advertising can operate.
Consent fatigue is a design failure
The average European internet user encounters consent dialogs dozens of times per day. Most click accept without reading. Research from Ruhr University Bochum found that fewer than 3 percent of users engage meaningfully with cookie consent interfaces. The mechanism that was supposed to give people control has become a source of annoyance that achieves the opposite.
This is not a failure of regulation. It is a failure of architecture. A system that requires individual consent for every data transaction across every website and every intermediary is structurally unworkable. The number of decisions exceeds any person’s capacity to make them. The result is blanket consent that means nothing, or blanket refusal that breaks functionality.
The architectural answer is to eliminate the need for the consent decision entirely. If data never leaves the device, there is no data transaction to consent to. The question disappears.
The GDPR’s hidden preference for on-device processing
The GDPR does not explicitly mention on-device processing. But its principles point toward it. Article 5 requires data minimisation. Article 25 requires data protection by design and by default. Recital 78 encourages measures that minimise the processing of personal data. On-device intelligence satisfies all three by ensuring that personal data is never transmitted or stored centrally.
Intent HQ’s architecture processes behavioural signals on the handset. The raw data stays on the device. What leaves is a privacy twin: a mathematical representation of behavioural patterns that contains no personally identifiable information. Under the GDPR framework, this represents the strongest possible position. The data is processed. The intelligence is generated. But no personal data is transmitted, stored, or shared.
The ePrivacy question
The forthcoming ePrivacy Regulation will tighten rules around access to terminal equipment, including mobile devices. Current drafts suggest that accessing data stored on a user’s device will require specific consent, with limited exceptions. Surveillance advertising, which depends on reading device identifiers, cookies, and installed app data, will face significant new constraints.
On-device processing inverts the relationship. Instead of a remote system accessing the device to extract data, the device itself processes its own data and produces an output that contains no personal information. The device is not accessed by a third party. The intelligence is produced by the device for the device owner’s benefit. This is a fundamentally different legal posture than surveillance advertising’s model of remote data extraction.
Beyond Europe: the global regulatory trend
The regulatory direction is not limited to the EU. Brazil’s LGPD, India’s DPDPA, South Africa’s POPIA, and the growing patchwork of US state privacy laws all point in the same direction: more constraints on data collection, more requirements for consent, and greater penalties for non-compliance.
Companies building on surveillance architectures face a compounding compliance burden. Each new jurisdiction adds requirements. Each new regulation adds constraints. The cost of maintaining compliance across a global surveillance infrastructure is rising faster than the revenue it produces.
Companies building on on-device architectures face a different landscape. Because no personal data is transmitted, most data protection requirements are satisfied by default. The compliance cost is structurally lower. The regulatory risk is structurally lower. The architecture is future-proof against regulations that have not yet been written.
The regulator as tailwind
For most of the digital advertising industry, regulators are headwinds. Every new rule constrains what they can do. For on-device behavioural intelligence, regulators are tailwinds. Every new privacy regulation makes surveillance advertising harder and makes privacy-preserving intelligence more valuable.
This is not a temporary advantage. The regulatory trajectory is clear and accelerating. The companies that align their architecture with that trajectory now will compound the advantage as each new regulation arrives. The companies that fight the trajectory will spend increasing resources defending a model that is structurally obsolescent.
Behavioural intelligence is more ethical than surveillance advertising. It is also more legally durable. The two properties are not coincidental. When your architecture respects people, it tends to respect the laws designed to protect them. When your architecture exploits people, regulation is a perpetual threat. The ethical position and the competitive position are the same position.