Last month at the CIMM (Coalition for Innovative Media Measurement) Summit 2025, Cadent’s VP of Legal & Head of Privacy, Camille Marcos Napa, joined general counsels and privacy leaders for a candid conversation titled Call Your Lawyer to discuss the tension between business growth and the legal challenges in ad tech. The panel, moderated by Tameka Kee of CIMM, also included Julie Rooney, Chief Privacy Officer at OpenX, and Alan Chapell of Chapell & Associates. The group explored AI governance, evolving state privacy laws, emerging regulatory risks, and why many promising data deals stall in legal review. Below are the key insights and moments that stood out.
The panel opened by exploring how organizations are experimenting with generative AI—but too often without formal oversight. According to McKinsey, 65% of respondents report their organizations now use generative AI regularly in at least one business function (up from about 33% the prior year). With AI usage becoming increasingly prevalent, businesses must establish guidelines and best practices for how to do so responsibly.
Camille emphasized the need to be pragmatic and cautious. Stating “even if your company hasn’t adopted AI tools internally, every company should have an AI policy because your employees are using them [...] at minimum you need to make sure that you’re protecting confidential information and making sure that your policy clearly states employees should not be inputting confidential information into these third-party platforms.”
Julie Rooney also drew up a helpful distinction in AI usage, that there’s AI that’s built internally into products and solutions and AI that’s adopted externally, and it’s important to note that the compliance rules differ for each. Camille shared that Cadent is “very careful about not recording or taking notes through these third-party tools when we’re holding sensitive meetings.” And when it comes to the business, “AI guardrails should be clear without “hold[ing] back innovation.”
In short, businesses can’t afford to ignore AI, but they must embed controls around data inputs, tool approvals, and meeting policies.
Of course, discussions on AI inevitably lead to questions on privacy, such as data collection, usage, and governance. And, as the conversation shifted in this direction, the topic of US state privacy regulation quickly surfaced.
“These laws are very new. Regulators are coming out with new guidance all the time on basically a monthly basis. [...] Don’t assume that because I told you something was ok for this particular deal, you always can,” cautioned Julie—a fair warning when you consider that in 2024 alone, seven new states passed comprehensive privacy laws, bringing the total to 19 states with enacted comprehensive data privacy statutes. Understanding how to work with state legislation to reach audiences responsibly is a challenging undertaking that can, however, be assuaged by working with the right partners.
Cadent, Camille explained, addresses this challenge head-on by building the strictest state baseline from the start. The Cadent Platform supports state-level suppression, meaning Cadent can disable access or ad targeting in states where regulations or client preferences demand it.
The key takeaway: As states continue to diverge in how they define “personal data” and enforce compliance, companies must architect systems that can adapt to shifting regulatory landscapes.
As the conversation developed, panelists were invited to explore emerging trends, regulations, and what organizations should keep top of mind, including:
Camille reiterated that Cadent offers solutions that are privacy-safe, that do not leverage HIPAA-regulated data, to help the industry reach audiences while honoring privacy compliance and state regulations. Julie urged the continued monitoring of youth and fairness laws. As regulation corners tighten, the importance of resilient and sober data design becomes non-negotiable.
The final segment covered why deals die in legal. Julie elegantly boiled it down to a litmus test: “if you can’t answer, ‘what data fields are exchanged and what’s each side doing with them’ — legal can’t approve it.”
Alan offered that deals often fail legally by not speaking the language: workflows, data lineage, and purpose. He praised those who internalize the “privacy playbook” and gave a shoutout to John Sedlak, a seasoned and prominent figure in ad tech, who is among the few that build deals around compliance rather than on data alone.
As for Camille, she shared that “I come from a place of: how can we make the deal work? It’s built in that mindset.” From her perspective, legal should be a collaborator, not a gatekeeper. If teams bring clear data flows and purposes from the start, legal becomes an enabler.
If you found this summary useful, take a moment to watch the complete Call Your Lawyer panel for more details and context. Watch the full discussion here.