The ultimate guide to privacy-first marketing

Digital Privacy is nothing new, but it’s a contentious and complex problem which has been the subject of a lot of debate for the past few years.

Many of these debates have finally been put to rest by clarifications from regulatory bodies, decisions handed down by the courts, and large tech companies taking a more proactive stance.

However, we still regularly come across businesses who are failing compliance checks. Fortunately, the cause is increasingly misunderstanding rather than an attempt to find workarounds or loopholes.

In this guide I’m going to explore the digital privacy landscape in 2023, the essentials to get right, and the things to keep an eye on over the next year or so.

Please remember: this guide is intended as guidance only and does not represent legal advice; always get input from your Data Protection Officer.

The Digital Privacy Landscape in 2023

The EU’s General Data Protection Regulation (GDPR) was announced back in 2016 and took effect on 25 May 2018 – nearly five whole years ago!

Since then, countries around the world have begun rolling out their own digital privacy legislation – the California Consumer Protection Act (CCPA) in the United States and the Brazilian General Data Protection Law (LGPD) to name just two examples.

Statistics published in 2021 by the United Nations showed that 71% of countries have relevant legislation in place and a further 9% are in the process of drafting legislation.

Source: UNCTAD 14-Dec-2021

This means that no matter where your business is based or where you sell your products and services, you either are subject to a digital privacy law already or soon will be.

For this guide, I will be focusing on the GDPR, which applies to the UK, EU, and EEA (European Economic Area), as this is still very much the gold standard.

While this legislation has been in force for almost half a decade, there has perhaps been as much effort spent trying to circumvent it – either by technological means or legal justifications – as adhering to it. The result is that many businesses are still falling short, and a steady stream of fines is being issued by courts and regulators across Europe.

Let’s not forget the size of the prize here – failure to comply with the GDPR is punishable by a fine of up to €20M or 2% of global turnover, whichever is the larger of the two figures.

So, if the stakes are so high, why are so many businesses falling short?

In some cases, businesses are accepting these potential fines as acceptable risk. They believe they have a valid legal argument for considering their tracking to be compliant, and are willing to test that argument in the courts if challenged.

But, far more commonly, there is confusion around what is required or how to implement it correctly. Many businesses we speak with who fail a compliance check simply don’t realise their tracking doesn’t meet the required standard.

So, let’s look at some of the most common areas where we see mistakes or misunderstanding.

Where are people still falling down?

Analytics is not strictly necessary

One of the earliest debates to spring up after the GDPR was announced was whether we could justifiably consider digital analytics tools, such as Google Analytics, to be strictly necessary.

After all, we use this data to understand the state of the business, how our marketing is performing, to attract new customers, and ensure we’re serving them the best possible experience – that sounds pretty necessary, right? Sadly not.

The GDPR is pretty explicit on this point, so it’s a wonder this was ever truly a debate. In short – if you can remove it from the website and still fulfil its primary purpose (e.g. selling shoes or providing news articles) then you must gain the consent of your users.

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

Source: gdpr-info.eu

To put the debate to bed, the UK’s Information Commissioner’s Office (ICO) provided this clarification (emphasis mine):

The ‘strictly necessary’ exemption means that storage of (or access to) information should be essential, rather than reasonably necessary. It is also restricted to what is essential to provide the service requested by the user. It does not cover what might be essential for any other uses that you might wish to make of that data. It is therefore clear that the strictly necessary exemption has a narrow application.

Source: ico.org.uk

Consent must be opt-in

It is important to understand that the GDPR requires informed and active consent to be obtained for tracking purposes.

An opt-out or terms of service approach, whereby continued use of the website or mobile app constitutes consent, cannot meet this requirement.

In fact, Ireland’s Data Protection Commission recently ruled against Facebook for use of a terms of service approach to consent for targeted advertising on its own platform.

Source: dataprotection

You must comply relative to your users’ location

The GDPR does not apply only to businesses based within the UK, EU, and EEA, or to websites which target those markets – it applies to the residents of those markets, wherever the website serving them is based.

This means that if you have a website targeting the US market but you have traffic from the UK, you must comply with the GDPR for that UK-based traffic or otherwise prevent it from arriving.

My advice is to embrace the spirit of these regulations, not just the letter of them – request consent of all traffic, regardless of where it’s coming from, and use a good Consent Management Platform (CMP) to target consent messaging appropriately.

Consent requests and tagging need to be aligned

This might sound obvious, but is the biggest point of failure we’re seeing right now.

In some cases, your Consent Management Platform (CMP) will block cookies and/or tracking requests automatically until the user has given consent. In many others, the blocking has to be implemented manually: your tags must only fire once a data layer update from the CMP signals that consent has been given.

Generally, we’d recommend working on the assumption that you are in the second group, just in case – it’s always best to err on the side of caution and verify that no tag fires before the consent signal arrives.

And watch out for those hard-coded tags!

Ideally, we’d all be using tag management for all tagging now, but I know some websites still have a bit of both going on. Don’t forget that if you do still have hard-coded tags, you’ll need to adjust those too.

How to get digital privacy right? Put yourself in control

Consent Management Platforms (CMPs)

I’ve mentioned CMPs a couple of times already, but they are absolutely critical to getting things right – after all, digital privacy is all about consent.

While we’ve seen some consolidation in the market, there are still loads of options to choose from when looking for a CMP and what works for one business may not be such a good fit for others.

A few of the key considerations include:

Consent Mode for Google Tags

Google provides a consent API for gtag which allows you to pass the user’s consent preferences to Google tags.

When you use this API, the behaviour of tags will change to improve their compliance with some privacy requirements.

For a full overview of all the changes possible with Google’s Consent Mode, check out this help page.

The broad principle here is that the GDPR prevents us from identifying users without consent, but it does not prevent every form of measurement of our websites and mobile apps.

Or, to put it another way, if you remove all identifiers (or at least their persistence) this complete anonymity should make the data collection compliant.

However, whether these changes go far enough to meet that threshold is still a matter of debate right now, so do be sure to get the view of your Data Protection Officer before implementing this.

If you get the go-ahead, there are some benefits to be had. For example, Google Analytics 4 (GA4) will use consent mode hits to generate modelled data in an attempt to backfill the gaps created through lack of consent.
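The two points above (tags must fire only after the CMP’s data layer signal, and Consent Mode must reflect the same decision) come together in one place. The following is an added example, not code from the original post or from Google: a small consent gate that pushes denied defaults, registers non-essential tags (hard-coded ones included) in a queue, and releases them in the same step that sends the Consent Mode update. `dataLayer`, `gtag` and the consent signal names are the real Google Tag conventions; the CMP decision shape `{ analytics, marketing }`, the `registerTag`/`applyCmpDecision` functions and the `G-XXXXXXX` measurement ID are assumptions and placeholders for this example.

```javascript
// Added example, not code from the original post: a consent gate that keeps
// Google Consent Mode signals and tag firing in step with the CMP's decision.
// dataLayer/gtag and the signal names follow the real Google Tag snippet; the
// CMP decision shape { analytics, marketing }, registerTag/applyCmpDecision
// and the G-XXXXXXX measurement ID are assumptions/placeholders.

const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Every signal starts denied; nothing below may flip it except a CMP decision.
const consentState = {
  analytics_storage: 'denied',
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
};

// 1. Defaults must be pushed BEFORE gtag.js / GTM loads. wait_for_update gives
//    the CMP (in ms) a chance to restore a stored choice before hits are sent.
gtag('consent', 'default', Object.assign({ wait_for_update: 500 }, consentState));

// 2. Non-essential tags, hard-coded ones included, register here instead of
//    running at page load. They fire only once their signal is granted.
const pendingTags = [];
const firedTags = [];

function registerTag(name, requiredSignal, fire) {
  if (!(requiredSignal in consentState)) {
    throw new Error(`unknown consent signal ${requiredSignal}`);
  }
  if (consentState[requiredSignal] === 'granted') {
    fire();
    firedTags.push(name);
  } else {
    pendingTags.push({ name, requiredSignal, fire });
  }
}

// 3. One function handles the CMP decision, so the Consent Mode update and
//    the tag queue are always changed together and cannot drift apart.
function applyCmpDecision(decision) {
  const update = {
    analytics_storage: decision.analytics ? 'granted' : 'denied',
    ad_storage: decision.marketing ? 'granted' : 'denied',
    ad_user_data: decision.marketing ? 'granted' : 'denied',
    ad_personalization: decision.marketing ? 'granted' : 'denied',
  };
  Object.assign(consentState, update);
  gtag('consent', 'update', update);

  // Release queued tags whose signal is now granted; the rest stay queued.
  for (let i = pendingTags.length - 1; i >= 0; i--) {
    const tag = pendingTags[i];
    if (consentState[tag.requiredSignal] === 'granted') {
      pendingTags.splice(i, 1);
      tag.fire();
      firedTags.push(tag.name);
    }
  }
  return { ...consentState };
}

// Inspection helpers (handy for a compliance self-check in the console).
function getConsentState() { return { ...consentState }; }
function pendingTagNames() { return pendingTags.map((t) => t.name); }
function firedTagNames() { return firedTags.slice(); }
function consentCommands() {
  return dataLayer.filter((args) => args[0] === 'consent').map((args) => args[1]);
}

// Demo: a GA4 config tag plus a hard-coded ads pixel, then a CMP decision that
// accepts analytics but rejects marketing. Only the GA4 tag should fire.
registerTag('ga4_config', 'analytics_storage', () => gtag('config', 'G-XXXXXXX'));
registerTag('ads_pixel', 'ad_storage', () => gtag('event', 'conversion'));
applyCmpDecision({ analytics: true, marketing: false });
console.log('fired:', firedTagNames(), 'pending:', pendingTagNames());
```

The useful check here is the last line: after a partial decision the ads pixel must still be in the pending list and the data layer must contain exactly one `default` and one `update` consent command. If a tag shows up as fired before any CMP decision has been applied, it is one of the hard-coded tags the post warns about and needs wrapping in `registerTag`.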

Server-side tag management

Tag management is the use of software to control what tags we deploy on our website and the data those tags collect.

Most tag management is client-side, meaning that the software runs in the user’s browser. Essentially, it’s a tag that decides what other tags are loaded.

Server-side tag management takes things a step further and moves the tags onto a server. This offers benefits in many areas, including site performance, security, and privacy.

From a privacy perspective, the key here is greater control over the data that is collected by our tags.

For example, if I deploy a purchase tag on a website I might choose to send the purchase ID and the revenue generated, but the tag may also decide to collect the user’s browser type and IP address without my knowledge, and this may cause privacy issues.

With server-side tagging, the vendor’s tag runs on my server rather than in my customer’s browser, so it can only collect the data I explicitly provide it with. Big win!
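To make the purchase-tag scenario concrete, here is an added example (not the original post’s code, and not any vendor’s tag template) of the forwarding step inside a server-side container: the browser’s event arrives at our own server, and only the fields on the tag’s allow-list, with the expected types, travel on to the vendor. The tag config, field names, the `vendor.example` endpoint and the sample request are constructed assumptions for this example.

```javascript
// Added example, not the original post's code: the forwarding step of a
// server-side purchase tag. Only allow-listed fields leave our server; the
// tag config, field names, endpoint URL and sample request are constructed
// assumptions for this example.

const tagConfigs = {
  purchase: {
    requiredSignal: 'analytics_storage',
    endpoint: 'https://vendor.example/collect', // placeholder vendor endpoint
    // Allow-listed fields and the type each must have to be forwarded.
    fields: { transaction_id: 'string', value: 'number', currency: 'string' },
  },
};

// Constructed sample of what reaches the server container: the event body,
// transport metadata the server sees anyway, and the consent state relayed
// from the client-side consent gate.
const sampleRequest = {
  headers: {
    'user-agent': 'Mozilla/5.0 (constructed sample)',
    'x-forwarded-for': '203.0.113.42',
  },
  body: {
    event: 'purchase',
    transaction_id: 'T-1001',
    value: 49.99,
    currency: 'GBP',
    email: 'user@example.com',
    client_id: '123.456',
  },
  consent: { analytics_storage: 'granted', ad_storage: 'denied' },
};

// Build the outbound vendor request for one incoming event. Returns null when
// the event carries no grant for the signal the tag needs, so a bypassed
// client-side gate still cannot leak data.
function buildOutboundRequest(request) {
  const { event, ...fields } = request.body;
  const cfg = tagConfigs[event];
  if (!cfg) return null; // unknown event: nothing is forwarded
  if (!request.consent || request.consent[cfg.requiredSignal] !== 'granted') return null;

  const body = {};
  const dropped = [];
  for (const [key, value] of Object.entries(fields)) {
    const expectedType = cfg.fields[key];
    if (expectedType && typeof value === expectedType) body[key] = value;
    else dropped.push(key); // not allow-listed or wrong type: never forwarded
  }
  // request.headers is deliberately never read: IP address and user agent
  // stay on our server, which is the privacy gain the text describes.
  return { url: cfg.endpoint, method: 'POST', body, dropped };
}

// Self-check: does an outbound request contain anything outside the allow-list?
function leaksOutsideAllowList(outbound, event) {
  const allowed = Object.keys(tagConfigs[event].fields);
  return Object.keys(outbound.body).some((k) => !allowed.includes(k));
}

console.log(JSON.stringify(buildOutboundRequest(sampleRequest), null, 2));
```

The `dropped` list is worth logging in a real container: it shows exactly which fields the client tried to send that were stopped at the server (here the e-mail address and client ID), which is the evidence a DPO will ask for when reviewing the setup.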

Implications for digital marketers

The rise of predictive marketing

Compliance with digital privacy requirements essentially implements mandatory data sampling, as a section of our audience will no longer be counted.

This has a material impact on targeted advertising, as it becomes much more difficult to identify individuals and target them with relevant messaging.

Precision marketing is dead, long live predictive marketing!

Predictive marketing, much like predictive analytics, is all about using your data to make accurate predictions about future customer behaviour.

Examples include identifying which users may be likely to buy from you in the next week or which existing customers may lapse.

At its heart, predictive marketing is about making the most of the data we do have and optimising performance to compensate for the reduction in granular targeting opportunities.

How can you get started with predictive marketing?

Anything with the word “predictive” in it can feel a little daunting, especially if you’re a small business without access to an army of data scientists, but it may not be as out of reach as you think.

The key to predictive marketing is the same as any other data challenge: have a clear, manageable plan and ensure your data foundations are solid.

If you make your project too complex, you increase the risk of it failing and the amount of time you’ll be waiting to get value from it. Identify the steps and make sure you bank the wins along the way.

Google Analytics 4 to the rescue

Yes, that’s right – Google Analytics 4 (GA4) is your friend here.

The requirement to start from scratch may feel arduous now, but it’s an opportunity to shore up shaky foundations and deal with legacy issues that never quite make it to the top of the roadmap.

Google has also made AI a big focus for GA4, with features such as anomaly detection, predictive audiences, and modelled data already at the heart of the platform. You can read more about these in our GA4 guide here.

And, finally, the opening up of BigQuery exports to all properties enables those further along their predictive journey to plug their GA4 data into custom ML pipelines and third-party tools.

BigQuery ML even allows you to create ML models using just SQL and now includes AutoML tables, powered by Google’s Vertex AI suite of tools.

-- Train a linear regression model that predicts the tip amount from trip
-- attributes. SUBSTR(..., 12, 2) on the timestamp string picks out the hour
-- of the pickup and dropoff. Replace <your_dataset> with your own dataset.
CREATE OR REPLACE MODEL <your_dataset>.nyc_yellow_taxi_tip
OPTIONS
  (model_type='linear_reg',
   input_label_cols=['tip_amount']) AS
SELECT
  tip_amount,
  SUBSTR(CAST(pickup_datetime AS string), 12, 2) pickup_datetime,
  SUBSTR(CAST(dropoff_datetime AS string), 12, 2) dropoff_datetime,
  passenger_count,
  trip_distance,
  rate_code,
  fare_amount,
  pickup_location_id,
  dropoff_location_id
FROM
  `bigquery-public-data.new_york_taxi_trips.tlc_yellow_trips_2018`;

Things to watch in 2023

Consent Mode for Google Tags

As I mentioned above, there is some debate over whether Consent Mode goes far enough in helping us comply with the privacy legislation and whether there is more we can and should expect.

I fully expect this debate to continue well into 2023, and there may be some changes to this feature as a result.

For now, I believe it to be a useful part of our privacy arsenal and is worth investigating with your DPO.

US-EU data transfer agreements

Way back in 2020, the European Court of Justice (ECJ) ruled that the existing US-EU data transfer agreement, Privacy Shield, was inadequate as it did not provide sufficient safeguards for data of EU citizens from surveillance by US intelligence agencies.

This pretty major announcement got a little drowned out by the ongoing global pandemic, so it’s passed a lot of us by. In short, it means that personal data cannot legally be transferred to the United States without explicit, individual data transfer agreements in place.

This essentially makes the majority of digital analytics and advertising technologies illegal in markets governed by the GDPR, and we’ve been somewhat protected until now by the ongoing legal challenge.

But don’t panic! Google Analytics 4 provides greater safeguards, including regional controls and EU-based data collection. You can read more on these here.

We also expect Privacy Shield 2.0 to arrive fairly soon – a draft was announced in March 2023 by Presidents Biden and von der Leyen, following an Executive Order in October last year to address some of the concerns.

Digital privacy isn’t simple, but the principle at its heart is – informed consent must be obtained before tracking individuals online.

The biggest hurdle is needing to comply with multiple regulations simultaneously, so get a Consent Management Platform you can trust to tackle that for you.

Then, if you implement tools that put you in the driving seat and take a consent-first approach to digital marketing, you can focus your efforts where it really matters – predictive marketing.

If you need any help or advice on your predictive marketing journey, we’d love to hear from you.