
The growing popularity of blockchain technology is transforming how we approach data privacy and consent management.

Blockchain consent management provides a secure and transparent solution that empowers users to control their personal data. By leveraging the properties of blockchain technology, it provides an accountable and efficient way to handle permissions to access personal data. 

This shift represents not just an upgrade in technology from previous consent management options, but a fundamental change in how we think about data privacy and control.

Blockchain consent management provides a way to handle user data permissions securely and transparently. It’s a digital system that gives users control over how their personal information is used online. It acts like a customizable, trackable permission slip, enabling individuals to decide exactly what data to share, with whom, and for what purpose.

Unlike traditional agreements that rely on broader, potentially vague consent, this system offers more precision.

Every consent action, like granting or withdrawing permission, is securely recorded on a blockchain ledger. A blockchain ledger is like a shared digital spreadsheet that exists simultaneously on many computers. 

Everyone has the same updated information, and no single person can change it without everyone else knowing.

This means that the records are tamper-proof and easy to track. Companies can only access data if the user explicitly allows it. This helps organizations meet the requirements of privacy regulations, like the General Data Protection Regulation (GDPR), while giving users greater control.

Furthermore, the blockchain’s distributed ledger supports transparency and accountability, while smart contracts — known as self-executing digital agreements — automatically enforce consent rules. These “if/then” rules trigger actions only when specific conditions are met.

For example, a smart contract could automatically block a marketing company from using your personal data if you withdraw consent, instantly removing their access rights. When you update your preferences, the contract immediately enforces your wishes, preventing unauthorized data usage without requiring manual intervention.

This system reduces human error and simplifies compliance by helping to ensure data access happens only when the user’s requirements are fulfilled.

Traditional consent management systems are like filing cabinets where a company stores user permissions. You, as a user, typically agree to terms by clicking “I accept,” and the company keeps track of your consent in its own database. These systems are straightforward but have limitations in both transparency and user control.

Blockchain consent management is more advanced. Imagine a shared, digital ledger where every consent decision is recorded in a way that everyone can see, and that can’t be easily changed except by the relevant party making the consent decisions. 

This gives individuals more visibility into how their data is being used, and prevents companies from secretly modifying or ignoring users’ permissions.

The key differences lie in control and transparency. Traditional consent systems rely on companies to manage and track user permissions. This does work, but can leave users with limited visibility into how their data is used. 

Blockchain consent gives the user more say in how their information is shared. Relevant parties — users, companies requesting the permissions, third parties needing access to the data for processing — can see exactly who has accessed the data, when, and for what purpose.

Security is another key difference. Traditional systems are centralized, meaning data is stored in one place and subject to one company’s security measures, which can make it more vulnerable to unauthorized access. 

In contrast, the blockchain distributes information across multiple secure networks. This reduces the risk of a single point of failure and makes it harder to compromise any user’s data.

Blockchain consent management has the power to reshape the way companies handle user permissions. It solves some of the issues found in traditional systems by combining secure technology with features that benefit both users and businesses.

Here’s why companies are adopting blockchain for consent management.

The blockchain distributes data across multiple nodes, which reduces the risks of breaches or system failures. Since consent records are stored permanently, they can’t be altered without detection. This helps keep data secure and builds trust.

Every consent action is recorded in the equivalent of a transparent ledger. This makes it easy for users and regulators to track compliance. Organizations can also use this record to demonstrate compliance with privacy laws like the GDPR. This transparency can foster trust and reduce disputes over data use.

Blockchain offers more user control and privacy

Blockchain enables users to control exactly what data they share, with whom, and for what purpose. This is foundational for Privacy-Led Marketing, which focuses on ethical and user-centered practices. For businesses, it means having access to more accurate, consent-driven data that improves the efficiency of marketing campaigns.

On blockchain, users can set detailed preferences, specifying which data points they share and who can access them. This level of control supports universal consent management by enabling users to manage permissions across multiple platforms. This helps businesses align their data use with user expectations and build stronger customer relationships.

Blockchain uses smart contracts for automation

Smart contracts automatically enforce consent rules based on user preferences. They restrict data access to agreed parameters, reducing compliance risks. This automation also makes consent-based marketing easier by streamlining permission management.

Blockchain enables businesses to verify user consent instantly. They can then use data according to the latest permissions, improving operational efficiency. As blockchain also supports Privacy-Led Marketing, companies can rely on verified first-party consent.


Blockchain consent management offers a secure, transparent way to control how your personal information is used. Instead of relying on vague agreements or hidden terms, blockchain consent records and enforces your choices, and makes them easy to track. Here’s how it works:

  1. When you grant permission for a company to use your data, your choices are securely recorded on the blockchain.
  2. This record acts like a digital ledger, shared across multiple computers. This makes it nearly impossible to alter that record without your knowledge.
  3. You can decide exactly what data to share and with whom, which offers more precision than simply clicking “I agree.”
  4. Smart contracts enforce your consent choices, maintaining compliance without manual oversight.
  5. Every time someone accesses your data, the access is logged on the blockchain, creating a transparent history you can check anytime.
  6. If you change your mind, you can easily update your permissions, and the system will automatically follow your new preferences.

This approach puts the user in control of their personal information while giving companies a straightforward way to prove they’re respecting their audience’s wishes.
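The six steps above, as an added example that is not part of the original article or any vendor's code: a hash-chained consent log with a default-deny "if/then" access rule and tamper detection. A single in-memory chain stands in for the distributed ledger, and the class, function names, keyed pseudonym and sample values are assumptions of this example.

```javascript
// Added example (not from the original article). A single in-memory hash chain
// stands in for the distributed ledger; all names and sample values are constructed.
const { createHash, createHmac } = require("node:crypto");

const GENESIS = "0".repeat(64);
const sha256 = (text) => createHash("sha256").update(text).digest("hex");

// Assumption: only a keyed pseudonym of the user ID is written to the ledger;
// the key and the personal data themselves stay off-chain.
function pseudonym(userId, offChainKey) {
  return createHmac("sha256", offChainKey).update(userId).digest("hex");
}

class ConsentLedger {
  constructor() {
    this.entries = [];
  }

  // Append one event, linked to the previous entry through its hash.
  append(subject, processor, purpose, action, timestamp) {
    const last = this.entries[this.entries.length - 1];
    const body = {
      index: this.entries.length,
      subject, processor, purpose, action, timestamp,
      prevHash: last ? last.hash : GENESIS,
    };
    const entry = { ...body, hash: sha256(JSON.stringify(body)) };
    this.entries.push(entry);
    return entry;
  }

  grant(subject, processor, purpose, ts) {
    return this.append(subject, processor, purpose, "grant", ts);
  }

  withdraw(subject, processor, purpose, ts) {
    return this.append(subject, processor, purpose, "withdraw", ts);
  }

  // The "if/then" rule: allowed only if the most recent grant/withdraw event
  // for this exact subject, processor and purpose is a grant. Default is deny.
  isAllowed(subject, processor, purpose) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      const e = this.entries[i];
      const isDecision = e.action === "grant" || e.action === "withdraw";
      if (isDecision && e.subject === subject &&
          e.processor === processor && e.purpose === purpose) {
        return e.action === "grant";
      }
    }
    return false;
  }

  // Every access attempt is evaluated against the rule and logged either way.
  requestAccess(subject, processor, purpose, ts) {
    const allowed = this.isAllowed(subject, processor, purpose);
    this.append(subject, processor, purpose,
                allowed ? "access-allowed" : "access-denied", ts);
    return allowed;
  }

  // Recompute every hash and link. Returns -1 if the chain is intact,
  // otherwise the index of the first entry that fails verification.
  verify() {
    let prev = GENESIS;
    for (let i = 0; i < this.entries.length; i++) {
      const { hash, ...body } = this.entries[i];
      const ok = body.index === i && body.prevHash === prev &&
                 sha256(JSON.stringify(body)) === hash;
      if (!ok) return i;
      prev = hash;
    }
    return -1;
  }
}

// Constructed scenario: grant, access, withdraw, access again, then an edit.
function runConsentDemo() {
  const ledger = new ConsentLedger();
  const user = pseudonym("user-1234", "constructed-off-chain-key");
  ledger.grant(user, "marketing-co", "email-campaigns", 1700000000);
  const beforeWithdraw = ledger.requestAccess(user, "marketing-co", "email-campaigns", 1700000100);
  const otherPurpose = ledger.requestAccess(user, "marketing-co", "profiling", 1700000150);
  ledger.withdraw(user, "marketing-co", "email-campaigns", 1700000200);
  const afterWithdraw = ledger.requestAccess(user, "marketing-co", "email-campaigns", 1700000300);
  const log = ledger.entries.map((e) => e.action);
  const intact = ledger.verify();
  ledger.entries[3].action = "grant"; // simulate a silent edit of the withdrawal
  const tamperedAt = ledger.verify();
  return { beforeWithdraw, otherPurpose, afterWithdraw, intact, tamperedAt, log };
}
```

Detection in `verify()` depends on other parties holding a copy of the chain or its latest hash; someone who controls the only copy can rewrite every later hash as well.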


Using blockchain for consent management can improve data control and security, but getting it right requires careful planning. Here are some best practices to keep in mind.

Start by identifying your organization’s specific consent requirements. Understand what types of data you manage and how consent is collected, stored, and used. Align these needs with your operational goals to help ensure the blockchain solution fits your processes.

Choose the right blockchain platform

Pick a platform that suits your company’s needs. Public blockchains like Ethereum offer transparency, but may not be suitable for sensitive data. Private blockchains, such as Corda — a popular option in the financial sector — provide more control and customization. This can be useful for compliance-heavy industries.

Confirm that it integrates with existing systems

Verify that the blockchain solution works well with your current systems to avoid operational disruptions. In addition, check that databases and interfaces can support blockchain’s distributed structure.

Provide user-friendly interfaces

The success of blockchain consent management depends on its usability. The system and its layout should be easy for your audience to use. This means creating simple dashboards where users can manage their data permissions. Work with user experience experts to design intuitive tools that simplify complex blockchain processes.

Educate stakeholders

Blockchain can be complex. Offer training sessions, workshops, or guides to help stakeholders understand its benefits. Clear communication builds trust and encourages adoption across your organization.

Use enhanced privacy tools

Employ technologies like encryption and zero-knowledge proofs to protect sensitive data stored on the blockchain. This keeps data secure while maintaining the transparency of the system.

Test and plan for scalability

Test the blockchain system thoroughly before rolling it out. Identify potential issues, such as slow performance or security risks. Plan for future growth by designing a system that can handle more users and transactions over time.

Implement smart contracts

Use smart contracts to automate blockchain consent management processes. These contracts can define terms, track permissions, and revoke access when needed. Make sure that the code is secure and reliable before deployment.

Continuously monitor and improve

Regularly review how the system performs and gather user feedback. Based on new data privacy regulations, implement mechanisms for users to easily adjust their consents and opt out when necessary. Make updates as needed to improve functionality and address issues that arise over time.

As data privacy laws tighten worldwide, many companies are seeking simpler ways to stay compliant. Blockchain consent management offers a solution that enhances compliance without disrupting operations.

Different regulations have unique requirements. Here’s how blockchain can address the specific demands of global data privacy laws.

The GDPR in the European Union sets high standards for data privacy. It emphasizes user consent and control over personal data. Blockchain technology aligns with several GDPR principles, including data minimization, transparency, and accountability. 

Blockchain technology provides a secure and transparent way for organizations to keep records of consent transactions. Once recorded, these records cannot be changed, making them resistant to tampering. This helps organizations easily track and prove compliance with regulatory requirements.

However, the GDPR also presents challenges that blockchain technology does not address. The regulation’s “right to be forgotten” requirement conflicts with blockchain because its records cannot be easily changed or deleted. To solve this, many companies use hybrid solutions. This typically means keeping personal data outside the blockchain while storing only consent-related information on it. 

Data privacy laws across the US

The United States does not have a single federal privacy law equivalent to the GDPR. However, state-level regulations like the California Consumer Privacy Act (CCPA), now amended by the California Privacy Rights Act (CPRA), introduced requirements for user consent and data control. Blockchain-based consent management systems could offer a tamper-proof record of user permissions, enabling businesses to demonstrate compliance with the CCPA’s requirements for data collection, deletion, and opt-out requests.

PIPEDA and blockchain in Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada emphasizes the importance of user consent for data collection and processing. Blockchain can support PIPEDA’s principles of accountability and individual access by offering a decentralized and user-centric consent management system.

LGPD compliance and blockchain in Brazil

Brazil’s General Data Protection Law (LGPD) closely mirrors the GDPR in its approach to data privacy. It mandates that personal data processing must be based on consent or other legal grounds, and individuals have the right to access, correct, and delete their data.

Blockchain technology can support a company’s efforts to be LGPD-compliant by providing transparency and security in consent management. However, as with the GDPR, blockchain’s permanent nature makes it difficult to delete data upon request. To comply with the law, companies may need to use off-chain solutions.

Data privacy regulations in Asia

Privacy regulations throughout Asia, such as Japan’s Act on the Protection of Personal Information (APPI) and China’s Personal Information Protection Law (PIPL), impose strict requirements on data handling and user consent. 

In Japan, organizations must obtain clear user consent before processing personal data, and blockchain can provide a transparent and auditable method to record such consent. 

In China, the PIPL mandates strict data localization requirements. This means that blockchain consent solutions must support compliance by storing consent data in approved locations while maintaining operational efficiency.

At this point, blockchain may appear to be a promising solution for consent management. However, despite its potential, several challenges must be addressed within the technology before it can become a practical option for businesses.

Wrapping up: Blockchain’s role in compliance

Blockchain consent management isn’t a cure-all for data privacy challenges. Still, it does offer a practical solution for improving transparency, security, and user control. By addressing some limitations in traditional systems, it helps businesses navigate privacy regulations while respecting user preferences.

Its implementation, however, requires careful planning and some technical know-how. But as technology and data privacy regulations evolve, blockchain may play a role in shaping better data practices.

Accessible design is just as important online as it is in the physical world to ensure as many people as possible can work, play, learn, and feel included. But who decides what reasonable digital accessibility looks like and how to achieve it?

That’s what the Web Content Accessibility Guidelines (WCAG), published by the Web Accessibility Initiative (WAI) of the World Wide Web Consortium (W3C), are meant to accomplish. The most recent version, WCAG 2.2, was released in October 2023.

We look at the importance of digital accessibility, how businesses can achieve and maintain it, and how it dovetails with consent management. We’ll also dig into how accessibility standards and requirements are evolving with changes in the law and societal expectations. And we’ll explore the WCAG 2.2 specifically — with its highlights and implications for design and development of websites and apps.

Why digital accessibility matters

Digital spaces and tools have become essential for how many people around the world learn, work, create, socialize, and more. We have standards and tools to ensure that as many websites and apps as possible work well with the most systems and devices.

Similarly, we have accessibility standards and legal frameworks to ensure that as many websites and apps as possible work for the largest number of people, regardless of their abilities or accommodation needs.

The World Health Organization (WHO) estimates that about one in six people, about 1.3 billion of us, will experience significant disability in our lifetimes, which is a very large audience to potentially exclude from equity and access online, not to mention a large potential customer base.

A lack of digital accessibility can prevent people from getting educated and staying informed, earning an income, and being a part of social groups. Digital accessibility standards and requirements address and provide accommodation for a variety of physical, cognitive, and other disabilities.

By implementing and maintaining digital accessibility standards, we can help to ensure that online spaces are more fair and welcoming for everyone. While ideally all websites and apps would be designed and maintained using accessibility best practices, in this as in many things, regulation is required to ensure standards are met and maintained. We will look at legal pressures and laws that have been applied to improve digital accessibility, as well as the standards themselves and their evolution.

What is the WCAG 2.2?

WCAG 2.2 is the latest version of the Web Content Accessibility Guidelines recommendations, released in October 2023. The most recent updates to this version came out December 12, 2024. The recommendations build on WCAG 2.0 and 2.1.

WCAG 2.2 addresses accessibility considerations for people with motor disabilities, cognitive and learning disabilities, and low vision. It introduces additional success criteria for web developers, like simplified navigation and text that is easy to understand, to improve accessibility and inclusivity.

There is also a focus on improving consistency of experience across websites, especially for those using assistive technologies. WCAG 2.2 also refines the existing guidelines for clarity and to make implementation easier.

What are the key updates with WCAG 2.2?

The key updates include guidelines with a focus on user customization, reduced reliance on memory, refinements to existing criteria, and new success criteria.

Focus on user customization

This update stresses the importance of enabling users to customize their content experience, making adjustments to text sizes, fonts, colors, and other elements to better meet their needs.

Reduced reliance on memory

This update aims to ensure that users don’t have to remember information across multiple pages. This is particularly meant to assist users with cognitive disabilities who may have difficulty recalling previous actions or interactions, or information they obtained from elsewhere on a website.

Refining existing criteria

These include refinements to existing success criteria from WCAG 2.0 and 2.1 to improve clarity and applicability.

WCAG 2.2 new success criteria

New success criteria in WCAG 2.2 aim to improve accessibility for people with cognitive impairments and motor disabilities.

Accessibility laws and WCAG 2.2 compliance

Around the world there are a variety of laws to protect people with disabilities, enforce their rights, and facilitate their equitable participation in society. We look at some regulations that are relevant to digital accessibility and with connections to the WCAG.

Americans with Disabilities Act (ADA)

The Americans with Disabilities Act (ADA) is a federal civil rights law enacted in the United States in 1990 to protect American citizens with disabilities from discrimination. It is divided into five sections:

In April 2024, the Department of Justice updated its regulations for Title II, publishing the Web & Mobile Application Accessibility Rule, which sets technical requirements for state and local governments to follow to ensure that their websites and mobile apps are accessible to people with disabilities.

The ADA doesn’t explicitly reference the WCAG or directly influence the recommendations, but both have similar goals and are updated to reflect changes in the digital landscape to improve accessibility.

Section 508 of the Rehabilitation Act

The Rehabilitation Act of 1973 is a federal law in the United States, and was the first major civil rights law there addressing the needs of people with disabilities. It aims to ensure that individuals with disabilities have equal access to opportunities in public life, such as education, employment, and public services.

Section 508 of the Rehabilitation Act is an amendment from 1998 that requires federal agencies to make their electronic and information technology accessible to people with disabilities. This includes websites, documents, printers or other hardware interfaces like TVs, and desktop or mobile software.

As of June 28, 2025, all businesses will have to be fully compliant with the Act’s accessibility requirements, and enforcement with potential penalties for noncompliance will begin.

EU Web Accessibility Directive

The EU Web Accessibility Directive (WAD) is an EU-wide law that came into force in 2021 to address digital accessibility for websites and mobile apps of public sector bodies and ensure that websites and mobile apps are accessible to people with disabilities.

To ensure a consistent definition of accessibility, the WAD is supported by a harmonized technical standard. Websites or mobile apps that meet all the applicable technical requirements in the standard are assumed to be compliantly accessible under the WAD. The standard has been based on the WCAG 2.1 and the WAD has a specific focus on WCAG 2.1 Level AA compliance. It’s expected that the WAD will be updated to align with the WCAG 2.2.

We believe that privacy is a human right, as is choice. It’s also codified by an increasing number of laws around the world. This is why it’s important for consent management platforms (CMP) to implement and maintain accessibility standards.

A CMP with poor accessibility excludes users with disabilities, which can be a legal violation in addition to bad user experience that alienates audiences and can negatively impact your business’s reputation.

If a user can’t easily access or read legally required notifications about what data your business collects, why it’s processed, and what their rights are and how to exercise them, legally can their consent be considered informed? If a user can’t easily express choices about what cookie uses they consent to, legally can their consent be considered explicit under laws like the GDPR?

Beyond questions of consent, delivering a worse website experience for some users could be construed as discriminatory, violating requirements of various laws meant to protect users with disabilities.

In addition to legal issues, poor accessibility sends a loud, clear message that your website or app — and by extension, your company — doesn’t care about a substantial audience or their privacy rights, and doesn’t want them as visitors or customers. If a company doesn’t care about that, users may wonder what other legal requirements a company is ignoring or corners they might be cutting.

In some cases, such a lack of accessibility would be a clear signal for people to take their engagement, personal data, and wallets elsewhere. In other cases, there may not be other options, and users would be prevented from doing important things online or exercising their legal rights to privacy and choice.

As outlined above, CMPs need to address a diverse set of needs, whether it’s reducing the cognitive load of navigation, making buttons easy to read and click, or providing a well integrated experience for users relying on assistive technologies. Delivering on these workflows and functions shows attention to detail, respect for the law, care for your audience, and builds trust.

How a WCAG 2.2-qualified CMP like Usercentrics CMP works

Usercentrics is WCAG 2.2 AA certified for the Web CMP, and working toward certification for Usercentrics App CMP. In addition to our websites, our CMP products meet digital accessibility standards. These include following accessible design principles for user interfaces and consent workflows; testing to ensure compatibility and interoperability with assistive technologies like voice control or screen readers; and flexible, user-friendly interfaces with focus management and enhanced keyboard navigation.

International data privacy laws require that users have easy access to clear notifications about what data is collected, how it’s used, who it may be shared with, and other factors, including what users’ rights are and how to exercise them. To meet digital accessibility standards users with disabilities need to be able to easily find, navigate to, and read or listen to this information in consent banners.

Once informed, users with disabilities need to be able to make choices to accept use of all cookies, some cookies for specific purposes, or deny all but essential cookie use. This requires them to be able to easily find, navigate to, and perform explicit actions like clicking a button or moving a toggle or slider. Many laws also require them (and all users) to be able to return to that functionality to change their consent preferences in the future.

Individuals with disabilities need to be able to access this information and complete these functions as easily as all other users, for all relevant interfaces, including websites, apps, and other connected platforms.

Companies banking on continued growth need to prioritize digital accessibility standards for audiences of all abilities and in all jurisdictions. European users with disabilities need the same access to manage granular consent under the GDPR as users in California do to opt out of the sharing or sale of their personal data, even if they don’t have to provide prior consent in most cases.

Usercentrics Web CMP and App CMP meet WCAG standards to enable your business to provide users with disabilities with an equal and user-friendly website or app experience to get informed about consent and exercise their choices. Meet data privacy and accessibility regulatory requirements, provide great user experience, and build long-term trust with your audience.

Google Analytics is a powerful tool for understanding website performance, user behavior, and traffic patterns. However, its compliance with the General Data Protection Regulation (GDPR) has been a subject of concern and controversy, particularly in the European Union (EU). The data protection authorities of several European Union (EU) countries have weighed in on privacy compliance issues with Google Analytics, with similar complaints that focus on its insufficient protections and data transfer practices.

In this article, we’ll examine the timeline of EU-US data transfers and the law, the relationship between Google Analytics and data privacy, and whether Google’s popular service is — or can be — GDPR-compliant.

Google Analytics and data transfers between the EU and US

One of the key compliance issues with Google Analytics is its storage of user data, including EU residents’ personal information, on US-based servers. Because Google is a US-owned company, the data it collects is subject to US surveillance laws, potentially creating conflicts with EU privacy rights.

The EU-US Privacy Shield was invalidated in 2020 with the Schrems II ruling, and there was no framework or Standard Contractual Clauses (SCC) in place for EU to US data transfers until September 2021 when new SCCs were implemented. These were viewed as a somewhat adequate safeguard if there were additional measures like encryption or anonymization in place to make data inaccessible by US authorities.

A wave of rulings against Google Analytics after the invalidation of the Privacy Shield

The Schrems II ruling sparked a series of legal issues and decisions by European Data Protection Authorities (DPAs), which declared the use of Google Analytics as noncompliant with the GDPR.

A week before the Austrian ruling, the European Data Protection Supervisor (EDPS) sanctioned the European Parliament for using Google Analytics on its COVID testing sites due to insufficient data protections. This is viewed as one of the earliest post-Schrems II rulings and set the tone for additional legal complaints.

The EU-U.S. Data Privacy Framework

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, which covers data transfers among the EU, European Economic Area (EEA) and the US in compliance with the GDPR.

The framework received some criticism from experts and stakeholders. Some privacy watchdogs, including the European Data Protection Board (EDPB), pointed out striking similarities between the new and the previous agreements, raising doubts about its efficacy in protecting EU residents’ data.

As of early 2025, the EU-U.S. Data Privacy Framework and adequacy for EU/U.S. data transfers are in jeopardy. President Trump fired all of the Democratic party members of the Privacy and Civil Liberties Oversight Board (PCLOB). As a result, the number of PCLOB board members is below the threshold that enables the PCLOB to operate as an oversight body for the EU-U.S. Data Privacy Framework.

This action will likely undermine the legal validity of the Framework for EU authorities, particularly the courts. The EU Commission could withdraw its adequacy decision for the EU-U.S. Data Privacy Framework, which would invalidate it. The Court of Justice of the EU (CJEU) could also overturn the Commission’s adequacy decision following a legal challenge. The last option is how the preceding agreements to the Framework were struck down, e.g. with Schrems II. 

Should the EU-U.S. Data Privacy Framework be struck down, it could have significant effects on data transfers, cloud storage, and the function of platforms based outside of the EU, like those from Google, including Analytics. At the very least, Google may be required to make further changes to the function of tools like Google Analytics, along with related data storage, to meet European privacy standards.

Google Analytics GDPR compliance?

Google Analytics 4 has several significant changes compared to Universal Analytics. The new version adopts an event-based measurement model, contrasting the session-based data model of Universal Analytics. This shift enables Google Analytics 4 to capture more granular user interactions, better capturing the customer journey across devices and platforms. Website owners can turn this off to stop it from collecting data such as city or latitude or longitude, among others. Website owners also have the option to delete user data upon request.

Another notable feature is that Google Analytics 4 does not log or store IP addresses from EU-based users. According to Google, this is part of Google Analytics 4’s EU-focused data and privacy measures. This potentially addresses one of the key privacy concerns raised by the Data Protection Authorities, which found that anonymizing IP addresses was not an adequate level of protection.

The EU-U.S. Data Privacy Framework alone doesn’t make Google Analytics 4 GDPR-compliant. The framework can make data transfers to the US compliant, if they are with a certified US company, but the onus is on website owners to ensure that the data was collected in compliance with the legal requirements of the GDPR in the first place.

How to make Google Analytics GDPR compliant

All Google Analytics cookies should be set up and controlled so they only activate after users have granted explicit consent. Users should also have granular control so that they can choose to allow cookies for one purpose while rejecting cookies for another.

A consent management platform (CMP) like Usercentrics can enable blocking of the activation of services until user consent has been obtained. Google Analytics couldn’t transfer user data because it would never have collected it.

Google Consent Mode allows websites to dynamically adjust the behavior of Google tags based on the user’s consent choices regarding cookies. This feature ensures that measurement tools, such as Google Analytics, are only used for specific purposes if the user has given their consent, even though the tags are loaded onto the webpage before the cookie consent banner appears. By implementing Google Consent Mode, websites can modify the behavior of Google tags after the user allows or rejects cookies so that it doesn’t collect data without consent.
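An added example of the flow described above (not code from the original article or from Google): every signal defaults to denied before the banner is answered, and the user's granular choices are then translated into a Consent Mode update. The CMP category names `statistics` and `marketing` and the helper function names are assumptions; the `consent` `default`/`update` commands and the four consent type names are Consent Mode's own.

```javascript
// Added example (not from the original article or Google's documentation).
// In a page this would be window.dataLayer and the standard gtag() shim;
// a local array is used here so the example also runs under Node.
const dataLayer = [];
function gtag() {
  dataLayer.push(arguments);
}

const SIGNALS = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];

// Hypothetical CMP categories mapped to the Consent Mode types they control.
const CATEGORY_TO_SIGNALS = {
  statistics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Every signal starts as denied; nothing is granted implicitly.
function deniedState() {
  return Object.fromEntries(SIGNALS.map((s) => [s, "denied"]));
}

// Translate the user's per-category choices into Consent Mode signals.
// Only a strict boolean true grants; missing, unknown or string values stay denied.
function toConsentState(choices) {
  const state = deniedState();
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    if (choices && choices[category] === true) {
      for (const s of signals) state[s] = "granted";
    }
  }
  return state;
}

// Call this before any Google tag runs, so tags that load ahead of the
// banner start in the denied state.
function setConsentDefaults() {
  gtag("consent", "default", deniedState());
}

// Call this from the CMP callback once the user accepts or rejects,
// and again whenever they later change their preferences.
function applyUserChoices(choices) {
  const state = toConsentState(choices);
  gtag("consent", "update", state);
  return state;
}
```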

Website operators must provide clear, transparent data processing information for users on the website. This information is included in the privacy policy. Information related specifically to cookies should be provided in the cookie policy, with details of the Google Analytics cookies and other tracking technologies that are used on the site, including the data collected by these cookies, provider, duration and purpose. The cookie policy is often a separate document, but can be a section within the broader privacy policy.

The GDPR requires user consent to be informed, which is what the privacy policy is intended to enable. To help craft a GDPR-compliant privacy policy, extensive information on the requirements can be found in Articles 12, 13 and 14 GDPR.

4. Enter into a Data Processing Agreement with Google

A data processing agreement (DPA) is a legally binding contract and a crucial component of GDPR compliance. The DPA covers important aspects such as confidentiality, security measures and compliance, data subjects’ rights, and the security of processing. It helps to ensure that both parties understand their responsibilities and take appropriate measures to protect personal data. Google has laid down step-by-step instructions on how to accept its DPA.

Can server-side tracking make Google Analytics more privacy-friendly?

Server-side tracking allows for the removal or anonymization of personally identifiable information (PII) before it reaches Google’s servers. This approach can improve data accuracy by circumventing client-side blockers, and it offers a way to better align with data protection regulations like the GDPR. By routing data through your own server first, you gain more control over what eventually gets sent to Google Analytics.
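One way to do the PII removal step on your own server before anything is forwarded, as an added example that is not code from Usercentrics or Google. The event shape, field names and allowlists are constructed for illustration and are not the GA4 wire format; the point is that an allowlist drops unexpected fields by default, where a denylist would let them through.

```javascript
// Allowlists (assumed field names): anything not listed is never forwarded.
const ALLOWED_FIELDS = ['event_name', 'timestamp', 'page_url', 'params'];
const ALLOWED_PARAMS = ['page_title', 'currency', 'value', 'item_count'];

const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Mask e-mail addresses that leak into free-text values such as page titles.
function redact(value) {
  return typeof value === 'string' ? value.replace(EMAIL_RE, '[redacted]') : value;
}

// Keep scheme, host and path only. Query strings and fragments routinely carry
// e-mail addresses, session tokens and click identifiers.
function stripUrl(url) {
  try {
    const u = new URL(url);
    return redact(u.origin + u.pathname);
  } catch (e) {
    return null; // unparseable input is dropped rather than forwarded as-is
  }
}

// Returns the minimized event plus the list of dropped keys for an audit log.
function sanitizeEvent(raw) {
  const event = {};
  const dropped = [];
  for (const [key, value] of Object.entries(raw)) {
    if (!ALLOWED_FIELDS.includes(key)) {
      dropped.push(key);
    } else if (key === 'page_url') {
      event.page_url = stripUrl(value);
    } else if (key === 'params') {
      event.params = {};
      for (const [p, v] of Object.entries(value || {})) {
        const scalar = typeof v === 'string' || typeof v === 'number';
        if (ALLOWED_PARAMS.includes(p) && scalar) event.params[p] = redact(v);
        else dropped.push('params.' + p);
      }
    } else {
      event[key] = redact(value);
    }
  }
  return { event, dropped };
}

// Constructed sample of what a browser might send to the first-party endpoint.
const SAMPLE_EVENT = {
  event_name: 'purchase',
  timestamp: 1735689600,
  client_ip: '203.0.113.7',
  user_agent: 'ExampleBrowser/1.0',
  email: 'jane@example.com',
  page_url: 'https://shop.example/checkout/done?email=jane%40example.com&token=abc123#receipt',
  params: {
    page_title: 'Thanks, jane@example.com!',
    value: 49.9,
    currency: 'EUR',
    phone: '+41 00 000 00 00',
    nested: { a: 1 },
  },
};
```

Log the `dropped` list (keys only, never values) so that a new field appearing in client payloads is noticed and reviewed instead of silently forwarded or silently lost.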

Impact of the Digital Markets Act on Google Analytics 4


The implementation of the Digital Markets Act (DMA) has had some impact on Google Analytics 4, affecting functions, data collection practices, and privacy policies. Website owners who use the platform have been encouraged to take the following steps for ongoing compliance.

  1. Audit your privacy policy, cookies policy and data practices.
  2. Conduct a data privacy audit to check compliance with GDPR, and take any corrective steps if necessary.
  3. Install a CMP that enables GDPR compliance to obtain valid user consent per the regulation’s requirements.
  4. Seek advice from qualified legal counsel and/or a privacy expert, like a Data Protection Officer, on measures required specific to your business.

How to use Google Analytics 4 and achieve GDPR compliance with Usercentrics CMP

To meet the conditions of Art. 7 GDPR for valid user consent, website operators must obtain explicit end-user consent for all Google Analytics cookies set by the website. Consent must be obtained before these cookies are activated and in operation. Usercentrics’ DPS Scanner helps identify all cookies and tracking services in use on a website and communicate them to users, so that consent options cover all of them.

Next steps with Google Analytics and Usercentrics

Google Analytics helps companies pursue growth and revenue goals, so understandably, businesses are caught between not wanting to give that up, but also not wanting to risk GDPR violation penalties or the ire of their users over lax privacy or data protection.

The Usercentrics team closely monitors regulatory changes and legal rulings, makes updates to our services and posts recommendations and guidance as appropriate. 

However, website operators should always get relevant legal advice from qualified counsel regarding data privacy, particularly in jurisdictions relevant to them. This includes circumstances where there could be data transfers outside of the EU to countries without adequacy agreements for data privacy protection.

As the regulatory landscape and privacy compliance requirements for companies are complex and ever-changing, we’re here to help.

The Interactive Advertising Bureau (IAB) launched the Global Privacy Platform (GPP) in 2022, a project of, and part of the portfolio of solutions from, the IAB Tech Lab’s Global Privacy Working Group. The GPP is the result of significant collaboration among industry stakeholders, including leading tech companies and tech experts around the world.

In line with aspects of the evolution of data privacy, the GPP enables streamlined transmission of signals from websites and apps to ad tech vendors and advertisers. This includes consent, preferences, permissions, and other relevant and often legally required information that affects data handling tools and processing. We look at how this tool can benefit publishers as data privacy compliance requirements expand and evolve, especially across digital marketing platforms.

What is the Global Privacy Platform (GPP)?

The GPP provides a framework for publishers that works similarly to the TCF or Google Consent Mode. Where Consent Mode signals consent information to Google services’ tags to control use of cookies and trackers, the GPP is a protocol that enables simple and automated communication of users’ consent and preference choices via a signal to third parties like ad tech vendors. 

The GPP enables advertisers, publishers, and technology vendors in the digital advertising industry to adapt to regulatory demands over time and across markets. It employs a GPP String, which encapsulates and encodes transparency details and consumer choices (like granular consent) as applicable to each region, helping enable compliance with privacy requirements by jurisdiction.

How does the GPP signal work?

Digital property owners, like companies running websites or apps, are responsible for generating, transmitting, and documenting the GPP String and the information it sends. This enables data integrity and contributes to compliance.

Usercentrics CMP generates and manages the GPP String in an HTTP-transferable and encoded format. Ad tech vendors receive user choice information for consent and preferences, and can decode the GPP String to determine compliance requirements and status for each user. 
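What a receiving vendor does first with such a string, as an added example that is not Usercentrics or IAB code: decode the header to learn which regional sections follow. It assumes the header layout published in the IAB Tech Lab GPP specification (6-bit type equal to 3, 6-bit version, then a Fibonacci-coded range of section IDs, all base64url-encoded, with sections separated by `~`); the sample strings in the comments and the short ID-to-name table are constructed or partial and should be checked against the current specification.

```javascript
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const MAX_SECTIONS = 64; // guard: a hostile header must not trigger a huge loop

// Partial section registry (assumption: subset only, unknown IDs stay 'unknown').
const SECTION_NAMES = { 2: 'tcfeuv2', 5: 'tcfcav1', 6: 'uspv1', 7: 'usnat', 8: 'usca' };

// Expand each base64url character into its 6-bit group.
function toBits(b64) {
  let bits = '';
  for (const ch of b64) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character in GPP header');
    bits += v.toString(2).padStart(6, '0');
  }
  return bits;
}

// Cursor over the bit string with bounds checks on every read.
function bitReader(bits) {
  let pos = 0;
  return {
    int(n) {
      if (pos + n > bits.length) throw new Error('GPP header truncated');
      const v = parseInt(bits.slice(pos, pos + n), 2);
      pos += n;
      return v;
    },
    // Fibonacci coding: bit i adds the i-th term of 1, 2, 3, 5, 8, ...
    // and two consecutive 1 bits terminate the number.
    fib() {
      let a = 1, b = 2, value = 0, prev = 0;
      for (;;) {
        const bit = this.int(1);
        if (bit && prev) return value;
        if (bit) value += a;
        prev = bit;
        [a, b] = [b, a + b];
      }
    },
  };
}

// Example input (constructed): 'DBACNYA~tcf-body-placeholder~1YNN'
function decodeGppHeader(gppString) {
  if (typeof gppString !== 'string' || gppString.length === 0) {
    throw new Error('empty GPP string');
  }
  const [header, ...bodies] = gppString.split('~');
  const r = bitReader(toBits(header));
  const type = r.int(6);
  if (type !== 3) throw new Error('not a GPP header, type ' + type);
  const version = r.int(6);
  const count = r.int(12);
  if (count > MAX_SECTIONS) throw new Error('too many range items');
  const ids = [];
  let last = 0;
  for (let i = 0; i < count; i++) {
    const isRange = r.int(1) === 1;
    const start = last + r.fib();             // offset from the previous ID
    const end = isRange ? start + r.fib() : start;
    if (ids.length + (end - start + 1) > MAX_SECTIONS) throw new Error('too many sections');
    for (let id = start; id <= end; id++) ids.push(id);
    last = end;
  }
  // A header that disagrees with the payload is rejected, not best-effort parsed.
  if (ids.length !== bodies.length) {
    throw new Error('header lists ' + ids.length + ' sections, string carries ' + bodies.length);
  }
  return {
    version,
    sections: ids.map((id, i) => ({ id, name: SECTION_NAMES[id] || 'unknown', body: bodies[i] })),
  };
}
```

Treat a string that fails to decode as carrying no usable consent signal rather than falling back to a permissive default.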

The format’s flexibility enables granular regulatory coverage, e.g. state-specific strings for US states where data privacy laws are in effect. The GPP covers 15 states as of early 2025, and five more are expected to get coverage this year. Country and regional strings, such as those for the US and EU, are also supported, as are non-geographic signals like those from Global Privacy Control. These signals are browser-based, and to date only some laws require recognizing them.

The GPP is designed to evolve as the data privacy and regulatory landscape does, not requiring significant redevelopment when requirements change. The IAB Tech Lab’s Global Privacy Working Group handles the ongoing work of the GPP’s technical specification.

Why do publishers and others in ad tech need the GPP?

The majority of the world’s population is now covered by at least one data privacy law. Some regions, like the European Union, have multiple laws that intersect in various ways. Additionally, these regulations affect major tech platforms, which are adopting more stringent requirements for their customers to enable privacy-compliant ecosystems. This has significant effects on digital advertising, as major players like Google and Facebook adapt their operations and requirements. 

Additionally, in the United States, there isn’t one federal law to comply with. To date the data privacy laws are state-level, so a company could have to comply with one or ten or more as the regulatory landscape continues to evolve. However, many of these US regulations are fairly similar, which does support the “US National” signaling approach. Companies need tools, like a consent management platform and the Global Privacy Platform, designed to evolve with changes and expansion in regulations.

The GPP is designed for flexibility and scalability. It supports all current privacy signals and will be able to support future ones as new laws are passed and existing ones evolve. The architecture is designed to grow with companies’ operations, enabling publishers to better respect users’ privacy choices and more effectively signal them to vendors and partners.

Does the GPP affect the TCF?

The GPP isn’t the IAB’s first framework for publishers and ad tech. The Transparency & Consent Framework (TCF) was launched in 2018, the same year the EU’s General Data Protection Regulation (GDPR) came into effect. As of 2024, the TCF is now at version 2.2.

The GPP is designed to better meet the needs of publishers that need to signal consent across multiple jurisdictions, as many companies doing business around the world — or across the United States — need to do.

The plan is to ensure that updates made to the TCF over time are also reflected in the GPP, giving companies the best tools to achieve and maintain compliance with their digital advertising operations. Eventually, the goal is for the Global Privacy Platform — as the name suggests — to be the single framework for consent and preference signaling.

In Europe and the UK, Google will continue to use the TCF and will not be accepting the GPP signal. Using Ad Manager will still require the use of a certified consent management platform integrated with the TCF. TCF strings sent through the GPP won’t be accepted.

What is the multi-state privacy agreement (MSPA) and how does the GPP affect it?

The Multi-State Privacy Agreement (MSPA) is an industry-centric contractual framework for companies doing business in the US, which covers 19 states as of early 2025. It’s meant to “aid advertisers, publishers, agencies, and ad tech intermediaries in complying with five state privacy laws.” The IAB Tech Lab is prioritizing updates to MSPA/US National before providing further state-specific strings, though that’s expected later in 2025. 

The MSPA evolved from the IAB’s Limited-Service Provider Agreement (LSPA) from 2020, which initially focused on CCPA/CPRA compliance. The evolution has focused on legal standards, protecting consumers’ privacy rights, and working with the GPP (including the specific privacy strings for each state). The MSPA is also designed for flexibility and scalability as US data privacy challenges become more complex.

The Global Privacy Platform currently supports various privacy signals around the world, both for their own frameworks and external ones. Some US state-level data privacy laws require recognizing a universal opt-out mechanism like Global Privacy Control, but not all of them.

GPP and international privacy laws

The Global Privacy Platform was designed to address the increasing complexity of data privacy regulation and requirements. Many companies do business across international jurisdictions and have many partners and vendors that they work with. This is only going to increase.

GPP and the GDPR

Europe has led the way in modern data privacy with the GDPR, TCF, and other relevant regulations and frameworks. It was the IAB Europe that brought the TCF to the market, and the GPP supports the EU TCF v2 signal. As noted, Google does not currently support the TCF via the GPP, so until industry adoption changes, this implementation isn’t recommended.

One of the main goals of the TCF was to help organizations meet GDPR compliance requirements, and the GPP is meant to extend this mandate.

GPP and PIPEDA

In Canada data privacy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2000, and a lot has changed since then. There are a number of requirements in PIPEDA and Quebec’s Law 25 that the GPP helps with, and the Platform already does support the CA TCF signal. Here are some of the benefits.

GPP and US privacy laws

The patchwork of data privacy laws and requirements in the US was a major factor in building out the Global Privacy Platform. As of the end of 2024, 21 data privacy laws have been passed by US state-level governments, which can introduce a lot of complexity into doing business. 

The IAB Tech Lab created the US Privacy Specifications, which have been used to support the CCPA Compliance Framework. However, a lot more laws have been passed since the CCPA came into effect. As of 2023, the US Privacy Specifications are not being updated, and have been replaced by state-specific privacy strings available via the GPP.

However, IAB MSPA US National also provides a national approach to privacy compliance with state-level laws by utilizing the highest standard. 

Additionally, the GPP is designed to evolve and scale with further data privacy regulatory requirements in the US, and to enable companies to manage consent and preferences with vendor relations in a streamlined way. This will also be relevant as more and more platforms evolve their data privacy requirements.

How Usercentrics supports the Global Privacy Platform

Usercentrics currently supports the GPP and is working toward additional regulatory coverage. Direct support from the Consent Management Platform’s Admin Interface is also being developed, along with further enhancements. 

The Usercentrics CMP integrates with the GPP and generates the necessary GPP string to signal consent information.

Companies serving Google ads in the EU, EEA, or UK also continue to need a Google-certified CMP like Usercentrics CMP, which comes with the TCF v2.2 integrated, since, as noted, Google will continue to only support this format and is not accepting TCF strings sent through the GPP.

As complexity and requirements for data privacy continue to evolve, and as individuals become more invested in their privacy and choice, it’s never been more important to invest in reliable, scalable tools to obtain, manage, and signal valid consent — in every region where you do business. It’s becoming a key competitive advantage to grow trust and revenue.

As more and more digital platforms adapt to regulatory requirements as well, your company’s international advertising operations will increasingly depend on how well you’ve implemented consent and preference management with tools like Usercentrics CMP and the Global Privacy Platform. The era of Privacy-Led Marketing is here, and Usercentrics has the tools to help you embrace it and grow with confidence.

2024 saw the number of new data privacy regulations continue to grow, especially in the United States. It also saw the effects of laws passed earlier as they came into force and enforcement began, like with the Digital Markets Act (DMA). But perhaps the biggest impact of data privacy in 2024 was how quickly and deeply it’s become embedded in business operations.

Companies that may not have paid a lot of attention to regulations have rapidly changed course as data privacy requirements have been handed down by companies like Google and Facebook. The idea of “noncompliance” stopped being complicated yet nebulous and became “your advertising revenue is at risk.”

We expect this trend of data privacy becoming a core part of doing business to continue to grow through 2025 and beyond. More of the DMA’s gatekeepers and other companies are likely to ramp up data privacy and consent requirements throughout their platform ecosystems and require compliance from their millions of partners and customers. Let’s not forget that data privacy demands from the public continue to grow as well.

We also expect to see more laws that include or dovetail with data privacy as they regulate other areas of technology and its effect on business and society. AI is the biggest one that comes to mind here, particularly with the EU AI Act having been adopted in March 2024. Similarly, data privacy in marketing will continue to influence initiatives across operations and digital channels. Stay tuned to Usercentrics for more about harnessing Privacy-Led Marketing.

Let’s peer into the future and look at how the data privacy landscape is likely to continue to evolve in the coming year, where the best opportunities for your company may lie, and what challenges you should plan for now.

2025 in global data privacy regulation

For the last several years, change has been the only constant in data privacy regulation around the world. Gartner predicted that 75 percent of the world’s population would be protected by data privacy law by the end of 2024. Were they right?

According to the International Association of Privacy Professionals (IAPP), as of March 2024, data privacy coverage was already close to 80 percent. So the prediction had been exceeded even before we were halfway through the year.

“By our count, 137 countries now have national data privacy laws. This means 70% of nations worldwide, 6.3 billion people or 79.3% of the world’s population is covered by some form of national data privacy law.”
— IAPP staff

Data privacy regulation in the United States

The United States passed a record number of state-level data privacy regulations in 2024, with Kentucky, Maine, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island, and Vermont coming on board to bring the number of state-level US data privacy laws to 21. By contrast, six states passed laws in 2023, which was a record at the time.

The privacy laws in Florida, Montana, Oregon, and Texas went into effect in 2024. The privacy laws in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee go into effect in 2025.

Since the majority of US states still don’t have data privacy regulations, more of these laws are likely to be proposed, debated, and (at least sometimes) passed. It will be interesting to see if certain states that have wrangled with privacy legislation repeatedly, like Washington, will make further progress in that direction.

April 2024 saw the release of a discussion draft of the American Privacy Rights Act (APRA), the latest federal legislation in the US to address data privacy. It made some advances during the year, with new sections added addressing children’s data privacy (“COPPA 2.0”), privacy by design, obligations for data brokers, and other statutes. However, the legislation has not yet been passed, and with the coming change in government in January 2025, the future of APRA is unclear.

Data privacy regulation in Europe

The European Union continues to be at the forefront of data privacy regulation and working to keep large tech platforms in check. Two recent regulations, particularly, will continue to shape the tech landscape for some time.

The Digital Markets Act (DMA) and its evolution

With the Digital Markets Act in effect, the first six designated gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft) had to comply as of March 2024. Booking.com was designated in May, and had to comply by November.

There is a good chance that additional gatekeepers will be designated in 2025, and that some current ones that have been dragging their metaphorical feet will start to accept the DMA’s requirements. We can expect to see the gatekeepers roll out new policies and requirements for their millions of customers in 2025 to help ensure privacy compliance across their platforms’ ecosystems.

More stringent consent requirements are also being accompanied by expanded consumer rights, including functions like data portability, which will further enhance competitive pressures on companies to be transparent, privacy-compliant, and price competitive while delivering great customer experiences.

The AI Act and its implementation

While the entirety of the AI Act will not be in effect until 2026, some key sections are already in effect in 2024, or coming shortly, so we can expect to see their influence. These include the ban on prohibited AI systems in EU countries and the rules for general purpose AI systems.

Given that training large language models (LLMs) requires an almost endless supply of data, and organizations aren’t always up front about getting consent for it, it’s safe to say that there will continue to be clashes over the technology’s needs and data privacy rights.

Data privacy around the world

There was plenty in the news involving data privacy around the world in 2024, and the laws and lawsuits reported on will continue to make headlines and shape the future of privacy in 2025.

There have been complaints reported and lawsuits filed throughout 2024 regarding data scraping and processing without consent. Canadian news publishers and the Canadian Legal Information Institute most recently joined the fray. We don’t expect these issues to be resolved any time soon, though there should be some influential case law resulting once these cases have made their way through the courts. (It is unlikely that all of them will be resolved by settlements.) The litigation may have significant implications for the future of these AI companies as well, and not just for their products.

Social media and data privacy

As noted, laws that dovetail with data privacy are also becoming increasingly notable. One recent interesting development is Australia passing a ban on social media for children under 16. In addition to mental health concerns, some social media platforms — including portfolio companies of Alphabet, Meta, and TikTok parent company ByteDance — have run afoul of data privacy regulators, with penalties for collecting children’s data without consent, among other issues. It will be very interesting to see how this ban rolls out, how it’s enforced, and if it serves as inspiration elsewhere for comparable legislation.

The latest generation of data privacy laws and regulatory updates

The UK adopted its own customized version of the General Data Protection Regulation (GDPR), the UK GDPR, upon leaving the EU. It has recently published draft legislation for the UK Data (Use and Access) Bill, which is meant to further modernize the UK GDPR and reform the way data is used to benefit the economy. We will see if the law does get passed and what its practical effects may be.

Further to recent laws and updates for which we are likely to see the effects in 2025, in September 2024, Vietnam issued the first draft of its Personal Data Protection Law (PDPL) for public consultation.

Malaysia passed significant updates to its Personal Data Protection Act (PDPA) via the Personal Data Protection (Amendment) Act. The PDPA was first passed in 2010, so it was due for updates, and companies doing business in the country can expect the new guidelines to be enforced.

Also, the two-year grace period on Law No. 27 in Indonesia’s Personal Data Protection law (PDP Law) ended in October 2024, so we can expect enforcement to ramp up there as well.

Asia already has considerable coverage with data privacy regulation, as countries like China, Japan, South Korea, and India all have privacy laws in effect as well.

Just as the regulation of data privacy is reaching an inflection point of maturity and becoming mainstream, so are solutions for privacy compliance, consent, and preference management.

Integrated solutions for compliance requirements and user experience

Companies that are embracing Privacy-Led Marketing in their growth strategy want solutions that can meet several needs, support growth, and seamlessly integrate into their martech stack. Simply offering a cookie compliance solution will no longer be enough.

Managing data privacy will require solutions that enable companies to obtain valid consent — for requirements across international jurisdictions — and signal it to ad platforms and other important tools and services. In addition to consent, companies need to centralize privacy user experience to provide customers with clear ways to express their preferences and set permissions in a way that respects privacy and enables organizations to deliver great experiences with customized communications, offers, and more.

Customer-centric data strategies

It may take some time for third-party cookie use and third-party data to go away entirely, but zero- and first-party data is the future, along with making customers so happy they never want to leave your company, rather than trying to collect every bit of data possible and preventing them from taking their business elsewhere.

We may see more strategies like Meta’s “pay or ok” attempt where users can pay a subscription fee to avoid having their personal data used for personalized ads, but given EU regulators’ response to the scheme, similar tactics are likely to have an uphill battle, at least in the EU.

Delivering peace of mind while companies stay focused on their core business

SMBs, particularly, also have a lot to do with limited resources, in addition to focusing on growing their core business. We can expect to see further deep integration of privacy compliance tools and services. These solutions will automate not only obtaining and signaling consent to third-party services, but also notifying users about data processing services in use and data handling, e.g. via the privacy policy, responding to data subject access requests (DSAR), and other functions.

Further to international compliance requirements, as companies grow they are going to need data privacy solutions that scale with them, and enable them to easily handle the complexities of complying with the requirements of multiple privacy laws and other relevant international and/or industry-specific policies and frameworks.

Frameworks like the IAB’s Global Privacy Platform (GPP) are one way of achieving this, enabling organizations to select relevant regional privacy signals to include depending on their business needs.

Usercentrics in 2025

Our keyword to encapsulate data privacy for 2024 was “acceleration”. For 2025 it’s “maturity.” Data privacy laws and other regulations that include data privacy (like AI). Companies’ needs for solutions that enable multi-jurisdictional compliance and data management. The widespread embrace of data privacy as a key part of doing business, and strategizing Privacy-Led Marketing for sustainable growth and better customer relationships. The financial and operational risks of noncompliance moving beyond regulatory penalties to revenues from digital advertising, customer retention, and beyond.

The Usercentrics team is on it. We’ll continue to bring you easy to use, flexible, reliable solutions to manage consent, user preferences, and permissions, and enable you to maintain privacy compliance and be transparent with your audience as your company grows. With world-class support at every step, of course. Plus we have a few other things up our sleeves. Stay tuned! Here’s to the Privacy-Led Marketing era. We can’t wait to help your company thrive.

Usercentrics CMPs were among the first consent management platforms certified by Google when it launched its CMP Partner Program in September 2022. Usercentrics CMP and Cookiebot CMP have now been awarded Google’s Gold Tier certification in the company’s CMP Partner Program.

This certification guides Google customers toward a consent management platform that offers outstanding customer support, meets certain technical requirements, and can be easily set up with Consent Mode.

As user privacy expectations continue to evolve, Google has recently updated its data privacy and consent requirements in Europe, the UK, and Switzerland. Consent mode receives your users’ consent choices from your cookie banner or widget and dynamically adapts the behaviour of Analytics, Ads and third-party tags that create or read cookies.

In addition to the Gold Tier certification, Usercentrics CMP and Cookiebot CMP are two of a small number of direct integrations currently available within the Google tag user interface inside of Google Ads, Google Analytics, and Google Tag Manager to provide this straightforward and user-friendly functionality.

“Privacy is a core part of marketing now. The Gold Tier certification means customers can choose a CMP with confidence to meet consent management needs in conjunction with their use of Google Services. The Usercentrics CMPs, accessible through all Google interfaces, make it more seamless than ever for SMBs to meet Google’s EU user consent policy requirements and grow digital marketing operations,” said Eike Paulat, Director of Product at Usercentrics.

As of July 31, 2024, Google has announced a significant expansion of its EU User Consent Policy to include websites and apps with traffic/users in Switzerland. This update has important implications for publishers and advertisers operating within the European Economic Area (EEA), the UK, and now Switzerland.

In this article, we delve into the details of this policy expansion, its impact on businesses, and what’s needed for compliance.

The expansion of Google’s EU User Consent Policy signifies a broader application of consent requirements to safeguard user data privacy. It mandates certain disclosures and consents from end users in the EEA, the UK, and Switzerland. This applies to websites and apps using Google products and services, such as AdSense or Google Analytics, outlining the responsibilities of publishers and advertisers regarding user consent for:

Failure to comply with this policy may result in limitations or suspension of the use of Google products, or even termination of the agreement.

Google’s EU user consent policy – what’s changed and what does it mean for advertisers?

Google policy requirements for publishers and advertisers

Publishers and advertisers marketing to audiences in the EEA, UK and now Switzerland using Google products are now subject to specific obligations to ensure compliance:

Obtaining valid user consent

Publishers and advertisers are mandated to obtain legally valid user consent for the use of cookies or local storage where required by law, as well as for the collection, sharing, and use of personal data for ad personalization.

Transparency and user control

Clear instructions on how users can revoke their consent should be provided alongside the request for consent. Furthermore, a record of any granted consent must be maintained to demonstrate compliance with the policy.

Identifying data sharing partners

Publishers and advertisers must transparently disclose any third parties that may collect, receive, or use user data as a consequence of their use of Google products. This includes providing users with easily accessible information about how these third-parties use the data.

New scenarios

The policy also addresses scenarios where user data from a third-party property (website or app not controlled by the publisher or advertiser) is shared with Google due to the use of Google products. In such cases, publishers and advertisers are required to make commercially reasonable efforts to ensure the third-party property operator complies with the user consent obligations outlined in the policy.

Google requirements for publishers marketing to Switzerland

Since last year, Google has implemented a requirement for publisher partners to utilize a Google-certified Consent Management Platform (CMP) such as Usercentrics CMP, integrated with IAB Europe’s Transparency and Consent Framework (TCF) for serving ads to users in the EU/EEA and the UK. After the July 31 deadline, Swiss publishers using Google monetization products targeting Swiss traffic must also adhere to the following:

Google’s directive for Swiss publishers to adopt a CMP from their partner program represents a notable shift in Swiss digital practices. This decision, primarily focused on ensuring TCF usage for Swiss traffic, reflects Google’s proactive approach to aligning with legislative dynamics, namely with the Swiss Federal Data Protection Act (FDPA), which came into effect in 2023.

While the GDPR doesn’t directly apply in Switzerland, Google’s enforcement of TCF in the Swiss context indicates an acknowledgment of the FDPA’s alignment with GDPR standards.


Google requirements for advertisers targeting Swiss audiences

Companies using Google adtech products will need to obtain consent from Swiss users where legally required. For now, advertisers won’t be expected to send a verified consent signal for Swiss traffic through Google Consent Mode V2, which is the requirement in force for EU/EEA audiences, but this might change in the future.

Even if Consent Mode is not required for now, if you’re advertising using Google products, the most efficient way to collect and manage user consent in a legally compliant way is to implement a consent management platform (CMP) like Usercentrics consent solutions for websites and mobile apps.

Usercentrics CMPs are both Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.

Although Consent Mode activation is not required for now, it’s enabled by default in the tools, so you’ll be one step ahead should the requirements in Switzerland align with the rest of Europe. Plus, by implementing Consent Mode v2 you can benefit from analytics and conversion modeling, and avoid losing marketing data due to rejected consent banners.

Google policy update: impact on marketing strategies

The updated Google policy prompts marketers to prioritize obtaining valid user consent for data collection and ad personalization to align with building trust and respect for user privacy. This involves the implementation of transparent and user-friendly consent mechanisms to ensure compliance with the policy’s requirements.

Here’s what’s essential for marketers to consider under the updated policy:

Prioritize user consent

Making the acquisition of valid user consent for data collection and ad personalization a central element of your marketing strategy in these regions is imperative.

As per Google’s recommendation, their certified CMP Partners, such as Usercentrics Web & App CMP and Cookiebot CMP, have been thoroughly assessed and meet certain technical requirements to ensure the best possible experience for advertisers.

Transparency is crucial

Clearly conveying to users how their data is collected, used, and shared is vital. Equally important is providing easily accessible information and options for users to manage their consent preferences.

Partner compliance

If your operations involve third-party platforms that integrate with Google products, ensuring their compliance with user consent requirements is essential.

By aligning with the EU User Consent Policy, marketers can demonstrate a commitment to respecting user privacy and cultivating trust with audiences in the EEA, UK, and Switzerland. Ultimately, this can lead to a stronger connection between their brand and audiences, heightened user engagement and more successful marketing campaigns.

Before you go: the importance of compliance

The expansion of Google’s EU User Consent Policy to include users in Switzerland underscores the growing emphasis on data privacy and consent management. Publishers and advertisers must proactively adapt to these changes, ensuring compliance with the updated policy to maintain a positive relationship with Google and uphold user privacy.

In summary:

Navigating the GDPR and ad tech regulation is an ongoing challenge for app publishers, especially when delivering targeted ads to consumers.

The Internet Advertising Bureau Europe (IAB) launched the updated Transparency and Consent Framework version 2 (TCF v2.2) in May 2023, bringing with it a slew of new obligations and guidelines. The update is a response to criticism of the TCF v2.0 and has significant implications for how online advertising works for both publishers and advertisers.

In this guide, we’ll share what the TCF v2.2 is, how it impacts your app, and provide best practices for a smooth transition to the updated framework.

What is IAB TCF v2.2?

IAB TCF v2.2 is the latest set of Transparency and Consent Framework (TCF) changes and guidelines. The Framework was launched in 2016 to enhance transparency and customer control over personal data processing by publishers and advertisers in the digital advertising ecosystem.

This updated version gives consumers more control over their personal data, particularly in the context of advertising and content personalization.

Here are key policy changes brought by TCF v2.2:

  • Legal basis for data processing: User consent is now the exclusive legal basis for advertising and content personalization, eliminating the option for legitimate interest.
  • User-friendly descriptions: All in-app explanations and disclaimers about data use must be clearly written and easy to understand.
  • User control: Individuals have more control over how app publishers may use data processing features like geolocation data.
  • Vendor disclosure: App publishers must disclose all vendors that will access personal data, along with details on the type of data they collect, how long they keep it, and their reasons for data use.
  • Transparency: App publishers using the framework must reveal the data they collect and use in their ad campaigns.
  • Consent management platform (CMP) design: Publishers must ensure that the number of vendors is displayed on the first layer of their CMP UI and that users can easily opt out of data processing.

With these changes, app publishers should be cautious, not only about how they collect and share users’ consented data but also how their vendors and technology partners process that data.

TCF v2.2 deadline

The deadline to comply with the updated TCF v2.2 was originally September 30, 2023. This was delayed two months to November 20 to give companies more time to meet the requirements.

If you missed the deadline, now what?

If you still haven’t updated your app to comply with the new framework, you need to act now.

Noncompliance will not stop your CMP from working correctly. However, not being able to signal valid consent per recent requirements could result in restrictions or loss of access to important platforms, like Google’s advertising services. In today’s data-conscious digital markets, you can’t simply sweep rogue mobile advertising placements or poor data privacy practices under the rug.

Vendors and other third parties that rely on valid consent for their services to operate will take notice. Noncompliance may damage your business or customer relationships and reduce potential ad revenue.

If you missed the deadline, update your consent practices to align with TCF v2.2 requirements as soon as possible. The quickest way to do this is to implement a reputable CMP, like Usercentrics Apps CMP, that’s tailored to these requirements right out of the box, and is also registered with the IAB.

By demonstrating your adherence to current data protection and privacy standards, you’ll help restore your vendor functionality and build user trust.

How does the TCF v2.2 affect app publishers?

The TCF v2.2 gives power back to users who can share, refuse, or revoke consent at any time. To avoid the risk of noncompliance, app publishers must adhere to standards when collaborating with third-party vendors.

App publishers need to pay close attention to the following areas.

User consent management

Under the TCF v2.2, app publishers are required to explicitly mention what technologies they use to collect personal data, and how they process it.

App developers must disclose the user data they collect, for what purposes, and what third parties it may be shared with, among other requirements.

Publishers also need to provide users with the ability to refuse consent or to change or withdraw previously granted consent at any time. This needs to be as easy to do as to give consent.

Publisher restrictions

Thanks to the TCF v2.2, app publishing companies can now exercise more control over how their vendors and tech partners access and handle user data.

For example, publishers can set custom requirements specifying how every vendor can process the user data collected on their website. App companies can also limit the purpose of data processing to a single activity, such as ad personalization or visitor analytics.

Vendors can register as capable of operating under multiple legal bases, and publishers can specify their preferred legal bases for partnering with vendors. This enables vendors and publishers to navigate markets with varying legal requirements for processing personal data.

Enhanced transparency

The TCF v2.2 requires publishers to provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies. Additionally, for consent requests to be valid, users must be provided with the following information for each vendor:

If a publisher is using legitimate interest as their legal basis, they must provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies, as well as the following information for each vendor:

By providing this information in advance of data processing, individuals are empowered to make informed decisions about their data.

Vendor compliance

While not an absolute legal requirement, app publishers are advised to work with vendors that comply with the TCF v2.2 and are on the IAB’s vendors list. By doing so, all parties involved agree to adhere to the same standards, which reduces the overall risk of noncompliance.

Refer to the TCF v2.2-compliant CMP list to verify whether your CMP provider meets the TCF v2.2’s requirements.

Usercentrics is a leading Google-certified CMP that complies with TCF v2.2 standards and is on the IAB’s list. Thousands of apps in 180+ countries rely on our platform to support them in achieving compliance with the GDPR, CCPA, LGPD, POPIA, and other laws and frameworks.

Impact on revenue

The TCF v2.2 can impact app companies’ revenue. If informed users decide to opt out of personalized ads, app publishers could lose programmatic ad revenue.

Publishers that get most of their traffic in the EU could experience this revenue drop the most due to the region’s regulations and requirements being levied by large digital platform providers. Even so, it’s best to adopt the TCF v2.2 no matter where you operate, since most programmatic ad platforms will eventually stop advertising on websites and applications that haven’t implemented it.

Not meeting the latest standards and requirements could result in an even greater revenue hit from critical third parties. For example, Google now requires European advertisers to use a certified CMP that integrates with the TCF v2.2, or else they will not be able to do personalized advertising.

Let’s explore the benefits and challenges that app publishers face with TCF v2.2.

Opportunities and challenges for app publishers

App publishers face both opportunities and challenges as the ad tech ecosystem adopts these TCF policies. The benefits of implementing the TCF v2.2 framework include:

Some challenges app publishers must keep in mind while migrating to TCF v2.2.

Tackling these challenges becomes easier when publishers team up with a TCF v2.2-compliant CMP partner to handle user consent collection, storage, and management.

A CMP makes it easier for publishers to obtain the consent they need once they’ve determined which of their processing activities require it. It can then find preferred vendors, or publishers can select them manually, and display data processing purposes in multiple languages.

A CMP also securely stores user consent choices, enabling users to change them or withdraw previously granted consent. It also equips companies to provide the required information in the event of an audit by data protection authorities or a data subject access request.

Transparency and Consent Framework v2.2 best practices

Achieving privacy compliance with the TCF v2.2 may seem challenging, but it is achievable. All you need is the right tools to set up an ecosystem that enables you to seamlessly connect with and manage vendors and users. Follow these best practices to stay compliant in the TCF v2.2 era and beyond.

These best practices will help you provide transparency to users while delivering personalized experiences based on the data you collect.

Use a consent management platform to achieve compliance

The TCF v2.2 is a broad framework that introduces strong standards and focuses on many areas of data privacy, including users’ right to object to data processing, UI requirements for CMPs, and other transparency measures.

Implementing a CMP that integrates with the TCF v2.2 helps simplify the complexities and enables companies to meet current and future regulatory and industry requirements.

Usercentrics Apps CMP meets that need. This customizable, all-in-one CMP for apps and games publishers makes it easy for you to obtain, manage and optimize consent while meeting data privacy requirements from regulators and industry partners.

Data privacy has become critical to doing business, touching regulatory compliance, digital marketing strategy and customer relations. For millions of companies, Google — and its products like Google Ads and Google Analytics 4 — is becoming central to privacy compliance and revenue generation.

Today there are three primary influences on the requirement for companies to obtain users’ consent for access to and processing of personal data:

Some companies continue to ignore consent requirements, but they are increasingly risking not only fines and other penalties, but also loss of brand reputation, user trust, and potentially revenue if they are denied access to third-party platforms, like Google’s advertising services.

Ignoring the revenue potential of consent-based marketing initiatives will quickly leave change-resistant companies behind in highly competitive and rapidly changing markets.

Consent requirements by governments and data protection authorities

  • Global data privacy laws: Privacy laws, like the GDPR, aim to protect data; 75% global coverage expected by 2024
  • Diverse regional impact: Laws vary, from the EU’s GDPR, to country-specific ones like Brazil’s LGPD and state-level ones like California’s CCPA in the United States
  • Enforcement and compliance: Authorities enforce data privacy with fines, requiring compliance of data-reliant organizations

Governments have been passing data privacy regulations around the world to protect citizens for many years. Modern comprehensive privacy laws started showing up over a decade ago, and have ramped up with the influence of the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018.

Prior to that, however, there have been other privacy laws passed, a number of which have been updated, like Switzerland’s FADP, or are in the process of being updated, like Canada’s PIPEDA and the Privacy Act in Australia.

Some privacy laws, like the GDPR, cover entire regions. Others cover just the country that passed them, like Brazil’s General Data Protection Law (LGPD). Still more only cover a far smaller area, like each of the United States’ state-level data privacy laws passed to date, e.g. California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA).

Gartner has predicted that 75% of the world’s population will have its personal data protected by at least one data privacy law by the end of 2024. With China (PIPL) and India (DPDP Act) — the world’s two most populous countries — now on board with data privacy laws, this seems like a reasonable expectation. As does the likely passing of more national privacy laws, and more targeted laws, like those taking artificial intelligence (AI) or children’s online privacy into account. Or addressing the evolution of the ever-growing mobile industry, with mobile gaming alone (also very popular with children) being worth over US $140 billion in 2022.

In addition to passing laws, authorities are also ramping up enforcement efforts. Big tech companies receiving billion-dollar fines may garner headlines, but it’s not just Facebook, Google and Amazon in regulators’ crosshairs anymore. Organizations of all sizes that rely on user data, and that want to maintain users’ goodwill, need to comply with data privacy requirements.

Consent requirements by large tech partners

  • Third-party compliance: Big tech companies mandate privacy adherence for business partners and customers, amplifying their influence
  • EU’s Digital Markets Act impact: Google requires third parties to use Google-certified consent tools and the latest version of Consent Mode.
  • Industry-wide shift: Privacy moves by dominant players like Meta and Amazon drive widespread data consent practices.

In order for big tech companies to achieve regulatory privacy compliance, they need to ensure third parties they do business with are also compliant. This includes advertisers, merchants, data analytics services, and more. When platforms and services have audiences of billions of people, and are relied upon for revenue, data, and access to those audiences by millions of companies, big tech companies’ privacy compliance requirements for third parties come with significant clout.

Laws like the Digital Markets Act (DMA) are coming into effect in the EU, and gatekeepers, including Google, are implementing new requirements for third parties. As of January 16, 2024, in the EU/EEA and UK, Google is requiring publishers and developers to implement a Google-certified CMP, like Usercentrics CMP, which has Google Consent Mode and the TCF 2.2 integrated, as Google requires.

This is to ensure companies obtain and can signal valid user consent if they want to continue to monetize websites and/or apps with advertising using Google AdSense, Ad Manager, or AdMob.

Additionally, if companies are serving ads to audiences in the EU and/or EEA using Google Ads, Google Marketing Platform or Google Analytics (GA4), they need to activate Google Consent Mode v2. The best way to meet this requirement is by also implementing a Google-certified consent management platform (CMP), like Usercentrics CMP, that supports Google Ads Consent Mode, and sending verifiable consent signals to Google to maintain ad revenue from personalized campaigns in the EU and EEA.

Given that companies like Meta (parent of Facebook, Instagram and WhatsApp, among others), Microsoft, ByteDance (parent of TikTok) and Amazon have comparably large platforms and audiences, compliance-related requirements they launch are also likely to cause significant shifts and adoption of data privacy initiatives and uptake of consent management solutions.

Consent requirements by consumers

As the source of personal data, consumers are becoming increasingly concerned about and savvy regarding who gets access to what data, and how they are allowed to use it. They are also starting to expect to get more for their consent in order to hand over their data, rather than just accepting that it will be hoovered up everywhere they go when accessing websites, apps and other connected platforms.

New regulations like the Digital Markets Act are also enabling consumers to exercise greater flexibility and choice regarding the products and services they use. Data portability requirements make it easier to switch platforms for better features or more competitive pricing. This should serve to spur innovation on companies’ part and make them work harder to retain their customer base.

There have also been enough high-profile data breaches, and enough consumers have been personally affected, that people no longer have much patience for companies that don’t protect or respect the data that consumers have entrusted to them. The mobile space is particularly notable, where users are more than willing to delete apps if they don’t feel like they have adequate security and respect for their personal information.

  • The role of the CMP: CMPs help to ensure legally valid user consent and manage notifications about data collection purposes.
  • Diverse consent laws: Privacy laws differ; the GDPR mandates “opt in” consent, while US laws require “opt out” options.
  • Multi-jurisdiction compliance: CMPs handle various global laws, integrating consent across platforms for marketing operations.

At the core of all these privacy requirements is user consent. But like any legal requirement, you have to obtain consent the right way, and be able to prove it. This is what a consent management platform (CMP) enables. Most privacy laws also require notifying users about relevant laws, users’ rights, what data is being collected and for what purposes, and more. This is also done via a CMP’s consent banner.

Every privacy law has its own specific requirements for consent. Many require prior consent, or “opt in”, where valid user consent has to be obtained before any data is collected. Some laws, like the ones passed to date in the US, are “opt out”, and require consent for specific uses, like sale of data or using it for profiling, but don’t require it to collect and process data. Different laws also have specific requirements for what constitutes valid consent. Art. 7 GDPR, for example, has become probably the most influential guideline for that.

Adding complexity, companies that do business in more than one jurisdiction may well need to comply with multiple different laws with varying requirements. A CMP streamlines this otherwise very tricky and complex operation. A high performance CMP will also enable geolocation rules so that not only is information displayed about the right regulations, but also in the user’s preferred language for better user experience and transparency.

Marketing operations today also require an ecosystem of platforms and tools, which means that consent requirements have to be applied and communicated across various systems. A good CMP solution also enables this, integrating with many platforms, and enabling signaling of consent information to third parties, like via Google Consent Mode v2, which is integrated into Usercentrics CMP. This way, organizations can obtain valid, granular user consent for relevant regulations, and communicate it to all relevant third-party partners, enabling seamless operations for digital advertising and more.

Increasingly, yes. In jurisdictions where you need to obtain prior consent from users before collecting user data, you need consent for any non-essential cookie use, including for advertising or analytics purposes. In Europe, companies will have to prove consent to be able to use Google Ads for functions like personalization, retargeting and conversion tracking. Consent is required to collect users’ data from their online browsing, shopping, etc. to power GA4.

Cookies and other trackers also need to be blocked by the CMP until user consent is obtained under many regulations. All of this precedes serving ads or other advertising functions, or collecting user analytics data. Over the past year or two there has been increasing scrutiny on Google Analytics use in Europe, and its compliance with the GDPR.

Google Consent Mode is an API that enables consent management for Google Ads and other platforms to pass consent data to Google Tag Manager in a recognizable format. This enables businesses to modify how Google tags function based on user consent decisions related to cookies for ads and analytics. Google updated Consent Mode to v2 in late 2023.

Originally, Consent Mode mainly enabled anonymized tracking of data when user consent was not obtained. However, the tool and its role have evolved, and now its primary function is as a tool for signaling, as outlined above regarding the use of a CMP. Consent Mode also helps website owners with conversion data from advertising, enabling greater accuracy in their insights for optimization.

In the latest version of Consent Mode, the key settings are ad_user_data and ad_personalization, which are based on the same trigger as ad_storage.

Consent Mode is not exclusively used with Google Ads, but their use is becoming increasingly intertwined and required in light of requirements of regulations like those under the DMA. In relevant jurisdictions like the EU and UK, Google is requiring third parties to use a CMP that they have certified, which supports Consent Mode, to obtain and signal user consent if they want to continue to serve personalized ads as of January 2024.

Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.

As with ads, Consent Mode enables modification of how Google tags function based on the consent decisions users make. Importantly in this case, that includes preventing data collection or processing until consent for analytics cookies is obtained.

Consent Mode enables management of cookies for analytics use in GA4 based on users’ consent choices via the analytics_storage tag. If a user consents to analytics cookie use, GA4 can collect the full complement of data for analytics and/or statistical purposes. If a user does not consent to analytics cookie use, then the data GA4 has access to is limited. For example, the user cannot be personally identified, though non-identifying data is still collected, like operating system or browser in use, referrer, etc.

A correctly implemented consent management platform detects (and blocks) all cookies and tracking technologies in use. It should also provide information about all of them to users, available in the consent banner. Usercentrics CMP’s scanning functionality and database of thousands of data processing services streamline this process and save considerable time and resources.

Users can then make consent choices to consent broadly to data processing, or at a granular level. E.g. a user could consent to analytics cookie use, but not advertising cookie use. Consent Mode then enables signaling this information to GA4, which proceeds with collecting and analyzing the consented data.
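The signaling described above, as an added example that is not Usercentrics' or Google's code: it maps CMP category choices to the four Consent Mode v2 consent types, starts from a denied default, and fails closed on malformed input. The gtag('consent', ...) commands and consent type names are Consent Mode's; the CMP categories "marketing" and "analytics", the helper names, the in-memory dataLayer and the queue replay are assumptions made for this example.

```javascript
// Added example. The consent types and gtag('consent', ...) commands are
// Consent Mode v2; the CMP categories ("marketing", "analytics") and the
// helper names are assumptions for illustration.

// Stand-in for window.dataLayer so the example runs outside a browser.
const dataLayer = [];
function gtag() {
  // Same shape as Google's snippet: the raw arguments object is queued.
  dataLayer.push(arguments);
}

const CONSENT_TYPES = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
];

// Fail closed: only a strict boolean true grants. A string such as "false",
// a missing key or a malformed CMP payload all resolve to 'denied'.
function grantedIf(value) {
  return value === true ? 'granted' : 'denied';
}

// Map CMP category choices to Consent Mode v2 signals. The two v2 settings
// (ad_user_data, ad_personalization) follow the same trigger as ad_storage.
function toConsentSignals(choices) {
  const c = (choices !== null && typeof choices === 'object') ? choices : {};
  const ads = grantedIf(c.marketing);
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: grantedIf(c.analytics),
  };
}

// Must be queued before any Google tag fires: everything starts denied.
function setConsentDefaults() {
  const defaults = toConsentSignals({});
  gtag('consent', 'default', defaults);
  return defaults;
}

// Called from the CMP callback whenever the user saves or changes a choice,
// including a later withdrawal of consent.
function updateConsent(choices) {
  const signals = toConsentSignals(choices);
  gtag('consent', 'update', signals);
  return signals;
}

// Simplified replay of the queue for inspecting this example (not Google's
// tag logic): later consent commands override earlier ones per consent type.
function effectiveConsent(queue) {
  const state = {};
  for (const entry of queue) {
    if (entry[0] !== 'consent' || !entry[2]) continue;
    for (const type of CONSENT_TYPES) {
      if (type in entry[2]) state[type] = entry[2][type];
    }
  }
  return state;
}

// Constructed scenario: analytics accepted and advertising refused, then
// analytics consent withdrawn.
setConsentDefaults();
updateConsent({ marketing: false, analytics: true });
const afterChoice = effectiveConsent(dataLayer);
updateConsent({ marketing: false, analytics: false });
const afterWithdrawal = effectiveConsent(dataLayer);
console.log(afterChoice, afterWithdrawal);
```

An audit of a live page can apply the same replay to the real window.dataLayer to confirm that a default command precedes every update and that a withdrawal actually reaches the queue.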

Google is requiring third parties using its platforms and services in the EU to use the latest version of Consent Mode to signal valid user consent, i.e. that obtained through the use of a consent management platform into which it’s integrated. Consent Mode’s original value was also in providing additional information and insights through modeling when users did not provide consent, which continues to be the case.

Organizations intending to collect and use consumers’ data for marketing, analysis, and other purposes very likely need a CMP and Consent Mode if their visitors, users or customers reside where they are protected by a data privacy law with opt-in requirements. This includes the EU, Brazil, South Africa and many other places. Today and into the future, data privacy best practices will involve obtaining valid prior user consent for advertising, analytics, and other functions. Consent will be particularly important as it contributes to enabling revenue generation.

What Google services does Consent Mode support?

Consent Mode supports the following Google services:

Consent Mode is also a valuable tool for organizations that want to enhance their consent-driven marketing and move away from outdated and questionably privacy-compliant strategies.

In addition to the legal requirements, Consent Mode brings benefits for data and revenue. Great user experience through a user-friendly UI and transparent consent information help optimize opt-in rates. This means more data, which is used to develop conversion insights to better understand user interactions, including those who do not provide consent.

For website operators using Google Analytics, Google Tag Manager or Google Ads, Consent Mode means on average getting over 70 percent of ad-click-to-conversion journeys back for advertisers.

Usercentrics CMP meets all of Google’s latest requirements and has been certified for use by Google customers operating in the EU, EEA and UK. Usercentrics CMP was one of the first certified by Google in May 2023 to meet their new requirements, and it was upgraded to support Consent Mode v2 in November 2023 when Google rolled out the change. Usercentrics CMP is also integrated with the TCF 2.2, another requirement by Google and for regulatory compliance for advertisers in Europe.

Usercentrics helps companies to achieve and maintain data privacy compliance with global regulations. However, it’s not just important to avoid fines, loss of brand reputation or damage to user trust today. The tech and legal landscapes are always changing, and Usercentrics is committed to ensuring companies are futureproofed as tools, requirements and user expectations evolve.

Companies need to stay focused on their core business, and Usercentrics CMP provides the user-friendly, flexible and scalable solution to provide privacy compliance peace of mind as your company grows.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.

On October 30, 2023, Meta announced their decision to offer ad-free versions of Facebook and Instagram on a subscription basis to users in the European Union (EU), European Economic Area (EEA) and Switzerland.

From November 2023, users in these regions could either pay a monthly subscription fee for an ad-free experience or continue to use the platforms for free and receive personalized ads. Users who choose the free version implicitly agree to have their personal data used for tailored advertising.

We examine Meta’s ad-free subscription model, its compliance with European data privacy regulations, and what it means for users and advertisers.

Understanding Meta’s subscription model for EU users

Meta’s new subscription offering for Facebook and Instagram access in the EU and Switzerland has specific variations on pricing and access. The cost of this ad-free experience depends on the platform used for purchase:

Additionally, until March 1, 2024, a single subscription covers all linked Facebook and Instagram accounts within a user’s Accounts Center. After this date, a charge of 6 per month for each additional account will apply for web users, while iOS and Android users will face an 8 monthly charge per additional account.

Meta, previously fined for multiple instances of unlawful advertising practices, has changed its approach. The company moved from using legitimate interest as the legal basis for data processing to using consent (Art. 6 GDPR). The aim is to align their advertising practices with European regulations, including the General Data Protection Regulation (GDPR) and the European Digital Markets Act (DMA).

Meta cites a July 2023 ruling from the Court of Justice of the European Union (CJEU) as the basis for its decision to charge a fee for ad-free access, claiming that it provides users with a genuine choice while complying with European regulations. The ruling stated that users must be free to decline consent for data collection without having to completely stop using the offered service. As a result, users should be given an equivalent alternative, “if necessary for an appropriate fee”, where their data is not processed.

Is Meta’s subscription model compliant with the GDPR?

Meta’s introduction of a subscription option, often referred to as the “PUR Model” or “pay or okay”, mirrors strategies used by many publishers in the EU. This model typically involves giving users access to content either through a subscription or by consenting to their data being processed.

Meta’s ad-free subscription model has raised concerns among privacy activists and is facing legal challenges.

The model’s compliance with the GDPR is a topic of ongoing discussion and scrutiny. Several European data protection authorities (DPAs) have weighed in on such subscription models as a way to continue advertising, as well as on related concepts like cookie walls and paywalls.

Denmark

The Danish DPA Datatilsynet in February 2023 shared guidelines suggesting that companies could use a cookie wall if they also offered a reasonable alternative, which could be payment-based for users who did not wish to consent to data processing. The guidelines stated that companies can set a fee for subscription at their discretion but stressed that they must not set “an unreasonably high price for the payment alternative”.

The DPA guidelines also require companies to prove that processing data for statistical or personalization purposes is essential for offering access without payment as an alternative to the paid subscription.

Germany

Although there have been earlier cases in which a “pay or okay” model was deemed illegal in Germany, the German Data Protection Conference (DSK) evaluated subscription models and concluded in March 2023 that they could comply with GDPR and ePrivacy regulations, assuming all requirements for informed, specific, and voluntary consent were met.

Subscribers and non-subscribers must also have access to equivalent content, and providing granular consent must be possible if personal data is processed for multiple purposes. If granular consent is not possible, then consent cannot be considered fully informed and freely given and is thus invalid.

France

The Commission Nationale Informatique & Libertés (CNIL) also considered this issue in May 2022, stating that paywalls — where users must pay to access content if they refuse cookies — were not inherently prohibited since they offered an alternative to consenting to tracking technologies. Like the Danish DPA, they cautioned that the cost must not deter users from making a true choice, emphasizing the need for a “reasonable price”.

Challenges against Meta’s subscription model for EU users

The Austrian DPA has been approached to assess whether the subscription cost is excessively high, potentially making it a questionable practice under European privacy laws.

A separate legal challenge has been filed before the Consumer Protection Cooperation Network by BEUC, the European Consumer Organisation, and 19 member states to assess whether the subscription model constitutes an “aggressive practice” and contravenes EU consumer laws.

The verdict on Meta’s planned model

The verdict is still out on whether Meta’s model aligns with European regulations like the GDPR and will largely depend on two factors:

  1. Whether users are offered the option to consent, and, if so, whether this consent is deemed granular.
  2. Whether the subscription fee is deemed reasonable so that it provides users with a real choice.

It’s a dynamic issue that’s still unfolding as European regulators assess the subscription model’s compliance with legal standards. The Usercentrics team will keep a watch on these developments and provide updates as the situation progresses.

What changes for Meta users in the EU, EEA and Switzerland?

With the announcement of the subscription model, Facebook and Instagram users have three options:

  1. pay for a subscription to enjoy an ad-free experience
  2. continue to use the platform(s) without paying, have their personal data processed, and be served personalized ads
  3. leave the platforms altogether if they don’t want to pay or have their data processed

Users who choose to subscribe will have a distraction-free experience, enabling them to focus on connecting with others and consuming brand content that interests them.

However, we must consider the potential trade-offs of this subscription model. Users may enjoy an ad-free experience, but they now need to pay for platforms that were previously available for free and widely used — Meta reported 255 million monthly active users on Facebook and 250 million on Instagram in Europe at the end of 2022. The move to a subscription model might exclude European users who cannot afford the subscription fee.

Users who can’t or don’t want to pay a monthly subscription must decide if they want to part with their data for access to the social media platforms or stop using them, when they may have built up content and communities over a decade or more of use.

Advertising on Facebook and Instagram: What marketers can expect

With Meta’s new subscription model, advertisers will have to adapt to significant changes in the digital advertising ecosystem.

Potential reduction in audience

Subscribed users pay a monthly fee for a subscription service with no ads on Facebook and Instagram, so advertisers will not be able to target them. There could be a further reduction in audience size if users who are unwilling to subscribe or consent to data use leave the platforms. Experience with PUR models on other platforms tells us there’s normally not a significant decrease in user base. But if the decrease does become considerable over time, it may reduce advertisers’ reach, potentially affecting their marketing campaigns and return on ad investment.

Increased competition for Meta ad space

With a portion of the audience now unreachable, the competition for the remaining ad space may intensify. This might lead to higher costs for advertisers as they vie for the attention of a smaller user base. At the same time, non-subscribed users may be less engaged (or more resistant) than paid ones, so less receptive to advertising generally.

Retention of targeted advertising opportunities

Despite these challenges, advertisers retain the opportunity for targeted advertising with non-subscribed users who remain active on the platforms. This segment still allows for data-driven, targeted campaigns, enabling advertisers to maintain precision in their marketing efforts, even if to a narrower audience.

Reevaluation of marketing strategies

These changes in the advertising landscape urge advertisers to reevaluate their marketing strategies. A holistic approach to digital marketing that includes a variety of platforms and channels can help mitigate risks and strengthen overall advertising efforts. Embracing consent-based marketing strategies will also help future-proof organizations’ digital marketing efforts.

These impacts largely depend on how many users choose to subscribe, consent to access to their data, or leave the platforms. Nonetheless, advertisers will need to adapt their strategies to these changes.

Ad transparency under the Digital Markets Act (DMA)

The implementation of the European Digital Markets Act brings a significant shift to businesses advertising on Facebook and Instagram. The DMA mandates that Meta — which is one of the designated gatekeepers under the European regulation — must provide advertisers with more comprehensive ad performance metrics.

This requirement for greater transparency can offer advertisers a clearer view of how their ads perform among the non-subscribed audience segment on Meta’s platforms.

Increased transparency can also translate to deeper insights for advertisers. They can now access more detailed information about the reach, engagement, and overall effectiveness of their ads. This clarity is valuable in understanding how their content resonates with the audience that continues to see ads, and whether shifts in strategy are needed to align with any changes in audience.

Despite a potentially slightly reduced data pool because of the subscription model, the enhanced metrics available under the DMA put advertisers in a position to develop more informed and targeted advertising approaches.

Because DMA advertising rules still enable access to more detailed performance data, there’s the opportunity to shift towards a deeper analysis of ad performance and user engagement patterns. Advertisers can examine the nuances of how different audience segments interact with their ads, leading to more precise and effective campaign strategies.

This approach is not just about reaching the audience but engaging with them more meaningfully, tailoring messages that resonate and drive desired actions.

Preparing for the future of digital advertising

As the communication around DMA compliance continues to emerge and the scrutiny of Meta’s subscription model unfolds in front of data protection authorities, marketers need to monitor developments for potential changes in Meta’s policy and EU regulatory enforcement.

Staying informed and responsive to changes will be key to maintaining effective and compliant advertising practices within this evolving regulatory framework.