Skip to content

As privacy laws become stricter, achieving and maintaining compliance with the major data privacy regulations, like the General Data Protection Regulation (GDPR), and large tech platforms’ requirements resulting from the Digital Markets Act (DMA), is essential for marketers who want to gain in-depth insights, deliver personalized experiences, and win their customers’ trust.

To help you choose cookie tracking software that will meet your data privacy needs in 2025 and beyond, we’ve curated a list of tools that can deepen your understanding of user behavior while simultaneously navigating the complexities of major data privacy laws.

Our picks of the top cookie tracking software:

Software Key feature Recommended for Price*
Usercentrics Granular preference management: Provide users with the option to accept or reject a range of different cookies on one notice with just a few clicks. Businesses of any size: SMB to enterprise From USD 60/month

30-day free trial available

Cookie Information Daily and weekly scans: Get regular updates about all the cookies on your website. Medium-sized businesses From EUR 15/month

30-day free trial available

CookieFirst Re-consent: Increase opt-in rates by setting goals for returning visitors. Solopreneurs managing a single domain From EUR 9/month

Free tier available

2-week free trial

CookieYes WordPress plugin: Add CookieYes to your WordPress website in just a few clicks with the purpose-built plugin. Small businesses From EUR 10/month

Free tier available

Free 14-day trial

Axeptio Conversational UI: Incorporate friendly characters into cookie banners to create empathy and goodwill with users. Businesses needing a low-code solution From USD 29/month

Free tier available

Complianz Easy wizard: Get step by step guidance when setting Complianz up on your website. Businesses using WordPress From USD 59/month

30-day money-back guarantee

Termly Cookie Policy Generator: Generate one free cookie policy for your website. SMBs looking for a budget solution From USD 10/month

Free tier available

*As of July 2024

Why should you keep track of cookies?

Tracking cookies enable you to collect data about users — including visitor demographics, preferences, and behavior patterns — so that you can tailor your website content to enhance the user experience and increase engagement.

Read about tracking cookies now

It’s not all about improving performance, though. First- and third-party cookies are a cornerstone of online advertising. However, as a data controller — the party responsible for the collection and processing of personal data — you must get explicit and prior consent from data subjects (visitors whose personal data is being collected by cookies) before loading any tracking cookies. This is a requirement for most of the major data privacy regulations.

Failing to meet the requirements of these laws can lead to hefty fines, damage your business’s reputation, and potentially limit future opportunities for growth.

This is where cookie consent management software comes in. These tools make it easy to tell your website and app visitors what types of tracking software are present on your website, to offer them clear and granular options for cookie consent, and finally, to keep a detailed record of their consent, as required by regulations such as the GDPR.

We assessed eight of the top cookie tracking software platforms on the market. We scoured user reviews and considered their key features for managing cookie consent, options for customization, and breadth of integrations and supported languages, etc.

1. Usercentrics

An all-in-one consent management platform (CMP), Usercentrics helps businesses manage cookies and GDPR compliance. Trusted by more than 2.2 million websites and apps in 195 countries, the platform is a market leader in solutions for data privacy and privacy-led marketing.

Usercentrics’ cookie detection, categorization, and autoblocking functionality helps enable GDPR cookie consent as well as adherence to other major privacy regulations like the Digital Markets Act (DMA) requirements handed down by designated “gatekeeper” companies, and California Consumer Privacy Act (CCPA).

Usercentrics CMP also comes with the latest version of Google Consent Mode and the IAB TCF 2.2 integrated, helping meet Google’s latest requirements for publishers and advertisers.

Key features

Usercentrics pricing

Usercentrics offers a free 30-day trial, after which users can sign up for one of the following paid plans.

Pros Cons
Consent records stored on EU-based serversAnalytics data only available for 90 days
Automatically blocks third-party cookies
A/B testing

Recent Reviews

Read about shopify cookie banner now

2. Cookie Information

Cookie Information has a stated mission to help businesses collect valid consents to comply with privacy laws and build trust with their customers. The platform offers consent management for both websites and mobile apps but doesn’t offer A/B testing.

Key features

Pricing

Pros Cons
Plugin for WordPress availableNo A/B testing
Detailed consent rate insights
Google Certified CMP partner

3. CookieFirst

CookieFirst advertises a quick and easy signup to get users on their way to achieving GDPR compliance in minutes. Then the tool will scan your site for first- and third-party cookies, after which you can set up your settings and customize your cookie banner with just a few clicks. There is a free version, but you’ll only get a cookie banner in one language along with a one-off cookie scan.

Key features

Read about cookie policy now

Pricing

Pros Cons
Free tier availableNo app consent solution
Google Consent Mode and Google Tag Manager integrations
44+ languages supported

4. CookieScript

CookieScript is a self-hosted CMP with geotargeting that works across 250 countries and 50 US states. While the platform does store all consent records on servers in the EU, users will need to sign up for its Plus tier for access to all of its GDPR features, such as record-keeping for user consents and IAB TCF 2.2 integration.

Key features

Read about wix cookie banner now

Pricing

CookieScript’s pricing is determined by the number of domains that the CMP is added to. Subscriptions are priced per month, but you’ll be locked into a year-long contract.

Pricing for one to two domains is as follows:

Pros Cons
All data stored on EU serversAll GDPR tools only available on the most expensive plan
Ability to manage multiple websites from one dashboard
Transparent, per-domain pricing

5. CookieYes

CookieYes states that the company is trusted by more than 1.5 million businesses worldwide. After starting out as a WordPress plugin, their product has since become a fully fledged cookie consent solution. Despite its range of features, essentials like Global Privacy Control and geotargeting are only available on its two most expensive plans.

Key features

Pricing

CookieYes offers a 14-day free trial, after which users can sign up for a month-to-month or annual subscription. Plan prices are for a single domain:

Pros Cons
Available as a plugin for all major CMSAll plans limit page scans
Multilingual banner, in 30+ languages
Customer support is responsive (G2 users report)

6. Axeptio

Axeptio brings some levity to cookie consent management branding itself as fun and approachable, with fresh UX. The platform is designed to be a low-code consent management suite, making it perfect for teams with limited tech expertise or resources.

Key features

Pricing

Pros Cons
Single widget to manage all consentsCookie management only available in the Enterprise and Agency plans
Supports 25 languages
Live training and webinars

7. Complianz

Complianz is a native privacy suite for WordPress websites. Thanks to a setup wizard, it’s easy to set up. It also includes over 250 service and plugin integrations. While it does come with a cookie scanner, Complianz users have reported that it isn’t always accurate and doesn’t recognize third-party cookies.

Key features

Pricing

Complianz plans are priced per year.

Pros Cons
Includes setup wizardSelf-hosted only
30-day money back guarantee
WCAG and ADA compliant

8. Termly

Designed with small businesses in mind, Termly is an out of the box compliance solution that aims to help users stay up to date with major data privacy laws in more than 25 regions. The platform’s pricing is competitive, but it lacks some features and functions that larger businesses would need for it to be useful.

Key features

Pricing

Pros Cons
Supports IAB TCF 2.2 and Google Consent ModeOnly one domain included in the license
Automatic policy generation
Supports compliance with data privacy laws in 25+ regions

Choosing the right cookie tracking software is essential for staying compliant and building trust with your users. Here are the must-have features to look for:

The right cookie tracking software can help you to achieve compliance with the major data privacy laws without affecting the quantity or quality of insights you’re able to gain from tracking user behavior.

Usercentrics helps you ensure quality marketing insights and maintain personalization — while respecting user privacy and building trust.

The Usercentrics CMP is compatible with all your favorite marketing tools, enabling you to offer users a personalized experience on every platform and achieve privacy compliance with the GDPR, ePrivacy Directive, and Google’s EU user consent policy.

Read about wordpress cookie consent now

The information presented in this article is provided for educational purposes only. Engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations when evaluating solutions is always recommended. This information is accurate based on these publicly available sources as of the date of publication. Details about products, features, pricing, etc. may change over time.

When it comes to online privacy compliance, understanding the nuances between opt-in and opt-out consent is crucial for businesses and website owners. These concepts form the backbone of how personal information is collected, used, and shared online.

Different global privacy laws dictate the specific consent model to be used, impacting how website owners engage with their users. Some international companies may have to navigate both models, depending on where their customers are located and relevant regulations.

That’s why it’s vital to understand the differences between opt-in and opt-out consent, the regulatory requirements surrounding them, users’ rights, and best practices for implementing these models effectively.

Opt-out vs opt-in — what’s the difference?

Opt-in and opt-out are both ways of managing people’s consent for collecting, using, and disclosing their personal information online. However, they differ in how they work and the process they take to do so.

To know when a website owner should implement opt-in or opt-out measures, it’s important to understand the difference between the concepts and what each option seeks to accomplish.

What is opt-in?

Opt-in consent requires website visitors to actively and explicitly agree to the collection, use, or sharing of their personal data. Opt-in means website owners must ask for someone’s consent or permission before or at the time when personal data would be collected, like when a visitor arrives on a website.

Example of opt-in consent

Website owners may use this method to seek user consent for storing cookies, subscribing to marketing emails, or for other activities that collect users’ personal data.

For example, when creating an account on Amazon, users will need to fill in a form, provide their name, email address, and create a password. Below this is a section dedicated to communication preferences, and there’s an unchecked box with the following text:

“Yes, I want to receive personalized product recommendations and exclusive deals from Amazon. By checking this box, I agree to receive marketing emails. I understand I can unsubscribe at any time by clicking the link in the email or adjusting my account settings.”

To agree to this, users need to take action and check the box. It is not pre-checked.

By presenting this opt-in choice, Amazon ensures that customers who receive marketing communications have actively consented to do so, aligning with data protection regulations and respecting user preferences.

A common sight for consumers online in the European Union — and increasingly around the world — is consent banners that pop up when people arrive on websites for the first time (or after a long period when previous consent choices may have expired). These banners request consent for the use of cookies that collect personal data, which can include contact, financial, and order information for ecommerce transactions, or tracking of user behavior to improve website performance or marketing initiatives. This is also the opt-in model of consent in action.

 

Which global privacy laws require opt-in consent?

Several global privacy laws and frameworks mandate that website owners use an opt-in consent model. These include:

It’s important to note that while these laws generally require opt-in consent, the specific requirements and circumstances under which opt-in consent is necessary may vary. Some laws may have exceptions or different standards for certain types of data processing. Additionally, the implementation and enforcement of these laws can differ across jurisdictions.

The list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation. Generally, the opt-in consent model is the most common globally.

What is opt-out?

The opt-out consent model requires website owners to share that they collect personal data, how it is used, and other information, but they do not have to get explicit user consent before collecting or processing the data.

Individuals have the option to take specific action to refuse or withdraw consent at any time, however, for functions like the sale or sharing of their data, or its use for profiling or targeted advertising, depending on jurisdiction. Individuals are responsible for actively opting out if they wish to protect their data.

A common exception to this is when the personal data in question has been categorized as “sensitive”. This is data that can be extra harmful if misused and can include information like healthcare history, sexual orientation, financial information, religious beliefs, and more. The data of known children is also commonly categorized as sensitive by default. For sensitive data, prior consent (opt-in) is typically needed, from the parent or guardian in the case of children.

Example of opt-out consent

The California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA), provides a clear example of an opt-out consent model.

Imagine a popular ecommerce website that operates in California. Under the CPRA, this website can collect and use customer data for various purposes, including targeted advertising and sharing with third-party partners, without obtaining explicit consent upfront. However, the law requires the website to provide consumers with a straightforward way to opt out of these practices.

To comply, the ecommerce site must prominently display a “Do Not Sell or Share My Personal Information” link on its homepage and in its privacy policy. When a customer clicks this link, they are directed to a page where they can exercise their right to opt out of the sale or sharing of their personal information. The website must then honor this request and stop selling or sharing that customer’s data.

Also under the CPRA, companies that process sensitive personal data are required to implement a link reading “Limit the Use of My Sensitive Personal Information” to enable visitors to exercise their rights, or a “single, clearly-labeled link if such link effortlessly allows a consumer to opt-out of the sale or sharing of the consumer’s personal information and to limit the use or disclosure of the consumer’s sensitive personal information.”

Which privacy laws allow opt-out consent?

Multiple global privacy laws authorize website owners to use opt-out consent models. These include:

It’s important to note that while these laws generally permit opt-out consent, the specific requirements and circumstances under which opt-out consent is allowed may vary. Some laws may have exceptions or different standards for certain types of data processing.

Additionally, the list above covers the more well-known privacy regulations, but it is not exhaustive. Website owners are encouraged to conduct their own research depending on their region of operation.

Read about cookie opt in now

If you collect personal data from people in the EU, sensitive personal information, personal information from minors, or use non-essential cookies (including third-party cookies), you most likely need explicit consent and must implement an opt-in consent model, unless another lawful basis for processing applies.

To ask for opt-in consent in a privacy-compliant manner, there are eight steps website owners must follow. These are:

  1. Be clear and transparent: Use plain, easy-to-understand language to explain what data you’re collecting, how it will be used, and other parties that may have access to it. Avoid legal jargon or complex terms. This is often done via a cookie banner.
  2. Make it specific: Obtain separate consent for different purposes rather than using blanket consent. This enables users to choose which activities they want to opt in to.
  3. Use active opt-in methods: Use unchecked boxes, toggles set to “off” by default, or explicit confirmation buttons. Avoid pre-ticked boxes or other methods that assume consent, as manipulative design to encourage consent is strongly frowned upon by authorities.
  4. Provide granular options: Enable users to select which types of data they’re willing to share or which specific activities they consent to.
  5. Make it easy to withdraw consent: Provide a clear and simple way for users to change consent preferences or withdraw their consent at any time.
  6. Use just-in-time consent: Request consent at the moment you need to collect or use the data, providing context for why it’s needed. A blanket “clickwrap” agreement is not compliant with most personal data collection regulations.
  7. Keep records: Maintain detailed records of when and how consent was obtained for each user, and any changes over time.
  8. Test different approaches: A/B test different UI configurations and/or consent flows to find what works best for your users while maintaining privacy compliance.

By following these eight steps, website owners can gather opt-in consent in a manner that complies with the GDPR, LGPD, and multiple other global privacy laws. This process also respects user privacy and builds trust.

If you are collecting and processing personal data in a jurisdiction that allows you to do so without obtaining prior consent, you will still legally need to notify users and enable them to opt-out.

To do this in a CPRA-compliant manner, for example, here are eight best practices website owners must follow. These are:

  1. Clear and prominent notice: Provide a clear, conspicuous notice about data collection and use practices, along with an easy-to-find opt-out option. This could be a prominent link or button labeled “Do Not Sell or Share My Personal Information” or similar, depending on what the relevant regulation outlines.
  2. Easy opt-out process: Make the opt-out process simple and straightforward. Avoid multi-step processes or requiring users to create accounts to opt-out.
  3. Clear communication: Explain in simple terms what opting out means for the user’s experience and what data will no longer be collected or shared.
  4. Timely response: Process opt-out requests promptly, typically within 15 days, as required by laws like the CPRA.
  5. Granular options: Enable users to opt out of specific data uses rather than only offering an all-or-nothing approach. This also benefits marketing operations, as some data collection can be maintained with the user’s consent.
  6. Maintain records: Keep detailed records of opt-out requests and how they were honored.
  7. Respect opt-out duration: Once a user opts out, honor that choice for at least 12 months before asking them to opt back in.
  8. Third-party compliance: Ensure that any third parties you share data with also honor user opt-out choices. Under many laws, the controller has ultimate responsibility for privacy compliance, including the activities of third-party processors working for them.

By implementing these practices, website owners can create a transparent and user-friendly opt-out process that respects privacy rights while complying with relevant data protection regulations.

Email marketing and opt-in or opt-out

Email marketing requires businesses to navigate the rules around opt-in and opt-out practices.

Opt-in emails are essential for ensuring that consumers have willingly provided their email addresses for marketing purposes.

Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, mandate explicit opt-in consent.

To comply, businesses should display an unchecked checkbox for users to select if they want to receive marketing communications and include an easy opt-out option in every subsequent email.

In contrast, opt-out practices focus on allowing recipients to unsubscribe from marketing emails they no longer wish to receive.

This approach is particularly relevant in the United States, where the CAN-SPAM Act governs direct marketing practices.

The Act requires that all marketing messages be clearly identifiable as commercial communications, provide a simple and prominent unsubscribe mechanism, and include accurate header information and subject lines.

Additionally, organizations must provide a valid physical postal address to inform recipients of their location.

Combining these practices ensures that businesses respect consumer preferences while complying with international and local regulations, thereby maintaining trust and improving the effectiveness of their email marketing campaigns.

What is double opt-in, and when is it necessary?

Double opt-in is an email marketing consent process that requires subscribers to confirm their subscription through a verification email after initially signing up. This process typically involves a user submitting their email address through a signup form, receiving a confirmation email with a verification link, and clicking the link to confirm their subscription and be added to the mailing list. This mechanism is used for marketing emails, newsletter subscriptions, and other voluntary communications.

Double opt-in is necessary or beneficial in several scenarios:

Double opt-in has benefits, but it’s also worth noting that it could result in slower list growth compared to single opt-in. However, the trade-off is often a more engaged and higher quality subscriber base, and more robust and trustworthy consent management practices.

Preference management

One potentially important addition to the marketing toolkit for companies is preference management, which works hand in hand with consent management. It’s also a source of zero-party data, which is something of a “holy grail” in marketing as it’s high-quality data that comes directly from customers. This is even more valuable with the phasing out of third-party cookies.

Preference management involves obtaining information from customers about their interests and preferences directly, like whether they prefer marketing emails or SMS notifications, or if they want communications about sales only or also about new product launches, etc.

This information can be collected in a dedicated preference management center, or account settings, via surveys, and other mechanisms. The advantage of consent management is that companies then have explicit information about what customers want, and their consent to deliver it in specified ways.

Choose the right approach for your data privacy needs

Navigating the complexities of opt-in and opt-out consent models is essential for maintaining compliance with global privacy laws and respecting user preferences.

Opt-in consent requires explicit agreement from users before their data can be collected or used, ensuring a high level of transparency and user control. Conversely, the opt-out model presumes consent until the user explicitly withdraws it, placing the onus on users to protect their data and privacy in most cases.

Understanding and implementing these consent practices, along with adhering to specific regulations like the GDPR, helps businesses build trust, enhance user engagement, expand Privacy-Led Marketing operations, and stay compliant with data privacy requirements.

By following best practices for both consent models, website owners can create a user-friendly and legally sound environment for their online activities, no matter where their visitors are located.

Navigating the complexities of GDPR compliance can be challenging, especially when managing cookies and tracking tools on your website. Google Tag Manager (GTM) provides a streamlined solution for handling various marketing and analytics tags. However, ensuring it aligns with stringent data protection laws requires careful setup and management.

We’ll explore how to use GTM effectively while staying compliant with global privacy regulations like the GDPR. We’ll discuss the role of Google Consent Mode, the importance of a consent management platform, and practical steps for configuring GTM to respect user consent.

Whether you’re new to GTM or looking to optimize your current setup, this guide will help you balance data collection needs with user privacy rights.

What is Google Tag Manager?

At its core, Google Tag Manager (GTM) is like a control center for your website’s tracking and marketing tools.

Google Tag Manager is a free tool that enables companies to manage and deploy marketing and analytics tags on their websites or mobile apps without modifying the code. It acts as a centralized system where one can add, edit, and manage various tracking codes and snippets, known as “tags,” from a web-based interface.

Imagine you’re running an ecommerce website and want to track user interactions, analyze traffic sources, and measure conversions. Instead of manually adding separate code snippets for Google Analytics, Google Ads, Facebook Pixel, and other tools directly to your website’s code, you would add a single GTM container code to your site.

Then, using the GTM interface, you can set up and manage all these different tags, defining when and where they should fire based on specific triggers, like page views, button clicks, or form submissions. This approach simplifies tag management, reduces the risk of errors, and enables marketers to make changes quickly without having to constantly rely on web developers to modify the site’s code.

In GTM, there are tags and triggers. Tags are the actual snippets of code you want to run on your site, while triggers determine when these tags should fire. For example, you might set up a Google Analytics tag to track pageviews, with a trigger that fires on all pages. You could also have a conversion tracking tag for Google Ads, with a trigger that only fires when a user reaches the “Thank You” page after completing a purchase.

Does Google Tag Manager use cookies?

The Google Tag Manager code does not use cookies. The one exception is when using GTM’s Preview and Debug mode, where it sets several first-party cookies essential for the preview functionality. These cookies are only set for administrators using the Preview mode and are deleted once you exit it.

While GTM doesn’t use cookies itself, it can be used to implement tags from other tools, like Google Analytics, that do set and use cookies. These third-party tools implemented via GTM are likely to store cookies and process personal information.

Therefore, the tags you implement through GTM may set and use cookies. This is why it’s vital to have proper Google Tag Manager cookie consent mechanisms in place, especially for compliance with privacy regulations like the General Data Protection Regulation (GDPR).

Read about GDPR and cookies now

Google Tag Manager doesn’t directly require cookie consent because it doesn’t set cookies, and so doesn’t collect personal information.

However, some tags added through Google Tag Manager may use cookies to track how users interact with a website. For example, Google Analytics uses cookies to collect information about user behavior, such as pages visited, time spent on site, and conversion actions.

Thus, obtaining Google Tag Manager cookie consent is a best practice and potentially necessary to meet GDPR and CPRA regulatory requirements. However, this depends on your marketing tools setup and operations.

Is Google Tag Manager GDPR-compliant?

Google Tag Manager itself is not inherently GDPR-compliant or non-compliant. Its compliance status depends on how it’s used and configured.

By default, GTM does not set cookies or collect personal data on its own. However, it’s commonly used to implement tags from other services, like Google Analytics or advertising pixels, that use cookies and collect personal data. These third-party tags implemented through GTM may require consent under the GDPR.

Read about google analytics GDPR now

To use GTM in a GDPR-compliant manner, website owners need to take several steps:

GDPR data processing using Google Tag Manager

Google Tag Manager (GTM) can play a crucial role in GDPR compliance for websites that use it to manage tracking and marketing tags. As it often deploys scripts and tags that collect personal data. Thus, website owners must ensure that tags implemented through GTM only fire after obtaining proper user consent, in line with GDPR requirements. Under the regulation, website owners are responsible for ensuring that all data processing activities, including those facilitated by GTM, comply with GDPR stipulations.

One key aspect of GDPR compliance in GTM is data minimization. This involves carefully auditing all tags and scripts deployed through GTM to ensure they only collect necessary data. Website owners should regularly review their GTM container to remove any redundant or excessive data collection points.

Another important consideration is the principle of purpose limitation. Each tag in GTM should have a clear, documented purpose for data collection. This documentation can be maintained within GTM using notes and descriptions for tags and triggers, creating an audit trail demonstrating GDPR compliance efforts.

To address privacy regulations like the GDPR and CCPA, GTM offers a Consent Mode framework that enables website owners to adjust tag behavior based on user consent status.

The Consent Mode in GTM supports various consent types for different data collection purposes, such as advertising, analytics, and personalization. Website owners can create Consent Initialization triggers to ensure consent settings are applied before other tags fire. Individual tags can also be configured with specific consent requirements, enabling granular control over data collection practices.

In addition, GTM integrates well with leading consent management platforms, making it easier to implement comprehensive consent solutions.

By leveraging these tools, website owners can ensure their data collection practices comply with global privacy regulations while still gathering valuable insights.

Google Tag Manager and Google Consent Mode

Google Tag Manager and Google Consent Mode work together to help websites manage user consent and comply with privacy laws like the GDPR. Google Consent Mode adjusts Google tags based on user consent status. When used with GTM, it enables precise control over when tags fire and how data is collected.

With this setup, website owners can set default consent states for purposes like analytics, ad storage, and personalization. Tags are configured to respect these consent states, running fully, partially, or not at all based on user choices. This allows data collection to continue in a privacy-respecting manner even if full consent isn’t given.

GTM simplifies implementing Consent Mode by offering built-in variables and triggers for consent management. Website owners can create conditions for tag firing, ensuring tags only execute with the proper consent. This integration helps maintain compliance with privacy laws and improves user experience by respecting privacy preferences while still gathering necessary data.

The consequences of GDPR noncompliance when using Google Tag Manager

Noncompliance with the GDPR when using Google Tag Manager can have severe consequences for businesses.

The penalties for violations can be substantial, with fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher, for repeat or particularly serious violations.

Beyond the financial impact, companies can suffer significant reputational damage as customers become increasingly aware of and concerned about their data privacy rights. A breach or misuse of personal data can lead to negative publicity, loss of consumer trust, and a subsequent decline in sales and customer acquisition.

Lastly, non-compliant companies may face legal action from affected parties in jurisdictions that allow it, resulting in costly and time-consuming legal proceedings.

A consent management platform is helpful for organizations using Google Tag Manager to comply with the GDPR for cookie consent. These platforms help websites collect, manage, store, and signal user consent (e.g., with Google Consent Mode) as required by data protection laws.

Integrating a CMP like Usercentrics’ with GTM makes it easier to obtain legally compliant cookie consent through features like customizable banners, an extensive data processing services database, and multi-language support. This helps to ensure transparent consent collection and enables users to easily modify or withdraw their consent.

Usercentrics CMP also tracks and records consent preferences, providing a centralized repository that can be used to demonstrate compliance in the case of a regulatory audit or if a user requests a copy of their personal data, including consent history.

By automating consent management for GTM, CMPs help businesses meet GDPR requirements and build user trust by giving individuals greater control over their data.

Usercentrics understands how important data privacy is to both your business and your customers. That’s why our solution can help you obtain and manage user consent effectively within Google Tag Manager.

Usercentrics CMP integrates seamlessly with GTM using a data layer variable, enabling smooth communication between your GTM settings and the CMP. This integration allows for automated tag management, ensuring that only tags corresponding to consented purposes are fired, respecting user privacy preferences.

Usercentrics also generates customizable consent banners that can be easily implemented through GTM, enabling users to provide granular consent for different types of cookies and data processing purposes.

Google is phasing out third-party cookies in Chrome, marking a significant shift in the digital marketing landscape. Our in-depth session explores what this means for marketers, advertisers, publishers, and users. We address the challenges ahead and provide actionable solutions.

During this webinar, we cover the impact on personalized advertising, delve into alternative tracking technologies, and share strategies to maintain user privacy while achieving marketing goals.

What You’ll Learn:

Who Should Watch:

Stay ahead of the curve and ensure your marketing efforts succeed in a cookieless future. Register now to watch the recording!

As Google expands its EU user consent policy to include Switzerland, it’s crucial for Swiss businesses to stay informed and become or maintain compliance. Our exclusive checklist provides a clear roadmap to understand the new requirements and provides actionable steps to achieve compliance before the 31 July 2024 deadline.

Who this checklist is for

Why you should download our Google checklist

❓When is Google’s deadline?

✅ Enforcement starts 31 July 2024.

❓What regions are included in the requirements?

✅ Online users residing in Switzerland to whom companies target advertising.

❓What are the new requirements?

✅ Businesses using Google advertising and/or monetization products are required to obtain Swiss users’ consent for the use of cookies or other local storage where legally required, as well as for the collection, sharing, and use of personal data for the personalization of ads.

❓Do the new requirements apply to all publishers and advertisers targeting Swiss traffic?

✅ No. The new Google consent requirements in Switzerland mandate the use of a Google-certified CMP that fully supports the Transparency and Consent Framework (TCF) for publishers.

✅ For advertisers that don’t monetize their platforms with digital ads, the only requirement is to obtain consent from Swiss users where legally required.

❓What are the requirements for verifiable consent under Google’s EU user consent policy?

✅ Based on existing requirements from regulations like the Swiss Federal Act on Data Protection (FADP), which is compatible with the General Data Protection Regulation (GDPR).

The main requirements for third parties using Google services:

and

❓What Google services are included in the requirements?

✅ Google’s advertising platforms or services, like AdSense, AdMob, Ad Manager, Google Ads, Google Analytics, or Google Marketing Platform.

✅ Personalization features on these platforms.

❓I am a publisher. What do I need to do to become compliant?

✅ Implement a Google-certified Consent Management Platform (CMP) for the TCF, such as Usercentrics CMP.

✅ Activate the Transparency and Consent Framework (TCF) v2.2 on your CMP.

✅ Use your CMP to obtain prior consent from users to collect their personal data for advertising purposes.

✅ Consider implementing the latest version of Google Consent Mode for additional marketing benefits.

❓I am an advertiser. What do I need to do to become compliant?

✅ Obtain consent from Swiss users where legally required.

💡 For now, you’re not expected to send a verified consent signal for Swiss traffic through Google Consent Mode — a requirement already in force for EU/EEA audiences — but this may change in the future.

❓How do I collect valid consent with Usercentrics CMP?

✅ Start with one of Usercentrics CMP’suser-friendly templates, or fully customize your banner design and messaging.

✅ Set up the CMP for all regulations relevant to your business.

✅ The Usercentrics CMP consent banner enables users on websites to record their consent preference for use of their personal data with the click of a button.

✅ Website users can also revoke consent or update their preferences at any time.

✅ Consent information is securely stored in the event of an audit or data subject access request.

❓How does Usercentrics CMP integrate with the IAB TCF 2.2?

Usercentrics CMP integrates with the IAB’s Transparency and Consent Framework 2.2 via an extra panel in the consent banner of websites registered with the IAB. From Ad Settings, end users can choose between IAB Purposes and Vendors before submitting their consent.

❓How do you set up Usercentrics CMP with Google Consent Mode?

  1. Create an account and add your domain.
  2. Select and customize your banner.
  3. Implement the code into your website. Done!

For detailed instructions on how to set up and implement the Usercentrics consent banner with the IAB TCF v2.2 integration enabled, check our documentation.

❓Is Google Consent Mode v2 implementation included in the new requirements?

✅ Not for now.

✅ You should consider implementing Consent Mode v2 for additional marketing benefits, such as analytics and conversion modeling. It also helps you avoid losing marketing data due to users declining consent.

Get Usercentrics CMP to achieve compliance with Google’s CMP requirements in Switzerland

By using Usercentrics CMP IAB Framework (TCF v2.2) integration as your website’s consent management platform, you can ensure compliance with Google’s new consent requirements for Swiss traffic.

With Usercentrics CMP, advertisers and publishers can also ensure compliant data collection and processing across the board.

In this insightful on-demand webinar, our experts discuss Preference Management and the significance of consent preferences in today’s digital ecosystem. They present current trends, discuss market conditions, and explain how Usercentrics’ Preference Manager solution can help your growing business thrive in today’s rapidly evolving digital landscape.

During the webinar you’ll learn:

Watch now to ensure your consent management strategy remains effective in the face of industry changes. The webinar is free to watch.

Digital marketers already know that “consent is the new gold.” But what if a website visitor simply ignores your cookie banner or intentionally clicks the reject button?

Without their explicit consent, are they lost forever for any targeted marketing activities? Or is there still a way to re-engage users who have opted out?

To answer these questions with confidence, first you need to understand what cookie consent is, how best to obtain it, and what tools are at your disposal.

In this article you will learn:

Cookie consent is permission that websites must obtain from users before collecting, storing or using any personal information — by way of session or tracking cookies — on their computer, smartphone, or other device.

Read about tracking cookies now

Cookie consent is required by many data privacy regulations and frameworks, such as the European Union’s General Data Protection Regulation (GDPR) and ePrivacy Directive. The aim is to protect personal data and inform users about how their information is collected, used, and shared.

To obtain cookie consent, websites typically use a cookie opt-in consent banner, which informs visitors about their use of cookies and provides options to accept or reject them.

Alternatively, depending on the jurisdiction, they may make use of an opt-out model that informs visitors about the use of cookies and provides them with an option to exercise cookie consent preferences, including access to a “Do Not Sell Or Share My Personal Information” link.

This is a requirement in jurisdictions like U.S. states where in many cases consent is not required before data collection, but users must be able to opt out of certain uses of their data. This not only helps in complying with legal requirements but also demonstrates transparency and fosters user trust.

No, not all cookies require consent. That said, a ruling by the the Court of Justice of the European Union improves our understanding of cookie consent requirements under the GDPR.

Read about GDPR and cookies now

It notes that website owners may not assume or coerce consent, and must obtain consent for cookies before or at the commencement of data collection, especially for cookie types that may present privacy issues for the user, per Recital 30 GDPR. These include:

GDPR-compliant cookie consent can only be attained via the opt-in principle. Personal data may only be collected and used for marketing purposes if the user has actively consented to this. Consent also needs to meet other GDPR criteria. Learn more: 7 criteria for a GDPR-compliant consent)

Note: if the user ignores your consent banner and continues to navigate around the website, it does not count as legitimate consent according to the GDPR, as there was no explicit action performed to give consent.

While there are a number of tricks used to get website visitors to opt in, these are forbidden by some laws and strongly frowned upon by data protection authorities. For more details about these, see our article Obtaining user consent: these 5 tricks are not compliant with the GDPR.

Icon Auditcheck

Failing to obtain cookie consent can lead to serious consequences under the GDPR, and not just for big tech companies that draw headlines for huge fines.

Organizations found to be noncompliant can face substantial fines reaching up to 4 percent of annual global turnover or EUR 20 million, whichever is higher, for more severe or repeated violations.

Neglecting to obtain proper consent can also lead to loss of customer trust and reputational damage, as users and consumer rights groups are increasingly aware of data privacy issues.

Once noncompliance is out in the open, regulatory scrutiny is likely to increase, leading to further audits and investigations. Organizations found to be negligent or to have wilfully violated privacy laws are unlikely to get lenience or the benefit of the doubt in the future.

Noncompliance can also hurt the bottom line beyond fines. Consumer trust is crucial for growing and maintaining a loyal customer base. When taken together, these consequences can significantly damage an organization’s reputation and financial health.

Implementing cookie consent is crucial to comply with data protection regulations, such as the GDPR. Below are some key dos and don’ts to consider in your cookie consent strategy.

Cookie consent dos

Cookie consent don’ts

Read about cookie policy now

Why is the acceptance rate of cookies key for improving revenue?

For digital marketers, it makes a big difference whether the majority of users accept only essential cookies or also marketing cookies. After all, the information gained through optional cookies forms the basis for targeted content delivery.

⇨ Acceptance rate is the key to a treasure trove of relevant marketing data, which in turn has a direct impact on ad revenue.

Is re-engaging users who have opted out from cookies worthwhile?

Before devising a strategy to win back users who have opted out, first consider how many can potentially be won back.

How high is the current acceptance rate? What percentage of users are giving their consent to the use of all cookies, on average? If it’s already relatively high, you can still take targeted optimization measures, but the effort is only really worthwhile if there’s a high proportion of users opting out.

Interesting fact: on average, about two-thirds of users give their consent for the use of marketing cookies, according to an internal Usercentrics evaluation.

However, this value does not apply to every website or every industry, because whether a user agrees to the use of their data depends on various factors.

For example:

Cookie expiration and consent

Even with user consent, cookies don’t last forever. Different types of cookies expire after different periods of time, depending on a number of factors. So you likely will get the opportunity to ask opted-out users for consent again in the future.

Some laws also stipulate how soon you can ask certain types of users for consent again if they opt out. Other laws outline how often user consent has to be renewed.

Become familiar with the requirements and prohibitions of privacy laws for cookie consent in jurisdictions relevant to your business.

Before you pull too many levers at once to get a user to opt in, one important thing must be taken into consideration: the user must freely choose to do so (Recital 42, GDPR). They cannot be manipulated or forced into opting in, e.g. by blocking their access to the website with a cookie wall.

Option 1: Use contextual consent

Cookie consent infographic

To convince a user to consent, ensure the added value is clearly evident. Individual, embedded content is a good option here.

For example, if a user who has opted out wants to interact with a certain type of content on the website, a cookie consent dialog is displayed and the user is asked for consent again for that specific context.

For example, this option is available for:

The user recognizes exactly what they get access to by providing their consent, and why consent is needed for that function to work. Cookie consent now fits perfectly into their user journey and increases the likelihood of increased consent rates.

Our assessment

✔ Easy to implement
✔ Fully customizable for branding, messaging and context
✔ High user acceptance

Option 2: Use programmatic display

Cookie consent infographic - Programatic display

While the benefits of contextual consent are immediately obvious, with programmatic display you have to go deeper into data analysis. Using the data obtained from users who have opted in, you need to find out which subpages and landing pages have a high trust factor, and then play out the cookie consent on these pages again.

Keep an eye on the development of programmatic display. To make it as unobtrusive as possible for the user, initially limit the display to a small proportion of users, and only increase the frequency when the data shows corresponding signs.

Our assessment

✔ Unobtrusive option to increase the likelihood of consent
⚠ Requires elaborate data evaluation or analysis
⚠ Strategy must be tracked and readjusted if necessary

Option 3: Replaying the cookie banner during sale events

Replaying the cookie banner during sale events

Major sales promotions, such as Black Friday or Cyber Monday, not only attract more users to retailers’ websites, but also increase consent willingness.

For example, Usercentrics Black Friday research shows that opt in is significantly higher on these days than usual as consumers are highly motivated to pursue very specific and ideally personalized online experiences.

Read about cookie opt in now

People want to get to the bargains as quickly as possible and therefore tend to set aside privacy concerns. Additionally, providing consent may gain them access to even better deals, like discounts at checkout.

It’s up to each retailer to decide to what extent they want to take advantage of this shift in the usual “pain threshold.” However, the replay of the cookie banner should be used judiciously in order to avoid risking users feeling so harassed by it that they leave the page.

Read about optimize cookie banners now

Our assessment

✔ A lot of potential to significantly increase the acceptance rate
⚠ Develop deep contextual understanding of users’ “pain threshold” for banner presentation

Option 4: Incentivization via voucher

Incentivization via voucher

Anyone who has visited a web store has likely seen the obligatory “coupon code in exchange for receiving the newsletter” deal. However, this marketing tactic can also be used to solicit a cookie consent opt in from users who initially declined.

So make your users an offer. “Do you really want to decline? How about a 5% discount code for your next purchase?”

Caution: pay attention to moderation and middle ground here. If you entice users with goodies that are too extravagant, you could quickly come under suspicion of unduly manipulating them to consent.

An offer that looks too good to refuse may be indistinguishable from a bribe. We recommended strictly adhering to the “voluntary” element of consent (Recital 42, GDPR) in order to act in a GDPR-compliant manner.

Our assessment

✔ High user acceptance
⚠ Potentially low retention
⚠ Potential to draw regulatory scrutiny if incentives are too generous
⚠ The user’s choice to consent is not based on building trust

Using a consent management platform like Usercentrics CMP can enhance your ability to manage cookie consent efficiently, aiding in compliance with the GDPR and streamlining the implementation of Google Consent Mode.

Usercentrics CMP offers a flexible and customizable platform that can adapt to the specific legal requirements of your website or app. It facilitates easy tracking of user consent and integrates seamlessly with existing website tools. Key benefits include:

icon Talk

While tracking cookies are a powerful tool for any business with a website, they need to be used responsibly and in accordance with relevant data privacy legislation. In other words, with appropriate user consent.

Having read this article, you should now be equipped to roll out an effective and privacy-compliant cookie consent strategy and solution. We also explored consent rate optimization, with several approaches to obtaining consent from users who initially declined.

Depending on how low your acceptance rate is, winning back these users offers great potential. Just be mindful that implementing these measures requires varying degrees of effort, and, depending on the scenario, can be intrusive or noncompliant.

While most people are unlikely to be bothered by contextual consent, for example, other approaches require much more sensitivity and fine-tuning. Ultimately, great user experience should be a strong driver of your consent and marketing strategies.

The extra effort can be very worthwhile. The additional data collected in compliance with data protection regulations over a longer period of time makes a significant contribution to the total usable data volume, which in turn has a direct impact on ad revenue. You also clearly demonstrate your respect for privacy to customers and prospects.

Our recommendation: keep an eye on your consent rates and regularly check how you can increase them through targeted initiatives. Because sometimes even small levers, such as targeted incentives, can have a big effect.

Internet or browser tracking cookies are a type of technology that everyone should understand, especially when it comes to data privacy.

Primarily, cookies collect information about your interests and actions online, like helping websites track your browser activity. While this may sound problematic, it usually makes your life easier.

For example, many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. If websites didn’t set cookies, your shopping cart would reset to zero every time you clicked on a new product. They also help maintain convenient settings like your language preference or account login.

But not all cookies are created equal, and they collect different kinds of information. There are session cookies that are temporary and only in use for a single session. For example, as long as you browse a website or until you check out with your shopping cart.

There are also first-party and third-party persistent cookies, also known as tracking cookies. Data privacy regulations like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) affect how they can be used.

In this article, we’ll examine tracking cookies, how they work, and what’s required to ensure compliance with relevant data privacy regulations while getting the data you need for marketing operations.

What are tracking cookies and what are they used for?

Tracking cookies are small files that are stored on a user’s device when they visit websites. There are two main kinds: first-party tracking cookies and third-party tracking cookies.

These cookies collect data about the user’s online activities, enabling websites to “remember” their interactions and preferences so they can serve them more relevant content, ensure a better user experience, and numerous other use cases. Collected data includes search history, geographic location, purchasing trends, and other behavioral information.

Cookies are used practically everywhere online — Google, Facebook, Amazon, and almost all business or commercial websites — making it difficult to browse the web without some kind of tracking.

What’s the difference between regular session cookies and tracking cookies? Session cookies are temporary files that are only active during individual browser interactions and are usually needed to retain needed information, like the contents of the online shopping cart we mentioned above.

Tracking cookies are set up by websites and will “follow” you as you browse. They conduct cross-site tracking and build up information on a user. Think of this as an information string that’s being pulled along to each new website a user visits, accumulating data until the end of the browsing session.

The data is then used by the organization that owns the site where the cookies were set, or used by or sold to third parties. This is usually other companies or websites that focus on creating personalized campaigns and serving you product ads that match your browsing history and presumed interests.

Icon shield

What are third-party tracking cookies?

Third-party tracking cookies are set by a vendor other than the website owner. These cookies are used by third-party organizations to collect user data across multiple sites. Most often, this kind of cookie is used for targeted advertising and analytics, enabling these entities to build detailed profiles of a user’s browsing habits and then sell to them.

What are first-party tracking cookies?

A first-party tracking cookie, on the other hand, is set by the website owner. This kind of tracking cookie typically collects data on that one site, which is used to improve the site experience for visitors, like the aforementioned language preferences or user authentication. If a site makes use of a chatbot, it may need first-party tracking cookies to function.

How do tracking cookies work?

Tracking cookies work by monitoring a user’s actions and preferences as they navigate different websites. When the user returns to a website or visits others within the same advertising network, the cookies send information back to the host. This helps build a detailed profile of individual users, which is valuable for analytics and marketing.

This tracking makes it possible for websites and advertisers to remember that visit, tailor content, and display targeted ads based on the user’s browsing history.

What data do tracking cookies collect?

Tracking cookies collect a range of data to improve website functionality and personalize ads. Here is what they typically track:

Are tracking cookies illegal or dangerous?

Tracking cookies are not illegal, but depending on the type of cookie and the information being collected, their use is governed by regulations like the GDPR and the ePrivacy Directive (to be replaced by the ePrivacy Regulation (ePR)). So the use of tracking cookies without a valid legal basis like consent can be a regulatory violation of data privacy.

Tracking cookies collect a wealth of information about individuals that could be used to identify them. Some personal data, like names and unique ID numbers, are obviously identifying. But other types, like purchase history or IP address, could also be identifying if combined with other data points. Recital 30 of the GDPR states that, in these circumstances, this data may be considered personal data, and be subject to the GDPR.

While tracking cookies are not inherently dangerous, there are some concerns about privacy and compliance with global regulations. This is because they can track extensive information about a user’s internet behavior, which could be misused, used for decision-making purposes with significant effects on the individual, or handled in ways that are not secure.

Read about GDPR and cookies now

Privacy laws and tracking cookies

Many privacy laws around the world regulate the use of tracking cookies. These laws are primarily designed to protect user data and online privacy, and ensure transparency between businesses and consumers. Let’s take a closer look at cookie tracking compliance with respect to two such laws: the European Union’s GDPR and California’s CCPA.

GDPR tracking cookies

Using tracking cookies and being fully compliant with the GDPR can be tricky. Regulations require that website providers let their visitors know when websites are using cookies, especially third-party tracking cookies.

They also require upfront information about which cookies (or at least which categories), their purposes, how the data collected may be used, and who may have access to it.

Once visitors know that tracking cookies are being set, such as via the website’s privacy policy and/or a consent banner, they must be able to provide prior consent for each data processing service that collects information.

Without consent, according to a ruling by the European Court of Justice, the collected data cannot be processed, passed on, or sold to third parties, otherwise, the company risks large fines.

This means that no cookies can be set and no data can be tracked without the user first explicitly acknowledging and accepting data collection and use.

While collecting information such as search history, purchase information, and location might not seem too bad, the amount and types of information collected rarely stops there.

“Device information, the time and date when a user clicked on something, the ads a user focuses on, as well as TV shows that are watched are just a small part of the information that is collected,” says Justin Brookman privacy expert at Consumer Reports, “Consent for this must be requested.”

icon lock

Tracking cookies and CCPA

The CCPA is a data privacy law in California that impacts how businesses use and protect individuals’ (data subjects) personal data and rights, part of which relates to how they handle tracking cookies.

Under the law, businesses that collect the personal information of California residents through tracking cookies must inform them about the types of data being collected and the reason for its collection.

The law also requires businesses to provide a clear “Do Not Sell My Personal Information” link on their websites, enabling users to opt out of the sale of their personal data at any time. (Note: since the CPRA has also come into force in California, the statement must now read “Do Not Share Or Sell My Personal Information”.)

While the CCPA uses an opt-out consent model, unlike the opt-in model outlined by the GDPR, for data subjects between the ages of 13 and 16, organizations must obtain consent before they can collect or sell their personal information.

For children under 13, businesses need to obtain prior consent from a parent or guardian. Prior consent is also required if the data to be processed is categorized as “sensitive.”

This regulation highlights the need for transparency and user control in the deployment of tracking cookies. To learn more about the regulation, read our guide to the CCPA here.

Data-driven marketing today requires valid user consent. However, not all consent is created equal. In fact, “The way in which you collect consent is just as relevant,” says Hans Skilrud, CEO of privacy policy generator Termageddon.

Art. 7 GDPR explicitly outlines the conditions for valid consent, a definition adopted by most data privacy laws around the world.

With this in mind, here are guidelines for obtaining valid consent for tracking cookies:

Consent must be freely given

Consent should be voluntary, i.e. given without any pressure or manipulation. Offer clear, unbiased choices without any pre-selections. Tools like the Usercentrics Consent Management Platform (CMP), for instance, make it easy to offer users clear consent options via customizable cookie banners.

Consent must be informed

Users should know exactly what they are agreeing to — with the option of reviewing cookies in use at a granular level — when giving consent for tracking cookies.

This includes details about the data collector, the data being collected, its purpose, third parties with access to it, and retention period. Include all relevant information in a detailed privacy policy. It can also be accessible in the consent banner.

Consent must be explicit

Consent should be an active, deliberate choice. This means that users should not be coerced or influenced into giving consent, such as with only a single button option, pre-checked boxes, or vague and confusing language.

Make sure your language is clear and accessible and that consent options, like buttons, are equally visible and accessible.

Consent must be granular

Consent should be obtained for each data processing activity. As such, clearly differentiate between different tracking cookies and give users the option to consent to their chosen selection.

Consent must be received in advance

No user data can be collected prior to opt in, so tracking cookies should only take effect after consent is obtained. This means your first action with every new user should be asking for their consent via a clear, comprehensive, and intuitive cookie banner.

Google Consent Mode can be used (and is required in the EU in many cases) to signal this consent from the CMP to Google services to control data collection based on consent.

Consent must be well documented

Website operators are subject to the burden of proof in the event of an audit, so it’s crucial that all user consent is documented and easily accessible. A CMP, like Usercentrics, helps keep all relevant consent data in a centralized, secure location.

Data privacy laws also usually give individuals the right to access data collected about them, so consent data may also be a part of a data subject access request.

Consent must be easy to withdraw

Users have the right to change prior consent or withdraw it at any time, and doing so should be as easy as giving it. This means the option to change or withdraw consent should be easy to find on your website, without unnecessary steps or complexity.

icon projekt management

How users stay in control of their data

When using cookies, it is important that users remain in control of their data and are aware of why it is being collected and for whom.

In a study conducted by Ponemon institute, which involved surveying 652 U.S. consumers, as many as 86% of respondents said they are “very concerned when using Facebook and Google,” while 66% of respondents said they are “very concerned when shopping online or using online services.”

This mirrors increasing consumer mistrust. In the same study, two-thirds of consumers (68%) indicated that they are more concerned about the privacy and security of their personal information than they were only a few years ago.

“This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked,” Ponemon researchers noted.

This is why it’s important for users to know why website providers set cookies, and to have a clear overview of which cookies are set. Being in control of data also means that users can revoke their consent at any time and be able to give consent only for specific data processing services. Website providers must offer consumers a choice: to opt in granularly and to revoke consent at any time.

Recent data privacy laws also increasingly provide consumers with the right to data portability, enabling them to minimize the inconvenience of taking their data with them to a company’s competitor.

Confused with all of the regulatory changes? You don’t have to be

According to a study conducted by Pew Research, the lack of understanding about data privacy laws among the general public is significant 63% of U.S. residents say they understand little to nothing about the laws and regulations that are currently in place to protect their data privacy. Don’t contribute to that statistic.

Usercentrics offers plenty of webinars and articles to help you stay informed and up to date on the latest policy changes for your company, so you can keep your users informed and obtain the necessary consent for cookie use, as privacy regulations require.

You can also listen to our podcast, Consented, where experts from around the world discuss the critical role of data privacy in consent marketing.

With Usercentrics, your journey to full compliance doesn’t stop at the CMP. You gain access to legal experts, dedicated support and guidance every step of the way so you can be confident about your company’s use of tracking cookies and privacy compliance.

Icon support

After several years of delays, in July 2024 Google announced that the company would not be deprecating third-party cookie use in the Chrome browser. The article’s content remains relevant, however, so we have left it in its original form, with this note, for educational and reference purposes.

Even without the inclusion of Google Chrome, other major browsers have already fully deprecated third-party cookie use, and we believe that privacy-led marketing is the “cookieless” future.

Google started making announcements and began changes relating to phasing out third-party cookies some time ago. Cookieless solutions typically refer to the end of third-party cookie use, but not the end of every type of cookie or tracker. Given the company’s dominant market share, the final deprecation of third-party cookie use in the Chrome browser will mark a significant milestone in the evolution of data processing and digital marketing.

Expert Insights

“Once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”

David Temkin
Director of Product Management, Ads Privacy and Trust at Google

Google has also been rolling out new data privacy-related requirements for its customers, spurred in good part by requirements in regulations like the Digital Markets Act (DMA). The company has updated and is enforcing its EU user consent policy. Many publishers in the EU that need to retain full access to Google services are also being required to implement Google Consent Mode and/or the TCF 2.2.

It’s not all stick and no carrot, though. Google provides cookieless future solutions to help enable data privacy compliance with regulations and the company’s own requirements, while also helping organizations replace strategies that relied on third-party cookies. Millions of companies rely on Google services for advertising, analytics, and more, and there is a suite of options to help your company evolve its digital marketing strategy. Become privacy-led, better engage your audience, and achieve strong growth.

Google Consent Mode is a tool used by websites to signal visitors’ choices about consent for the use of cookies and other tracking technologies. It’s commonly used with a Google-certified consent management platform (CMP) like Usercentrics CMP, which displays a consent banner to site visitors to obtain the consent choice information.

Expert Insights

“Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.”

Eike Paulat
Director of Product, Usercentrics

How does Consent Mode work?

Google tags are loaded onto web pages before the consent banner is displayed. This way Consent Mode enables websites to adjust tag behavior dynamically based on whether a user accepts or rejects cookies. When the user provides consent, only then are measurement solutions employed for specific purposes.

The two tag settings Consent Mode has added for managing cookie and tracker behavior based on consent are:

Once consent information is obtained, Consent Mode then signals it to Google tags in various services that are used for measurement of website and advertising performance. Each user’s consent preferences control whether Google services collect and process all or some relevant types of available data, or only anonymized data that can’t identify an individual, potentially a cookieless identity solution where needed.

Watch next: Google Consent Mode: 4 steps you need to take now

What are the benefits of using Consent Mode?

The original version of Consent Mode was primarily for anonymized data tracking. However, with its update to v2 in November 2023, its value and intent have evolved to focus more on signaling capabilities, which help website operators to meet compliance requirements.

Consent Mode enables automation of obtaining and activating visitors’ consent choices for privacy compliance and peace of mind over meeting consent requirements. It also helps with systems integration, enabling more seamless control over data collection and access.

Expert Insights

“Implementing Consent Mode normally takes me 1-2 hours. Implementation with Google Tag Manager and a CMP like Cookiebot by Usercentrics is really simple. So, if you are not implementing Consent Mode because it’s difficult, don’t be afraid.”

Adriaan Dekker
Top 50 PPC Expert

Google Consent Mode enables website operators to get back a significant amount of data for advertisers. Even when a visitor does not provide consent for all cookie and tracker use, you can still gain conversion insights and consent banner interaction information to optimize consent rates. For example, conversion modeling enables you to use anonymized data collected from users who do not consent to cookie use to gather insights. The future is modeled, providing a cookieless solution.

Consent Mode helps website operators to move toward cookieless future solutions, away from mass collection of users’ personal data — like from use of third-party cookies — to a future-proofed, consent-driven system. Regulations and users’ privacy are respected while your advertising business model remains intact, marketers get the data they need, and clarity on conversions.

Google services that Consent Mode supports

Consent Mode currently supports these Google services:

Enhanced Conversions

We mentioned that Consent Mode enables conversion modeling, so let’s look at that more closely. Third-party cookies track users across websites, making it easy to get a full view of the conversion journey, among other data. In a world driven by cookieless solutions, there are new challenges, like knowing whether visitors are first-timers or repeat, if they come from paid or organic traffic sources, or how to connect users’ ad interactions to conversions.

Expert Insights

“2024 will be the year of 𝐄𝐧𝐡𝐚𝐧𝐜𝐞𝐝 𝐂𝐨𝐧𝐯𝐞𝐫𝐬𝐢𝐨𝐧 and 𝐂𝐨𝐧𝐬𝐞𝐧𝐭 𝐌𝐨𝐝𝐞. Those privacy measurement solution can help us reveal more conversion signals and user data while respecting GDPR. But beware:
– This feature is intended for properties with web data streams. At this time, Google does not recommend it if you have an app data stream.
– Expect at least 30 days to see a data enhancement.
– This is not recommended for advertisers using BigQuery!”

Thomas Eccel
Top 50 PPC Expert, Ex-Google Ads Support, Founder of Custom PPC ChatGPT

What is conversion modeling?

Marketers need new solutions to help them adapt their strategies and retain the ability to gain insights into user behavior. Broadly, conversion modeling uses machine learning to assign links between ad interactions and conversions to account for instances where cookies, trackers, and other identifiers weren’t available (like the user declined consent).

Conversion modeling helps to evaluate each user visit’s incremental impact on visitor behavior data, even if you can’t directly observe a final conversion. Advertisers still get data and insights to optimize campaigns for desired outcomes, whether signups, increased sales, or other goals.

Benefits of conversion modeling

Companies need to understand customers’ and visitors’ behavior better to optimize marketing campaigns. Conversion modeling brings several strategic advantages:

Google CMP Partner

Enhanced conversions with Google

Google Analytics 4 (GA4) and Google Ads are the most popular tools on the market for conversion modeling, and they enable predictions on unobserved conversions without identifying individuals, thus complying with privacy requirements. Marketers are increasingly going to need cookieless identity solutions.

Further to improved bidding and user identity protection, Google’s enhanced conversions is a feature to improve conversion measurement accuracy and unlock better, smarter bidding. It acts as a supplement to existing conversion tags, securely sending hashed first-party conversion data from your website to Google using a one-way hashing algorithm. That data is then used to match the customer to their Google account, which they were signed into when they interacted with your ad.

Learn more: Google Ads, GA4 and consent management

Read about google analytics GDPR now

How enhanced conversions work

When a customer converts on your website, first-party data is often captured, e.g. name, address, email address, etc. Conversion tracking tags can capture this information, which, once hashed, can be sent to Google privately and securely. It’s then used to enhance conversion measurement in various ways, depending on which type of enhanced conversions you use, e.g. tracking on-site sales or off-site sales from leads.

Use the Google tag, Google Tag Manager, or Google Ads API to set up enhanced conversions. Recover previously unmeasurable conversions, better optimize your bidding based on quality data, and be confident in your privacy compliance operations with the secure hashing of the first-party customer data.

How to set up enhanced conversions for web

There are three ways to set up enhanced conversions for web:

How to set up enhanced conversions for leads

Conversion data from website lead forms (first-party data) can be imported or uploaded into Google Ads, and doesn’t require modifications to your lead forms or CRM. It’s easy to set up — configure measurement right from your Google Ads account — and enables you to better optimize campaigns to off-site sales and transactions for better performance.

Server-side tagging

Server-side tagging involves serving your tags directly from a server instead of in the visitor’s browser. By moving your core tags to the server, this server-side tracking gives you more control over privacy-compliant data collection and sharing.

It’s an evolution from client-size tagging, which uses tags and data from the user’s browser, transmitted to one or more servers. Commonly, tag management uses this function to share customer data from your website with third parties, like marketing technology partners or other vendors. However, from a privacy perspective, there isn’t any centralized control over the data or who can access it.

Instead of relying on third-party services, with this sitewide tagging, both your website and customers’ data are hosted securely on a centralized server, helping meet privacy regulation requirements. Server-side tags provide a buffer between your customers and third-party vendors that want their data for tracking. It’s a way to integrate cookieless tracking solutions. Third parties cannot directly access collected first-party data from your website(s). You control who gets access, when, how, and to what specific data.

Traditiona website configuration without server-side Tag Manager

What is server-side tracking?

Both functions use a server for data management, but server-side tagging involves directly procuring data from the server, rather than only from the client’s browser. Using this method improves data accuracy, can enhance your website’s performance, and lessens the workload on the client’s side.

Benefits of server-side tagging

In addition to the privacy compliance benefits, there are a number of advantages to adopting server-side tagging and its single data stream:

Benefits of server-side tagging

Marketing teams use this sitewide tagging to benefit from improved visibility through the whole purchasing cycle. Boost conversion rates and advertising ROI. Greater control over the quality of data collection enables more precise insights and better data-driven decision-making for both in-house and third-party activities.

Website visitors also benefit from server-side tagging, as its focus is the privacy and security of their data. Consent choices can be seamlessly communicated across tools and systems to help ensure privacy compliance and controlled access to their data.

Server-side tagging with Google Tag Manager

Using Google Tag Manager for server-side tagging enables website operators to manage their tags, triggers, and variables on a server instead of in the user’s browser. It’s an easy to use solution that’s popular among marketers and web developers.

Tag management is shifted from the client side (the user’s browser), over which you have little control, to the server your company manages. This is particularly valuable to companies focusing on privacy compliance and privacy-led marketing, as well as those handling more sensitive user data.

Website configuration with server side Tag Manager

Server-side tagging with Google Analytics

Google Analytics 4 (GA4) is easy to use, and integrates well with many widely used platforms, making it a popular choice for server-side tracking. Consent Mode also works with GA4 using the analytics_storage tag. Server-side tagging with GA4 involves sending data directly from your server to Google Analytics, so it bypasses the user’s browser entirely. In addition to enhancing security and data privacy, this provides better quality control over data and improves your website performance.

Customer Match

Customer Match is an advertising tool that helps you better leverage your company’s unique online and offline customer data and insights while maintaining robust privacy standards. It uses the high quality data your customers have provided to you to target ads to them — customers control the ads they see via their Google Ads settings — and other potential customers like them. It’s a way to implement cookieless advertising solutions.

Increase brand awareness, drive conversions, and more. Customer Match helps you to reach and re-engage custom segments of your existing customer base with tailored messaging at the most relevant moments using first-party data matched against Google account holders. Customer Match also helps you reach new customers across Google platforms like Search, Gmail, and YouTube in a privacy-led way.

Particularly with the deprecation of third-party cookie use, Customer Match helps you preserve performance and can be a key part of your measurement strategy for revenue growth. It’s a scalable solution to help make the most of your invaluable first-party data in privacy-compliant ways.

How Customer Match works

Customer Match is available for Search, Shopping, Display, Gmail, and YouTube. To get started, segment your customers and upload your first-party data to Google Ads, which then matches your customer data to existing Google accounts. From there, you will target or exclude your new audience list across channels and devices. You can also use auto-generated segments that are similar to expand your list to new customers.

Benefits of Customer Match

In addition to enhancing your privacy compliance operations while still effectively engaging with your audience, Customer Match brings a number of additional advantages:

Benefits of Customer Match

Learn more: Multichannel ad campaigns: A deep dive into Google’s consent requirements for Campaign Manager 360 and Display and Video 360

Google’s Privacy Sandbox

Google’s Privacy Sandbox is and will include initiatives and guidelines to enhance data privacy, as well as cookieless solutions and technologies that support those goals. It was initially launched in 2019.

Privacy Sandbox has two big goals:

The Privacy Sandbox is developing public proposals and working with data protection authorities. Ideas, policies, and tools to display relevant web content, fight spam and fraud, limit covert tracking, and more, will continue to evolve and roll out over time.

Learn more: The Privacy Sandbox timeline for the Web

Comparison of Google’s cookieless tools

Solution: Consent Mode

Function: Signals consent information to Google tags to control data processing functions for privacy compliance. Works with a Google-certified CMP.

Benefits: 

Solution: Enhanced Conversions

Function: Related to conversion modeling, helps to improve accuracy of conversion measurement and improve bidding. Supplements conversion tags, securely sending hashed first-party conversion data to Google to be matched to customer accounts.

Benefits: 

Solution: Server-side tagging

Function: A method of serving website tags from a server instead of the user’s browser. Enables more control over data privacy compliance and processing. Can be done with Google Tag Manager and with Google Analytics 4.

Benefits: 

Solution: Customer Match

Function: An advertising tool to help better leverage data customers provide to your company (first-party data matched against Google accounts) for better insights while maintaining strong privacy standards. Used for ad targeting to drive conversions, target new relevant audiences, and build brand awareness on platforms like Search, Gmail, and YouTube in a privacy-led way.

Benefits: 

Solution: Privacy Sandbox

Function: Google’s Privacy Sandbox is an initiative to create and evolve web technologies in privacy-led ways. Main goals are phasing out third-party cookies and reducing cross-site and cross-app tracking (while keeping online content and solutions free). Also meant to fight online fraud and spam.

Benefits: 

The future is cookieless with Google solutions

While it was easy to rely on third-party cookies and the data they provided, this marketing strategy often failed to respect user privacy. It also doesn’t tend to enable the precision needed for today’s digital audiences and markets. The future is consented for marketers.

Zero- and first-party data are higher quality, can be obtained in a variety of consent-driven ways, and can be used to drive and scale privacy-led marketing campaigns to better grow revenue. Google provides sophisticated yet easy to use and integrate tools — that work with platforms you’re probably already relying on. These solutions enable marketers to continue to find their audiences and engage them while building trust, get the data marketing operations need, and comply with data privacy regulations and Google’s requirements today, and in the future.

For everything from better customer segmentation to improving your website’s performance, there are Google tools to improve your marketing tech stack that also make data privacy compliance easier.

Don’t forget to tie it all together with the most key privacy-led marketing solution — Usercentrics CMP — to obtain, store, document, and signal valid user consent. Comply with global privacy regulations, control data collection and processing, and make that high quality customer data work even harder for you to provide great user experiences and boost revenue.

Expert Insights

“Companies must learn only to collect the data that matters and create great experiences around that instead of treating everything as important.”

Adelina Peltea
CMO, Usercentrics

Want to learn more about Google tools and how they can help you manage the cookieless future with Usercentrics’ data privacy solutions? We’re here to help.

Contact sales

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

By now, pretty much everyone knows about the ever-expanding number of data privacy laws around the world, and the need for consent to process personal data from users online. Added to that are a growing number of requirements levied on businesses from influential tech platforms. As enforcement expands, the risk of revenue loss can bring a far more immediate and pressing impact on digital marketing strategy and operations.

Fortunately, there is a way forward and marketers are already embracing it. The evolution away from third-party cookies and the data they collect has been in process for some time. These changes continue to ramp up as companies have increasing motivation to adapt their digital marketing and privacy compliance practices to protect revenue operations.

We look at the practicalities that come with the end of third-party cookies, why new data sources bring greater opportunities for marketers, and what Privacy-Led Marketing promises for growth in the era of greater customer control and choice.

How are privacy regulations influencing the changes in marketing?

A number of legacy marketing operations now need to be conducted in new ways to meet privacy compliance requirements. Some older technologies are being phased out, and new ones are being developed and evolving. Marketing is increasingly being seen as and conducted as an ecosystem, where all tools and activities are connected and influenced, if not outright controlled, by data privacy. New tools are increasingly becoming necessary to better manage this ecosystem, to enable more successful campaigns, analysis, and optimization that are compliant with regulatory and business requirements.

Consumers online are also increasingly aware of their rights as granted by these regulations, and how they pertain to companies’ access to and use of their personal data. Companies can’t just take what they want. Some types and tactics in digital marketing could have negative effects on brand reputation these days.

“We need to understand how data is flowing, what data we actually need, and to really challenge that — not to collect everything but to get first-party data and build strategies around that.”

– Sandra Wojciechowska⁠, Data Protection Officer & Head of Consent Management, ⁠e-dialog⁠ (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)

It has been common in the past to collect a lot of third-party data from people online, much of it without their awareness, and certainly without their consent. Regulations now prevent that in many cases around the world. More and more, companies must notify users about what personal data they collect, how, for what purposes, and who may have access to it, among other things. No more harvesting vast amounts of data from anywhere companies can get it.

Many privacy regulations now also require companies to get user consent before collecting or processing their data, or at least meet requirements for a different legal basis before doing so. Even in areas like the United States where prior consent is not required in many cases, people must have the option to opt out of companies’ processing of their data.

All of this affects how companies can interact with customers and users, how they get information about them, how they run campaigns and analyze performance, and more. The good news is that Privacy-Led marketing enables companies to do all of these things in more sophisticated and lucrative ways than before.

Read about marketing data privacy now

What are the issues with third-party cookies?

Third-party cookies are typically set by domains (companies) other than the one operating a website. They’re set by elements integrated into the website, rather than built as part of the website itself, and they track people across the internet, not just while they’re on a particular website.

Sometimes information about how they function, what data they collect, and who receives that data is known or easily accessible to website operators, and therefore easily communicated. Those third-party services can also be more easily controlled, enabling compliance with data privacy requirements.

Plenty of these services, however, are nested several layers deep, and run by vendors, for other vendors, for yet other vendors. This obfuscates their presence and functions from the website operator, not to mention the website users. This can be a problem for controlling all data-collecting services and for transparently providing comprehensive information to users, as well as for getting valid consent for data use.

Why are third-party cookies being phased out?

The strategy with third-party data collected via these services has largely been “get as much as you can and sort it out later”. Third-party cookies certainly did provide marketers with a lot of data. There are obvious issues with transparency and consent, and thus for data privacy compliance. Additionally, much of the data has been of poor quality, and needs to be combined with vast amounts of other data to enable meaningful analysis and application.

This data use also does little to build trust with customers and develop long-term engagement and relationships. Customers feel a lack of control over what should belong to them. Increasingly, ensuring people feel in control over their data and building trust with your company is critical for effective marketing. Laws are only getting more strict, activists continue to push for change, and consumers are becoming more savvy about their data and rights. In a nutshell: it just doesn’t work well anymore.

Third-party cookie use is an old, imperfect, and blunt instrument for marketing purposes. Fortunately, technologies have evolved along with privacy regulations. Marketers have more precise and sophisticated tools now to know what data collecting services are in use, provide transparency to users, obtain data with consent, and use both the consent and the data in smarter, more integrated ways throughout the marketing ecosystem.

It’s important to note, however, that as Usercentrics CMO Adelina Peltea noted in our recent episode of the Consented podcast, “Cookieless does not mean all cookies are disappearing.”

Google is phasing out third-party cookies in Chrome – why it’s important

Google announced that they would be phasing out the use of third-party cookies several years ago. Their plans for how to do so and the exact timeline for the changes have evolved several times. However, Google began disabling third-party cookies in early January 2024 in the Chrome browser.

Google is actually late to the party, as Mozilla’s Firefox, Brave Software’s Brave, and Apple’s Safari browsers have blocked third-party cookie use for some time.

Why are changes to cookie use in Chrome influential?

This initiative initially affected about one percent of Chrome’s global users, with the rollout to expand over the course of the year until third-party cookies are fully deprecated in Chrome. While this is only one web browser, Chrome does have the majority market share, so this will affect nearly 3.5 billion web users (over 42 percent of the global population).

What are marketers using to replace third-party cookies?

Marketers need to shift away from third-party cookie data sources to more owned channels, which can be better controlled. There’s the added benefit that they tend to result in higher quality data and better conversion rates, though marketers do need to determine new ways of handling measurement and attribution. These changes also streamline being transparent with users, obtaining valid consent for privacy compliance, and providing better user experience.

Zero-party and first-party data are replacing third-party sources, and driving development of new tools and tactics to collect and activate these rich data sources.

Zero-party and first-party data – what they are and why they’re they are better for marketing

Zero- and first-party data are generally collected by a company about its own users and/or customers via various means. They are more targeted, more likely to be obtained with consent, and easier to provide information about as required by privacy laws.

Zero-party data – marketing gold standard

Zero-party data is so categorized because it comes directly to the company from the customer. There are no intermediary vendors or systems collecting, packaging, or processing it first. It’s also referred to as opt-in or self-reported data due to its consensual nature and customer origins.

Zero-party data is shared by customers, visitors, and users intentionally and voluntarily. This is typically prompted by the company, but with the goal to enable the customer to decide what data they consent to share, and shape their experience with the organization and its products and services.

How is zero-party data collected and deployed?

This data can be collected via many mechanisms, including:

Customers can inform companies about how often they want to be contacted, by what medium (e.g. email, SMS, newsletter), for what purposes, and with what information (e.g. notification of sales, personalized deals, or launch of a new product). They can inform companies what they think about products or services and what they’d like to see more of. Companies can build customer profiles with detailed information on customer identity, interests, preferences, and permissions.

All of this means the data is more likely to be highly accurate. It enables very personalized marketing, and companies can demonstrate their respect for user privacy and customer preferences. This helps develop higher engagement and long-term customer relationships, which grow revenue.

First-party data – marketing work horse

First-party data is obtained slightly less directly than zero-party data and can be slightly less accurate. But it is still a big improvement in quality and maintaining data privacy compliance over third-party data. It’s sometimes referred to as customer, proprietary, owned or in-house data.

First-party data is typically collected via a company’s owned properties, like websites and apps. It isn’t directly collected from customers and users, but is collected about their activities. These services assign unique identifiers to users, and so can recognize them to enable personalized experiences, everything from login status to maintaining the contents of their shopping cart.

“First party data refers to the data we are getting directly from our customers, and this is typically considered one of the most valuable types of data that we can get because it is provided to us, it is reliable, and it is accurate.”

⁠Sandra Wojciechowska⁠, Data Protection Officer & Head of Consent Management, ⁠e-dialog⁠ (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)

How is first-party data collected and deployed?

First-party data is largely collected from the widest variety of sources, which include:

Given how much the average person does online these days, you can see that first-party data can provide a huge amount of information about what people do, when and how they do it, and what interests them. This enables site and app optimization, audience segmentation, personalized ads and communications, and predictive modeling of browsing and purchasing behavior.

First-party data is also critical for evaluating communications and campaigns for effectiveness, determining ROI, and strategizing future efforts to best deploy budgets.

Preference management

Preference management is how zero- and first-party data are obtained and most effectively used. Your preference manager is how you collect zero-party data about customer preferences and record permissions they’ve granted. Preference management also helps fill in data gaps from loss of third-party data, and enable first-party data to be activated more effectively, e.g. via syncing across the CRM and marketing tools.

Preference management also benefits privacy compliance strategies, as granular consent can be obtained, then signaled across the marketing stack and to third-party partners to control data collection and use per the customer’s expressed preferences.

Companies should also look into server-side tagging as a way to collect, centralize and activate their zero-party data, consent, and preferences.

Learn more: What is universal consent and how does it benefit companies and their customers?

What are the risks of not updating your marketing strategy away from third-party cookies?

Privacy noncompliance due to old marketing strategies can be a risk for the whole company, both with regulatory and newer business requirements. The loss of data, audience access, and ad revenue from Google restricting access to its services, for example, could be a huge financial blow for a company. It can also tarnish your brand in the eyes of customers and prospects.

Fines, loss of data, and other penalties

Fines can be up to 4 percent of a company’s annual global revenue under the GDPR in the EU. While GDPR fines levied on big tech companies make the headlines, any size of organization processing EU residents’ personal data can be penalized for noncompliance.

Many sources of valuable first-party data, as well as ad revenue, are also at risk without evolving marketing strategy, complying with new requirements, and obtaining valid consent for first-party data processing services, like those from Google.

Government and corporate enforcement is ramping up

Data protection authorities have already begun investigations into companies the Digital Markets Act (DMA) designates as gatekeepers, including Alphabet, Apple, and Meta. Those companies are likely to make whatever changes are needed to how customers access and use their platforms sooner rather than later to protect their business interests.

To meet DMA compliance requirements, Google (Alphabet is the parent company) has made a number of changes to its requirements of its customers. These include requiring signaling of valid user consent via the use of Consent Mode v2 with a Google-certified consent management platform (CMP). Companies can work with Basic Mode or Advanced Mode, depending on their business needs and the degree to which they’ve embraced Privacy-Led marketing.

Learn more: Implementing consent for Google ads personalization: A comprehensive guide to the Google Ads compliance alert

New requirements for Google customers

Google also now requires publishers in the EU/EEA and UK to implement the TCF 2.2 via a certified CMP if they are using Google AdSense, Ad Manager, or AdMob. Companies risk loss of access to these services’ full functionality if they don’t comply.

Google also has recommendations for tools and strategies for companies to adapt to the new ecosystem for ads and measurement. These include:

Google was building on their Privacy Sandbox to enable web browsers to work in new ways to protect privacy and enable data use, but as of early 2025 has cancelled plans to deprecate third-party cookie use in the Chrome browser. This essentially spells the end for the Privacy Sandbox, but we shall see what future initiatives the company launches to replace it.

Learn more: Are ecommerce businesses ready for the new consent requirements?

Customers ain’t gonna take it

Consumers’ awareness and demands for control of their data and rights continues to grow as privacy laws spread. They are no longer passively accepting of having their data collected and used by entities they don’t know and purposes they haven’t approved. People will vote with their wallets, and are increasingly likely to end a business relationship if they don’t trust a company’s security or use of their data.

Data privacy regulations also increasingly include the right to portability, which means it’s easier for people to take their data and quit a company — probably for a competitor that may offer better products or pricing in addition to demonstrable respect for user privacy.

Companies have access to more sources and types of user data than ever before, but that means they have greater responsibility for how they access and use that data. Increasingly, around the world, there are consequences for not taking that responsibility seriously.

What is Privacy-Led marketing and why is it the future?

Privacy-Led Marketing includes everything we’ve already looked at. Tied to the idea of privacy by design, it puts privacy first marketing strategy and operations, and in customer relations. It involves embracing the benefits and competitive advantages data privacy brings to a company, rather than focusing on what you lose with third-party data, or what can still get away with and for how long.

Privacy-Led Marketing values quality over quantity in user data, learns when and where the right times are to communicate (clearly and right at the beginning), ask for consent and data access (and optimize these over time), and doesn’t focus excessively on what data and access companies no longer have (wasn’t the best anyway).

It values building trust by being transparent with customers and remembering that they want to know “what’s in it for me?” And of course, making it easy for them to express their preferences and manage their consent.

Privacy-Led Marketing thinks about the user journey, not a single opportunity. It strategizes how it can provide a continuous user experience with control, over time becoming clearer and honed for maximum benefit to the company and user, while meeting regulatory and business requirements.

“Users value tradeoffs. When we can provide them with a tradeoff that will be personalized recommendations or targeted adverts that are of interest to them, then users are more prone to share that data with us.”

– ⁠Sandra Wojciechowska⁠, Data Protection Officer & Head of Consent Management, ⁠e-dialog⁠ (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)

Smart marketers are strategizing new paths forward with the knowledge that happy customers share more data and develop more loyalty with brands, which benefits the bottom line.

These strategies focus on using the tools companies now need, like a consent management platform, Google Consent Mode, and the TCF 2.2 to maximum advantage. They understand that marketing is an ecosystem, and that consent and data need to flow throughout and control not only the company’s campaigns, but data access and use by third parties like partners and vendors.

Privacy-Led Marketing is the future because there is no path forward for old ways of doing things. Thanks to ever-evolving data privacy regulations and new requirements from influential platforms, old strategies are too risky, have become primitive and noncompetitive, and, ultimately, simply will not work.

Consent management has been important for some time to enable data privacy compliance, but companies need to start seeing it as one part of Privacy-Led Marketing, if they aren’t already.

Using a high performance consent management platform (CMP), companies can not only obtain valid user consent, but they can get rich data about user interactions with consent banners. These analytics enable insights and smart optimization to increase opt-in rates. This helps offset any data loss from third-party cookie use.

For even better user experience and maximized opt-in rates, you can deploy contextual consent, asking at specific times for specific services and purposes. Visitors and customers will know exactly why you are asking for consent, and what the benefit is to them.

“Collect the right information at the right time, then we will have higher consent rates and we’ll have the trust of the users.”

– Adelina Peltea, Chief Marketing Officer, Usercentrics (Consented podcast, Episode 3: Is Privacy-Led Marketing the solution to the cookieless future?)

Consent management also helps deliver peace of mind, as a solution like Usercentrics CMP can block nonessential cookies and other trackers until user consent is obtained, helping to ensure privacy compliance. It also enables customization for compliance with multiple data privacy laws, so visitors see the right banner for their location. You can even customize the language the banner is displayed in for optimal user experience while achieving privacy compliance.

Your CMP enables you to set up the required signaling for your tag manager, including Google Tag Manager. The Usercentrics and Cookiebot CMP solutions are Google-certified, so can signal consent in the necessary way to meet Google’s latest requirements.

The future of marketing is privacy-led. You’re not alone in figuring out how to embrace these new solutions. Achieve and maintain your privacy compliance while obtaining the data you need, signaling the consent that your marketing ecosystem requires, and growing your loyal customer base and revenue.

Check out the full Consented podcast, Episode 2: Is Privacy-led Marketing the solution to the cookieless future? It’s available on Spotify and YouTube.