Posts

EU AI Act Compliance in 2026: Deadlines, Fines and the Four Risk Categories Explained

Image
  Artificial intelligence is now regulated law in Europe, and many businesses are further behind than they realise. The EU AI Act entered into force on 1 August 2024 as the first legal framework built entirely around AI. Its rules arrive in stages, and some of the most important ones already apply. The four risk categories The Act sorts every AI system into one of four tiers, and your obligations depend on where your systems land. Unacceptable risk systems are banned outright. Since 2 February 2025, the EU prohibits AI that manipulates people into harm, exploits vulnerable groups, runs social scoring for public authorities, scrapes facial images from the internet, or reads emotions in workplaces and schools. High-risk systems are allowed, with strict conditions. This tier covers AI used in hiring, credit scoring, education, critical infrastructure, law enforcement and border control. Providers must complete conformity assessments, keep detailed technical documentation, register...

AI Governance Basics: What It Is, Which Rules Apply, and How to Start

Image
  Artificial intelligence now sits inside hiring tools, credit checks, chatbots and marketing platforms. Yet many organisations use these systems without any structure for managing the risks they create. That structure has a name: AI governance. What AI governance means AI governance is the set of internal policies, roles and checks that guide how an organisation builds, buys and monitors AI. It covers the full life of a system, from the data used to train it through to how its outputs are reviewed once it is live. The central idea is accountability. Someone must be able to answer for what each system does. It is worth separating governance from regulation. Regulation is imposed from outside by law. Governance is what an organisation builds internally, and good governance usually goes further than the legal minimum. The rules that now apply The most important law in this area is the EU AI Act. According to the official implementation timeline published at artificialintelligenc...

Mobile App Compliance in 2026: GDPR, CCPA and App Store Rules Explained

Image
Mobile app compliance means meeting the legal and technical rules that govern how your app collects, uses, and stores personal data. In 2026 that covers privacy laws such as GDPR, CCPA, and LGPD, and also the frameworks Apple and Google enforce through their app stores. Getting it wrong risks fines, store removal, and advertising data you cannot legally use. Which laws apply to your app The laws that apply depend on where your users are, and this catches many app owners out because a company registered in one country can still owe duties in many others. If you have users in the EU or UK, GDPR requires explicit opt-in consent before non-essential data processing, and consent must be specific to each purpose.  If you have users in California, CCPA gives them the right to opt out of the sale or sharing of their data, and since 2026 businesses must confirm they have processed opt-out requests, including Global Privacy Control signals. Brazilian users fall under LGPD, and several ...

What Is a Mobile Application SDK and What Does It Do With User Data?

Image
If you own or manage a mobile app, third-party SDKs are almost certainly inside it. Understanding what they are and what they collect is now a basic requirement for running an app legally. What an SDK actually is A mobile application SDK is a pre-built software toolkit that developers add to an app to get specific functionality without building it from scratch. Analytics, advertising, crash reporting, and payments are the most common uses.  A typical SDK contains an initialisation module that activates when the app loads, an API layer that connects to the provider's service, a data collection module, and a logging component. People often mix up SDKs and APIs. An API is a set of rules that lets two systems talk to each other. An SDK is a bigger package that usually contains APIs along with libraries, sample code, and documentation.  An SDK saves development time, but it also brings a third-party dependency into your app that needs ongoing management. What SDKs collect Eac...

Google Consent Manager: How It Works With Google Ads and GA4

Image
  If you run Google Ads or track visitors with GA4, a cookie banner alone does not tell Google anything. Google Ads and Analytics need structured consent signals, and a standard banner does not send them. This is what a Google consent manager actually does. It is the layer that sits between your visitor's choice and your Google tags, translating "accept" or "reject" into signals Google can read. The four signals that matter Google's Consent Mode covers four parameters: ad_storage , analytics_storage , ad_user_data , and ad_personalization . The first two have existed since the original Consent Mode launch and control advertising and analytics cookies. The other two were added in November 2023, according to Google's developer documentation, and specifically govern whether Google Ads can personalise ads or match Enhanced Conversions using hashed customer data. Basic versus advanced implementation Google offers two ways to run Consent Mode. Basic mod...

How to Make a Mobile App GDPR Compliant: A Complete Checklist

Image
  If your mobile app collects any personal data from users in Europe, GDPR applies to you, regardless of where your company is based or how large it is. Many app owners assume GDPR is a website issue. It is not. Mobile apps often collect more personal data than websites, through location tracking, device identifiers, contact lists and behavioural logs. Here is what GDPR compliance actually requires in practice. Start with consent. GDPR requires consent to be freely given, specific, informed and unambiguous. That means no pre-ticked boxes, no bundled permissions, and a separate opt-in toggle for each purpose you process data for. Present Accept and Reject with equal visual weight so neither option is designed to be harder to find. Build a proper privacy policy. It should name your data controller, list every type of data you collect, explain your legal basis for processing it, and set out user rights, including access, correction, deletion, restriction, portability and objectio...

GA4 Server-Side Tracking: How to Stop Losing Conversion Data to Ad Blockers

Image
  If your Google Analytics 4 reports show fewer conversions than your CRM, you are not looking at a reporting quirk. You are looking at a data gap — and it is caused by something most marketing teams do not see coming. Ad blockers affect between 25 and 40 percent of web traffic, depending on the industry and device type. Every blocked request is a conversion event your analytics never receives.  Browser privacy tools like Safari's Intelligent Tracking Prevention (ITP) compound the problem further by capping the lifespan of JavaScript-set cookies at just seven days. If a customer converts eight days after their first visit, that attribution gets lost entirely. Why Client-Side Tracking Has a Structural Weakness Client-side tracking works by running JavaScript tags directly in the user's browser. The browser then sends the event data to Google Analytics 4. This approach is simple to set up and has worked for years — but browser privacy controls now sit directly in its path. A...

Mobile App Compliance for iOS and Android: What Every App Owner Needs to Know in 2026

Image
  If you own or manage a mobile app, privacy compliance has changed significantly in the past two years. Regulators are no longer satisfied with a privacy policy page buried in your settings. They want to see how your app actually handles data at the moment of collection, and app stores have added their own requirements on top of that. This post covers what mobile app compliance means in 2026, which regulations apply, what a proper consent flow looks like, and where most apps fall short. Which Regulations Apply to Your App The regulations that apply depend on where your users are located, not where your company is registered. If your app has users in the EU or UK, GDPR applies. This regulation requires explicit opt-in consent before you collect data for non-essential purposes like analytics or advertising. Pre-ticked boxes and bundled consent do not meet the standard. If your app has users in California, CCPA gives those users the right to opt out of the sale or sharing of ...

Why B2B Advertisers Are Losing Microsoft Ads Data (And What Consent Mode Does About It)

Image
  If your Microsoft Ads campaigns target visitors in the EEA, UK, or Switzerland, there is a specific compliance step that has been mandatory since May 5, 2025. Without it, a portion of your conversion data goes unrecorded, your smart bidding operates on incomplete information, and your remarketing lists may include users whose data was collected without valid consent. That step is Microsoft Consent Mode. This article explains what it does, why it matters specifically for B2B advertisers, and how to get it working without a technical team. What Microsoft Consent Mode Does Microsoft Consent Mode connects your UET tag to each visitor's consent decision. The tag reads a signal from your Cookie Consent banner, specifically the ad_storage parameter, and adjusts its behaviour accordingly. When a visitor accepts cookies, UET records the full conversion event as normal. When a visitor declines, UET switches to cookieless mode and sends only anonymised, aggregate signals. No individua...

Why the iOS Tracking Prompt Timing Affects Your Ad Revenue More Than You Think

Image
Apple's App Tracking Transparency framework put a hard gate in front of IDFA access. The user permission prompt is now mandatory for every iOS app before cross-app tracking begins. Most development teams shipped the minimum viable implementation and moved on. The revenue effect of that decision took a few quarters to show up clearly. When users decline, ad platforms switch to modelled attribution. They use statistical inference about cohorts rather than real signal from individual users. Audience targeting becomes less accurate. Budget allocation drifts toward average users rather than high-value ones. ROAS numbers look stable until they don't. What the pre-prompt actually changes Apple's system dialog is fixed. Two options, standard wording, no customisation. What happens before it appears is entirely up to the developer. A pre-prompt screen — shown before the Apple dialog — can explain what tracking enables for that specific user. Not legal language. Not vague assurances....