The Future of Privacy-First, Cookieless Digital Marketing

Future of Privacy-First, Cookieless Digital Marketing

The world of digital marketing is undergoing a radical transformation. For the first time since the entire digital marketing industry began in the 1990s, marketers are increasingly finding themselves in a situation that is alien to what they have been used to for so long. That is, the sheer amount of data that has proliferated and increased in scale and availability over the past two decades, is now slowly going away.

To an industry that has become dependent on ever-increasing amounts of data about its prospects and customers, this change is unsettling. Just ten years ago, marketers could have only dreamed about the amount of data that they have access to today. And yet, as quickly as that data has become available to marketers, much of it is being taken away at a rapid pace.

The change is not one the industry has come by voluntarily. The disappearance of data is a direct result of digital privacy laws around the world which are coming into existence at an ever-increasing rate. These laws are catching both marketers and the platforms they use both off guard as they struggle to try and navigate the path towards a future in which they will have to make due with far less data than they have in many years.

Data Privacy Laws

In 2018, the introduction of the General Data Protection Regulation (GDPR) in the European Union ushered in the transition to providing individuals (referred to as data subjects) with more autonomy over how their personal data is collected, stored and used. Additionally, the GDPR outlines the responsibilities for entities that collect, store and use data (referred to as data controllers). The EU also has an earlier law, the ePrivacy Directive, which was passed in 2002 and adds supplemental guidance to the GDPR.

The GDPR is currently the strictest and most comprehensive law on digital privacy. It is the standard by which other privacy laws are taking shape around the world. The fines for GDPR violations can run into the tens and even the hundreds of millions of dollars.

While the GDPR covers many areas, the areas that most digital marketers are concerned with revolve around the use of third-party cookies as well as general data collection. The central tenet behind the GDPR and other data privacy laws is consent. Has the data subject given consent to having their data collected and stored by the data controller or have they not?

As of this writing, the United States currently does not have a national data privacy law. In 2019, U.S. Senators Amy Klobuchar (D-MN), Maria Cantwell (D-WA), Brian Schatz (D-HI) and Ed Markey (D-MA) unveiled a proposed national privacy law called the Consumer Online Privacy Rights Act (CORPA). However, as one might expect in the United States, strong lobbying by technology companies to the tune of $70 million has hindered the passing of the bill into law.

At the state level, as of mid-2022 just five U.S. states have passed any kind of data privacy laws—California, Colorado, Connecticut, Virginia and Utah.

In 2018, the state of California passed the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) in 2020. The basic elements of the CCPA give consumers in California the right to know the personal information a business collects about them and the right to delete that information as well as to opt-out of the sale of their personal information.

The Chinese Personal Information Protection (PIPL) law, which went into effect on November 1, 2021, contains many similar provisions as the GDPR regarding the data privacy of Chinese citizens. For digital marketers, the foremost of these is the need to obtain the consent of the individual when personal information is processed, the information is transferred from one data processor to another and when the information is transferred outside of China.

In Japan, the Act on the Protection of Personal Information (APPI) law was originally passed in 2003. The law has been amended a number of times since then. In 2021, a new set of requirements was enacted and the changes took effect in April of 2022. Under the recent changes, there is more serious regulation regarding opt-in consent for cross-border data transfers as well as new restrictions on how data subjects’ personal data can be stored, accessed and deleted.

Privacy Law Impacts on Marketing

Currently, the EU’s GDPR, China’s PIPL and Japan’s APPI differ from the U.S. state laws from each other in several different ways in terms of how data is collected, stored and processed. While there are several key areas of marketing that these laws address, the most visible area in which the laws have influenced marketing is in the realm of tracking cookies.

The most relevant and fundamental of these ways that pertain to digital marketers is this: the GDPR, PIPL and APPI require that the data subject opt-in to all cookies that are not specifically required to use a website while the U.S. state laws currently only require that a user to opt-out of cookies already set.

This key difference in how a user must consent to tracking via cookies is going to determine much of the future of digital marketing and, more importantly, for the platforms that profit from the use of collecting user data via cookies.

Since the rollout of the GDPR in 2018, marketers have been slowly coming to terms with the new realities of global privacy legislation’s effects. In the past decade or so, marketers could count on a steady stream of data enabled by third-party cookies from an array of advertising pixels and analytics cookies. But those days have come to a close in the EU, China and Japan. And for many other other parts of the world, including the US, it is only a matter of time before privacy laws evolve to place greater restrictions on how marketers can track and collect data in their marketing campaigns.

The privacy legislation landscape moves and evolves quickly. And anything that is written here will likely be out of date within a matter of months. Still, it’s almost certain that marketers will be impacted in the following ways:

1. Non-Essential and Third-Party Cookies Going Away

In the European Union, China and Japan, the ability for third-party cookies to be set by default when a user visits a website is now gone. Cookies that are not considered necessary to use the functionality website are now a violation of the GDPR, PIPL and APPI laws in those countries.

The lack of all non-essential cookies means that the advertising and analytics cookies that almost all marketers depend on will not be set when a user visits a website. Because cookies are the main way that state is persisted when a user interacts with a website, the loss of visibility for third-party cookies means that data that needs to be tracked in persistent, multiple interactions will not be possible.

2. Attribution Loss

A typical buyer’s journey involves multiple touch points on the way to becoming a customer. A prospect may first see a banner ad, perform a search on a search engine, click on either an ad or an organic listing, read some content on the site, download a white paper and sign up for an email list long before they ever become a paying customer.

Without the persistence of third-party cookies, marketers will be losing a lot of visibility into the buyer’s journey and the various channels that prospects use in the process to become customers. Multi-touch marketing attribution models will be much more difficult to determine going forward.

3. Key Performance Indicators (KPIs) Will Change

Because cookies are necessary to track certain KPIs, marketers have already and will continue to lose a lot of visibility into KPIs such as unique visits, return visitors, recency, pathing data and content consumption. These KPIs have always been dependent on cookies and the ability to differentiate users and to persist information about them.

4. Advertising Attribution Loss

Not all marketers buy digital advertising, but many do. If they didn’t, companies like Google, Facebook and increasingly Amazon, LinkedIn and many other advertising platforms wouldn’t make the staggering amounts of money that they do.

These advertising platforms absolutely depend on the data that third-party cookies and pixels provide for both them and their advertisers. Without cookies, a lot of data is lost and advertisers can’t justify spending a lot of money on clicks that they can’t directly tie to revenue.

There has been a lot of movement by advertising networks to come up with viable substitutes to replace third-party cookies. Perhaps most notably, Google originally proposed FLoC (Federated Learning of Cohorts), a technology that was met with criticism by privacy advocates. As of this writing, Google has recently replaced FLoC with Topics.

Digital advertising is a gigantic industry that is, to a large extent, dominated by the “gatekeepers” of the internet—namely Google and Facebook. However, there are numerous other advertising and analytics providers that rely on third-party cookie tracking technology for their functionality.

Advertising, both on the supply (publisher) and demand (advertiser) sides, is one of the most profitable and proven business models on the internet. How the advertising ecosystem adapts to the loss of third-party cookies will likely be a continual evolution that will be interesting to watch unfold.

The Future Past of Digital Marketing

In the early days of the web, the sophisticated tracking capabilities that marketers now take for granted had not really been created yet. Web analytics was often just one lone webmaster analyzing server-side logs. The current ecosystem of client-side JavaScript tagging had not evolved yet.

Advertising on the web officially began when HotWired magazine (the early website of Wired magazine) sold the original banner ad in 1994 and launched what has today become a multi-billion dollar business known as programmatic advertising with a huge number of players.

Search advertising began a few years later with the launch of invented at Bill Gross’s IdeaLab. GoTo later renamed itself Overture and then was acquired by Yahoo! in 2003. Google later “borrowed” the idea for placing ads in its search results and launched Google AdWords in 2000.

Social media and its advertising platforms came along for a few years later. None of the original social media companies were created with the intention to sell advertising. But they needed a business model. And when you have a large userbase, it turns out that bolting an advertising network on to your platform and selling clicks can be incredibly profitable.

These platforms have gradually enhanced and refined their tracking capabilities to such an extent that we are now seeing people and governments demand real change. There appears to be a growing resistance among people generally against what has been called surveillance capitalism.

Still, marketers need to market. The economic viability of the web does still depend on companies being able to sell and profit from economic activity. The reality is that people still bought things and responded to marketing long before these sophisticated tracking systems evolved. And while it has been incredibly helpful for marketers to have the sophisticated tracking of cookies and pixels, it is far from necessary to have these things in order to market and successfully prosper on the internet.

So what is the future of digital marketing? In my opinion, the future will be, in many ways, like the past and present but with some serious restrictions put on how data is collected, stored and ultimately used in marketing.

Content Will Always Be King

First, on the web, great content has always driven loyal fans and customers. Content that is designed to educate first and sell second will always be the cornerstone upon which great brands and loyal customers are built. Some very large companies have been built totally upon content without ever buying a single ad.

In both the virtual world and the real world, people are naturally resistant to the hard sell. Digital advertising is, in many ways, a hard sell. The proliferation of ad blocking technologies over the last decade has rendered quite a bit of digital advertising wholly ineffective. And the more personalized and individually tailored that advertising has become, there is a sense among many people that advertising has become creepier and more invasive. With both present and future legislation, it is clear that digital advertising is going to see some major shifts in the coming years.

While advertising will never disappear completely, in the next few years there will be a major shift towards new and creative ways of doing inbound marketing that relies more on first-party, opt-in, permission-based marketing to generate leads and customers. This will be a wholly welcome change, but it will require a shift in thinking that may take some time to adjust to. Companies will still use paid advertising to increase their reach, but their visibility will be limited by a growing crackdown on tracking technologies—most notably cookies and tracking pixels.

Since the earliest days of the web, companies have always loved to have relationships with prospects and customers that don’t cost anything. Marketing channels such as organic search (SEO) and email have long been considered the crown jewels of marketing channels. But because they require a lot more work to set up and have not always been as dependable or as measurable as paid ads have been, many companies have found paid advertising to be easier to understand. You spend a certain amount of money on ads, get wide exposure and hopefully some leads and sales as well. The results are fast and it’s easy to measure the ROI.

First-Party Data Will Be The Standard

As global privacy laws continue to evolve, a few trends are beginning to become clear.

First, the days of third-party cookies are numbered. In 2020, Google announced it was dropping support for third-party cookies by 2022. As of July 2022, that date has now been pushed to the second half of 2024. Apple’s rollout of iOS 14 has added substantial privacy protection to from tracking on the iPhone. These are just two examples of a larger trend away from being able to track users via cookies and pixels or de-anonymize them in other ways. This mainly affects paid advertising but there is other marketing technology that relies on third-party cookies.

Second, web analytics platforms are increasingly finding themselves in the cross-hairs of regulators for their data collection and storage practices. As I write this, over the past several months Google Analytics has been declared illegal in France, Italy, Austria and the Netherlands. The illegality stems not from cookies but from where the data is stored once it is collected. The European countries don’t want their citizens’ data sitting on servers of technology companies in the United States. This trend is only going to continue.

Both of these issues point to the fact that tracking anonymous visitors from both paid advertising campaigns as well in web analytics platforms is going to get more difficult—a lot more difficult. And if these types of privacy laws eventually end up in the U.S. (which they eventually will), look out. Hopefully, all of the advertising networks and web analytics platforms will evolve and come more in line with the new realities of digital privacy. Consumers are starting to demand it and it just makes good business sense.

In the future, the only data that website owners will be able to collect and store is data that they generate on their own web properties, commonly known as first-party data. First-party data has some caveats though.

First, a user must authenticate themselves via registration and sign in. This will work for some websites but not for others. But if a user does register and log in to a site, they can be assigned a customer ID.

Second, assigning a durable customer ID is only part of the issue. The data that an authenticated customer generates must also have some way of being stored in a secure way and also be made actionable for various marketing initiatives. The current solution involves a new wave of marketing technology called Customer Data Platforms (CDPs). There will be others as the laws and technology evolve over the next few years.


At the end of the day, marketing is about connecting with people and helping them solve their problems. The proliferation and evolution sophisticated ad tracking and targeting has just been an extension of marketers’ desires to know everything there is to know about their customers.

And while it can certainly be helpful to know a lot about your potential customers, there is a point at which more data does not equal better marketing or more sales. Eventually, people figure out they are being tracked and they either tune it out or actively try to avoid it. It harms rather than helps.

As someone that has worked in digital marketing and analytics for a number of years, I can’t honestly say that several of these changes leave me as unsettled as any other marketer. However, one thing I’ve learned from working in the industry is that evolution is inevitable and that change is the only constant. To survive in this industry, you must be willing to continually evolve and learn to do things differently. What worked well just a few years ago might not work today.

One thing is for certain. The legal and technological landscape of digital privacy will continue to evolve over the coming years and decades. It will be a delicate balance trying to reconcile the interests of all parties—governments, companies and consumers. The evolution is definitely going to be messy as this all gets sorted out. But hopefully, what emerges on the other side is an internet that is far more dynamic and safer for all people.