Google’s decision on third-party cookie deprecation—and what is still at risk for your brand.

Google's latest move doesn't signify a step back in prioritizing consumer privacy. Instead, it emphasizes giving users more individual control over their data. Similar to Apple's App Tracking Transparency (ATT) framework that rolled out in 2021, consumers will be given a more prominent opt-in/opt-out choice within Chrome. This functionality already exists within the browser’s settings, but will be surfaced in a “new experience” in the future, according to Google.

For brands who have not made significant progress in mitigating the impact of third-party cookie deprecation, this announcement might seem like a lifeline. However, even without a specific cut-off date from a centralized body like Google, there will still be a decline in use by consumers. With a gradual erosion as consumers opt out, the bigger danger is that many brands won’t realize that the third-party cookie pool is getting smaller and smaller, and therefore less useful for their ad strategy.

We expect the majority of third-party cookie signals to shrink, regardless of Google’s decision.

The digital industry has seen this scenario play out in the past, and the data shows the impact will still be huge, if just gradual. When Google switched to a third-party cookie for Google Analytics over ten years ago, Sayf Sharif, SVP Data, says that his analysis showed “some sites were losing over 80% of their traffic, depending on the industry, due to the adoption of ad blockers.”

This trend has repeated itself over the years; based on the impact from Apple’s ATT rollout, we’d expect to see cookies “capture maybe 15% of the available universe,” according to Liz DeAngelis, SVP Digital Strategy. Even if third-party cookies will continue to exist as an option within major browsers like Chrome, consumers have shown time and again that when made aware of their options, the majority will opt out.

Moreover, third-party cookies have proved increasingly ineffective in today’s digital landscape. Sharif points out, “We still face numerous challenges for measurement, activation and attribution (such as a high use of ad blockers, consent rules and fast cookie expiration), which make a focus on a cookieless approach to measurement and attribution a priority.” This shift to consumer choice underscores the reality that brands should continue to avoid over-reliance on third-party cookies.

Regulatory and consumer influences on third-party cookies helped shape Google’s decision.

The journey to Google's latest decision has been shaped by a blend of regulatory pressures and evolving consumer expectations. “Google has been caught in the crosshairs between evolving global privacy regulations and competition laws in a range of markets, most notably Europe,” says Benjamin Combe, Sr. Director, Data Optimization and Personalization. Similar regulations like the Australian Privacy Act have gained steam elsewhere, reinforcing that this is a global trend, not a regional or cultural one.

Meanwhile, consumer behavior has shifted toward greater consent and control over personal data. The move toward giving users the ability to set their preferences in Chrome, then, is well aligned with the experiences consumers seek online—and their changing attitudes and expectations toward digital privacy. Combe adds, “It merely reflects a more gradual end to a long-running, multi-factored trend. Google will no longer be the executioner, but third-party cookies are dying regardless—and their utility as the foundation of digital advertising’s targeting and attribution capabilities will not return.”

Still, cookies haven't been the only source of scrutiny in recent years. Google's Privacy Sandbox, a privacy-safe alternative to third-party cookie tracking, has faced several challenges since its announcement in 2020: the initiative has struggled with lack of adoption, anti-competitive scrutiny, conflicting industry feedback, mixed testing results and regulatory pressure. “Google’s Privacy Sandbox raised anti-competition issues with the UK’s Competition and Markets Authority (CMA), while simultaneously raising privacy concerns with the European Centre for Digital Rights and the UK’s Information Commissioner's Office,” Combe adds.

In short, both the regulatory landscape and consumer demand for greater data control led us here. So, what are brands supposed to do next?

Your brand’s first-party data strategies still need to evolve, or put your visibility and efficacy at risk.

Google's decision to give users control over third-party cookies rather than enforcing a complete deprecation has different implications depending on where brands stand in their preparation journey.

For businesses who may have used previous postponements of third-party deprecation as an excuse to delay action and conserve their resources, Tyler Stewart, Media Solutions Architect Lead, sees challenges down the line: “Smaller businesses may not have had the luxury of being on the front foot. In the longer term, this may only widen the gap between haves and have-nots as larger enterprises find themselves better positioned to compete in the privacy-first future.” Our advice to them: start prioritizing a cookieless approach now by focusing on first-party data and robust measurement strategies. Investing in AI-powered solutions and privacy-preserving technologies remains critical for future-proofing your marketing efforts.

Brands that have already embarked on their third-party cookie deprecation and privacy roadmap initiatives, meanwhile, have no need to pivot. “Strategies like the judicious use of first-party data, consent management, modeled measurement solutions and conversion recovery mechanisms will continue to be future-proofed strategies worth investing in,” says Stewart.

If you’re in this camp, don’t feel as if your efforts were in vain. “Those that have invested in reducing the impact of third-party cookie deprecation should take pride in being ahead of the curve with respect to utilization of first-party data, increasing compliance with global privacy regulations, innovating in measurement capabilities, and respecting their customers’ preferences,” says Combe. Staying the course will help future-proof your business’s data as the industry standards continue to evolve.

Better solutions for measurement will be customized for your business.

As an industry, the fragmentation and complexity we’re seeing across the digital ecosystem indicates we’re unlikely to move back to a uniform standard. “If you want to reach your customers wherever they are digitally, you need to be looking for new solutions for targeting, buying, and measurement. We can no longer rely on a consistent tactic that the entire industry adopts; brands need to move on from awaiting the next cookie alternative, and work on the solutions that are best for your company,” says DeAngelis.

The right strategy for your brand will depend on the complexity of your digital footprint and the data that’s most valuable for you to capture. To measure efficacy of your marketing activity, an important first step is to establish server-side tracking for your advertising, and take advantage of any event APIs from ad platforms, such as Meta’s Conversions API (CAPI). But in the long run, deterministic (user-level) measurement models will continue to weaken over time. Probabilistic models that assess changes across your entire business and media mix for causal contribution will be a necessity in the future, not an option. Strategies like Market Mix Modeling (MMM), or a Cookieless Multi-Touch Attribution (MTA) model offer viable alternatives to those challenges.

Similarly, identity resolution and user graph technologies are still viable for targeting, but a clear winner has yet to arise across the many providers that brands can choose from. As part of the announcement, Google emphasized that Privacy Sandbox will continue to be supported and developed as brands look ahead toward adapting their strategies beyond third-party cookie reliance—a goal that will remain important should users choose to opt out of third-party tracking en masse.

Move forward with a privacy-first marketing strategy.

No matter where your brand stands on the spectrum of cookie deprecation readiness, the path forward remains clear: continue to prioritize privacy-first strategies and the development of robust first-party data practices.

While third-party cookies have a new lease on life for now, they will never be as functional as they once were. They have already been deprecated in most non-Chrome browsers, and with Chrome indicating it will implement greater user permissions and controls, their availability is likely to continue declining—think of opt-in rates for ATT on iOS as a comparable scenario.

Brands should see this as an opportunity to stay ahead of the curve by continuing to invest in first-party data practices, consent management, and alternative measurement solutions—for teams that need advisory and executional support here, our data experts are ready to talk. The shift towards a privacy-first future is inevitable, and those who adapt proactively will be best positioned to thrive.

To enhance user control over data collection and personalization, Google has introduced two new parameters in the Consent Mode arsenal. These parameters allow for more granular consent settings, specifically related to advertising data passed to Google:

• ad_user_data: This parameter manages consent for passing user data to Google for advertising purposes.
• ad_personalization: This parameter controls consent for personalized advertising.

In the following paragraphs, we delve deeper into the importance of Consent Mode Version 2 (V2) and its implications for user privacy and data management.

Why is it important?

Google stresses the importance of obtaining consent from end users in the European Economic Area for the use of their personal data, as required by law, when incorporating these new parameters. It is important to note that these requirements also extend to cases where Google Analytics data is shared with Google Marketing Platform (GMP). For example, if you are sending Google Analytics 4 (GA4) to GMP or importing GA4 conversion to optimize ad campaigns on the GMP side, you should collect these new consent parameters.

For customers who have implemented Consent Mode, the ad_storage parameter will be automatically mapped to the new ad_user_data parameter starting March 2024. This means that when consent is granted or denied for ad_storage, ad_user_data will respect the same setting, ensuring that the performance measurement capabilities of your original implementation continue to work as expected.

No changes will be made to the new ad_personalization parameter configuration, but it is necessary to integrate the new consent mode parameters to maintain access to tag-based audience and personalization features through Google Ads, GA4 or GMP. This can be done either directly in your Google tag (gTag) or through a consent management platform (CMP) that has successfully migrated to the new version of consent mode (for example, OneTrust recently confirmed they completed the updates for two new consent parameters in new integration).

Understand Consent Mode V2’s impact on data collection.

Deciding not to implement/upgrade to Consent Mode V2 will impact audience collection in your GA4 property. The size of audiences you use for remarketing will likely decrease since there is no user consent collected for the ad_personalization parameter.

And as we mentioned above, should you fail to collect the ad_user_data parameter, which is necessary for sharing conversion data from GA4 to GMP, Google ensures that it will be appropriately mapped to the existing ad_storage parameter. This means that at least a Basic Consent Mode implementation is mandatory.

It’s equally important to emphasize that obtaining user consent extends to data tracking in mobile applications as well as data uploads to Google. Make sure that you send consent parameters with this data. Otherwise, if data sent to GA4 is not labeled as consented, it will negatively impact conversion tracking and audience size for remarketing. You will not be able to share conversion data with Google Ads for campaign optimization and will not be able to leverage data modelling. And in the case of audiences, you might see a decrease in the size of your remarketing audiences if you do not collect ad_personalization consent.

Validate your Consent Mode V2 setup.

To validate Consent Mode V2 setup, you should check the network requests tab in the browser’s developer tools. In the Network tab, the gcd parameter should appear in all requests sent to Google (GA4, Google Ads, etc.)

Important: If you are sending data to the server side container, you should look out for a parameter called ‘sst.gcd’ in the same Network request. Its value should be the same as the gcd parameter value.

Each value starts with the number 13 and ends with the number 5. In between, you’ll find a string of letters separated by the number 3. These letters correspond to different consent states (either default or updated), and their sequence corresponds to the following signals: ad_storage, analytics_storage, ad_user_data, and ad_personalisation.

If this sounds confusing, don’t worry. Using the table below, we’ll decode an example gcd string together:

Let’s decode the example 13v3u3v3v5:

• ad_storage = granted (both by default and after update)
• analytics_storage = denied (granted by default and denied after update)
• ad_user_data = granted (both by default and after update)
• ad_personalisation = granted (both by default and after update)'

Recap 

Google's release of Consent Mode V2 is crucial for businesses operating in today's privacy-focused landscape, ensuring:

• Enhanced User Control: It empowers users with granular control over their data. This transparency builds trust and fosters positive user experiences.
• Compliance with Data Privacy Regulations: Consent Mode V2 helps businesses comply with evolving regulations like GDPR and CCPA. 
• Accurate Data Measurement: For businesses, Consent Mode V2 provides a clearer picture of collected data. This allows for more accurate measurement and analysis in advertising and digital analytics. This, in turn, helps optimize marketing campaigns and improve user targeting strategies.

Future-Proofing Data Practices: As data privacy regulations continue to develop, Consent Mode V2 positions businesses for the future and helps companies demonstrate a commitment to responsible data collection.

One key feature that will play a crucial role in ensuring compliance and maintaining effective marketing practices is Google's Consent Mode. In this blog post, I will explore—with insightful contributions from my colleagues Asli Yidiz, Deborah Widdick and Valentina Villino—the impact of the DMA on digital marketing and delve into the details of utilizing Google’s Consent Mode.

Understanding the DMA.

The Digital Markets Act is a legislative framework developed by the European Union to address the challenges posed by dominant online platforms—or, gatekeepers—and ensure fair competition in the digital market. It aims to regulate the behavior of tech giants, prevent unfair practices, and safeguard user rights. The DMA will introduce stricter rules for digital services, including requirements for transparency, interoperability and non-discriminatory access.

Specifically on consent for marketing, recital 37 of the DMA states that “When the gatekeeper requests consent, it should proactively present a user-friendly solution to the end user to provide, modify or withdraw consent in an explicit, clear and straightforward manner.” In other words, collecting user consent should now better inform how gatekeepers respect choices in collecting and processing user data and offering personalized online experiences.

The act’s impact on digital marketing. 

The DMA will have a profound impact on how businesses approach digital marketing strategies. One of the main areas of focus is users' privacy and acting with valid consent defined in GDPR. The act places a stronger emphasis on user consent and control over personal data, especially when it comes to personalizing online experiences based on user data and preferences. It requires businesses to obtain explicit consent from users for data processing activities, ensuring transparency and empowering individuals to make informed decisions about their data.

One can see the DMA as an extension of the GDPR, where the gatekeepers, also known as “the Big 6” (Google, Amazon, Apple, ByteDance, Meta, Microsoft), need to guarantee that they will provide the right options for consent collection and processing of personal data.

What does this mean for my advertising campaigns?

The DMA mandates that without appropriate measures, our capacity as marketers to retarget within advertising campaigns could be significantly restricted. Due to this regulation, each phase of our audience strategy funnel could suffer. The absence of retargeting lists implies:

• Many customers, who use exclusion retargeting lists to avoid targeting already converted users, might end up wasting a portion of their budget.
  
   
• The restricted segmentation options hinder our ability to deliver diverse personalized experiences. Consequently, marketing messages become generic, which results in decreased click-through rates and reduced engagement in ad campaigns.
  
   
• The lack of retargeting lists also presents challenges for businesses aiming to identify cross-selling or upselling opportunities by analyzing purchase histories and customer interactions.
  
   
• Without retargeting lists, leveraging similar audiences in social media, for instance, becomes infeasible.

Ultimately, this may impact the ROI we can achieve from our advertising campaigns, making it more challenging for marketing departments to demonstrate the value of their paid media campaigns in driving results for their business.

Given that our ability to retarget our audiences based on website activity signals will be affected, we need to consider how audience strategies should evolve in 2024 to ensure that we:

• Continue to test methods to generate value for our businesses through paid media campaigns, despite the new limitations on existing audiences.
  
   
• Actively plan for how to adapt reporting and establish new benchmarks that accommodate these regulatory changes.

The importance of Consent Mode in these times.

Google introduced Consent Mode as a privacy-friendly tool that enables businesses to adapt to the changing landscape of user consent requirements. This API provides a framework for obtaining and managing user consent across various Google advertising products, including Google Analytics 4, DV360, SA360 or CM360.

In a digital marketing ecosystem where brands use Google products for marketing performance measurement and advertising, the Consent Mode tool offers the following benefits:

• Enhanced user experience: Consent Mode allows businesses to deliver personalized and relevant ads to users who have provided consent. This targeted approach enhances the user experience, ensuring that ads align with the user's consent, interests and preferences.
  
   
• Improved compliance: Consent Mode enables businesses to meet the stringent requirements for user consent outlined in the DMA. By implementing this feature, businesses can ensure that their marketing practices are compliant with the legislation, avoiding potential penalties and reputational damage.
  
   
• Optimal performance and measurement: With Consent Mode, businesses can optimize their ad campaigns and accurately measure their performance while respecting user consent preferences. It allows for the use of aggregated data that maintains the anonymity of individual users, striking a balance between effective marketing and privacy protection.

Preparing for the Digital Markets Act. 

To prepare for this significant shift in March 2024 and work towards compliance, businesses can take the following steps:

• Familiarize yourself with the DMA: Gain a thorough understanding of the legislation's requirements, particularly regarding data privacy, user consent and fair competition. Stay updated on any changes or guidelines issued by regulatory bodies.
  
   
• Implement Consent Mode: Integrate Google's Consent Mode into your digital marketing strategy. This will enable you to adapt to evolving user consent preferences, deliver personalized ads, and stay compliant with the DMA. This is best achieved with Google Tag Manager or the Google Tag (gtag.js).
  
   
• Review and update privacy policies: Ensure your privacy policies are clear, transparent and aligned with the DMA's requirements. Provide detailed information on data processing activities, user rights, and how consent is obtained and managed.
  
   
• Educate and train your team: Educate your marketing and advertising teams about the DMA and the importance of complying with the new regulations. Train them on the proper use of Consent Mode and how to navigate the changing landscape of user consent.

In short, the DMA represents a significant milestone in the regulation of the digital market. As businesses prepare for its implementation early next year, understanding the impact on digital marketing strategies is crucial. Ultimately, leveraging tools like Consent Mode can help brands adapt to the changing privacy landscape and build trust with their audience in the digital realm.

Download our whitepaper below to get a quick guide on navigating the new DMA legislation.

These techniques are exciting, as Google has published data demonstrating that double-digit percentage uplift in conversion value is possible. Results clearly depend on having the very best data, the best modeling capabilities and the best activation strategy, which is where Media.Monks teams play an essential role.

Who is this for? Everyone!

Are you in digital marketing as an “analytics person”? Primarily data focused? Technical? You’ll know about enhanced conversions (EC) and value-based bidding (VBB), but beyond the tagging, do you know what’s going on in the media systems and what it’s actually for?

Or are you a “non-technical” marketer? Your talents for campaign setup and management don’t overlap with tagging. Again, you’re across EC and VBB but where does the data come from? Why’s it so tricky to get right? What’s the hold up with the tags?

Regardless of our role specifics, we all need to have as full understanding of the solutions as possible. We need to get a handle on what happens “on the other side” so we can deliver the very best solutions for clients, and for users. Here’s the scoop you need. This is relevant to people on the Search Ads/Display & Video/Campaign Manager side as well as those on the Google Analytics/Google Tag Manager side. Here’s an opportunity to share knowledge… LFG.

Set the scene.

Cookie atrophy is a poorly kept secret. Browser tech continues to erode cookie usage. Third-party cookies are being deprecated from Chrome in 2024, which holds a dominant market share that’s significant for marketers. That doesn’t mean we are on safe ground when it comes to first party cookies though; just check through the details on Cookie Status to see the reality.

As data volume diminishes with sufficient signal quality, we can still use modeling techniques to mitigate for gaps in data, but that’s not a robust solution in isolation. We continue to make every effort necessary to maintain data volume, whilst evolving our tactics to improve efficiency.

This is where EC becomes a playbook entry to maximize observable conversions, while VBB drives greater efficiency by enabling optimization for value rather than volume.

Maximize observable data.

If we have less data, we must have better data quality. By that, we mean clean and clear data where we can clearly see conversions and channels. This means that the data still has utility even if it’s not complete. Where we may have holes due to browser tech and cookie loss, for example, we can still use first-party data to get better conversion accuracy. Enhanced conversions help us see more conversion data, but in a privacy-safe manner.

What it does.

Basically, on the conversion/sale/thank you page, a tag will fire—let’s say a floodlight tag for simplicity. The user’s email address is hashed (encoded using the SHA-256 algorithm), and then added to the tag data which is then sent to Google. This hashed value is then used to match the user with Google’s data to recover conversions that are absent from your data set.

You can use a range of values in addition to, or instead of, the email address. The email address is normally fine. It’s hashed, so no third party (not even Google) sees the data and it’s deleted after use. Google has published in-depth details on how the data is used, and this is essential reading for your teams.

Use best practices for tagging.

Ideally, you’d expose pre-hashed personal identifiable information (PII) on the dataLayer variable which can be picked up easily by Google Tag Manager (GTM) and added to the floodlight.

You can scrape the Document Object Model (DOM) to extract the data, but this is not a robust, long-term solution. You can use Google tag instead of GTM if a tag management system is not available. For offline conversions (leads), you can also upload conversion data via an API.

Collaboration is key.

Tech, data media and legal teams should work closely in order to correctly implement and then validate changes in data volumes.

This is not legal advice, so you need to get buy-in early from your legal team. Advise your teams to make sure EC usage is covered in your privacy policy and cookie policy and that consent is fully informed with a clear opt-out option.

Make sure you know the conversion page path, and that the PII variable is available. Scraping the DOM might be okay for a proof of concept, but don’t rely on it as a permanent solution.

Media teams need to make simple configuration changes and then report accurately on conversion volume changes. Use your data science teams to establish causality and validate EC is working. Liaise with your media teams regularly after rolling out EC to maintain scrutiny on the data volumes and changes. Be impatient for action (get it done!), but patient for results—manage expectations regarding timing, change may take weeks.

Using value-based bid optimization.

As we progress along the path of digital maturity, our tactics adapt and evolve. Where it’s normal and fine to optimize for click volume in the early days, the optimization KPI changes as our business grows. We aim to reduce cost, grow revenue, build ROI and ultimately optimize for long-term profit.

Optimizing a campaign for click volume was a brute-force budget tactic. Optimizing for value (profit stems from value) is a more precise allocation of budget. How the budget is allocated is the clever part.

Optimize for value.

Consider an ecommerce site where the obvious valuable outcome is a sale. There are other outcomes that serve as signals to indicate a user may be a valuable customer: viewing a product detail page, adding to cart, starting a checkout. All actions lead to the conversion, all with varying degrees of value. As each outcome is completed, fire a floodlight to inform GMP that the user has performed a “high-value action” worth €x. These actions and values are then used to automatically optimize the bid for the user.

Previously, defining the values associated with an action was a matter of experimentation. Now you can use an online calculator to refine these numbers.

This approach to value-based bidding needs a level of data volume and quality that is delivered by using EC with VBB—and is extremely powerful. It has few moving parts, but the values are static, commercial values that don’t always reflect the user’s likely behavior. To address this, let’s look back at an older solution to see how we can level up this approach.

Using coarse-grained optimization.

Previously, we’ve used machine learning to build a predictive model that will output an answer to “how likely is it for user X to convert”? At scale, the data is imported into GMP as an audience, and we use this to guide where the budget is spent. A simple approach here is to build a set of audiences from the model output to drive bid optimizations:

• “No hopers” with the lowest propensity to convert: €0.
• “Dead certs” with the highest propensity to convert: low or €0
• “Floating voter” with medium propensity; needs convincing: €maximum

This technique has delivered great results in the past. There are shortcomings, however. With three audiences, the segmentation by propensity is quite coarse. As the number of audiences ramps up, there is more to compute and more to maintain in terms of infrastructure. The user needs to revisit the site to “get cookied” and be included in a remarketing audience.

There is a more modern approach that addresses the shortcomings from these techniques.

Modeled VBB optimization goes even further.

We’ll now blend these two solutions with server-side data collection (sGTM). Server-side data collection has a number of key features that make it very appropriate for use here:

• First, it allows data enrichment in private—we can introduce profit as a value for optimization without exposing margin data to third parties.
• Additionally, first-party cookie tenure is enhanced by server-side data collection. Your first-party cookies are set in a way that prevents third-party exposure—browsers like this and take a less harsh view of them. This is better for your first-party data quality.
• There is no need to revisit the site to establish audience membership; all cookie-ing is done in the pixel execution.

So now, we can fire floodlights for our sales conversions, attach per-item profit data at the server level and optimize bids based on user profitability. Awesome, but what about the predictive model output?

At the server-side data collection point, sGTM can integrate with other Google Cloud Platform (GCP) components. As well as extracting profit data, we can interrogate a propensity model, and for each high-value action per user, ask what the propensity is for the user to convert. The predictive score is then attached to the floodlight to drive VBB.

This has fewer moving parts than the older solution. It solves for the coarse-grained audience feature by delivering per user scoring as the data is collected. Again, we team this up with EC to maximize conversion visibility and drive powerful marketing optimizations.

Optimize your marketing with EC and VBB.

These techniques have existed in isolation for some time. With a broader understanding of the data requirements, and the activation of the data, we’re all in a better position to use privacy-first marketing optimizations to deliver efficiencies for clients, and ultimately, a better, more useful online experience for consumers.

On the one hand, according to KPMG research, 40% of consumers are skeptical of companies’ ability to protect their personal data and privacy online. However, BCG and Google and IAB surveys indicate that 75% of respondents only want to see advertisements that are relevant to their preferences. This is why it is critical to have solutions in place that address these two priority needs: privacy and relevant content.



As a senior digital analytics expert and team lead, I have conducted several privacy audits over the years, and through the process have identified some pitfalls that I believe are more common than others and can jeopardize data protection. Fear not, for this article unveils these treacherous traps! Prepare to learn about the top four things to avoid when configuring privacy settings in your digital analytics deployment.

The "Track Everything" Temptation

Ah yes, the allure of “Tracking Everything” that will inevitably cross our minds: “There is no priority or business case, we want to track everything.” But wait, dear data adventurers, let us not abandon the noble principle of “privacy by design.” Casting this principle aside brings great peril to our ethical data practices.



The Track Everything temptation is frequently felt by teams with large budgets that are using multiple analytics tools to track the same data points, spending the majority of their time arguing about which tool is registering the correct numbers. They want to be able to answer any question, when what they should be focusing on is finding the right questions to ask.

This is because the Tracking Everything approach puts privacy at risk: in fact, this statement directly contradicts the principles of privacy by design. It will put the brand in the position of collecting information they don’t need, breaching the privacy of the final user. Essentially, you would be spending a lot of money to risk paying a large fine. 

Regardless of privacy concerns, this behavior is costly in other ways. It reveals some data immaturity, which can lead to difficulties in keeping your data sets tidy and cost-effective. As a result, data consumers may become skeptical of your analytics product.

This prioritization can be accomplished through a well-defined measurement strategy. To define said strategy, consider which signals you would most likely expect to see in your data set when users are engaged (or not).



As a preliminary step, I recommend hosting a workshop with all stakeholders to define priorities and leverages. Then—and only then—start collecting data. This will help you develop a reliable and trusted source of truth that includes all relevant stakeholders.

You can always add data points as you go through your analysis and come up with new intelligent questions, but tracking data simply for the sake of having it is wrong. Your stakeholders will be grateful. People who need to kill ants should not be sold bazookas. Help them grow at a pace they are ready for.

Implicit Consent by Default

I frequently see implicit consent set as the default setting, and other regulations such as GDPR applied on a regional basis. If your CMP's geolocation is blocked for any reason (yes, I've seen this happen), you run the risk of implicit consent being applied to countries where stricter regulations should be applied instead.

If the company operates primarily in a region where implicit consent is permitted, it may make sense for the DPO to accept the risk and leave it alone. However, if you want to be privacy champions, the default setting should be the safest option available—that is, the stricter regulations should be applied by default, while the more lenient regulations should be applied on a country-by-country basis. Consider that most regions that do not have a regulation are evaluating its enforcement, and it is never too early to demonstrate to your users that you care about them.

The Regional Tag Triggers

A common misconception is that marketing tags do not require blocking triggers if they only fire on region-specific sections of websites. 

Because this type of deployment is "tag specific," it will necessitate extensive maintenance and is more prone to human error. Furthermore, even if implicit consent is assumed for a specific region, it is critical to follow privacy regulations such as ePrivacy and GDPR when individuals in other regions (e.g. the EU) access an app or a website.

Instead of relying on tag management system triggers, ensure a scalable and privacy-compliant deployment by centralizing the decision on implicit or explicit consent in your CMP. Ensure that all marketing tags have the same consent set-up, regardless of where they should fire (e.g. fire only if ad_storage is set to granted). If they're marketing tags, they'll always be marketing tags, no matter where they fire!

In Google Tag Manager 360, employing a zone-based approach to group tags with the same purpose can be highly effective. This enables you to configure consent compliance only once for a specific zone (say, "marketing tags") and apply it to all tags that belong to it.

Misunderstanding the Scope of Google Analytics Tags

It is a common misconception that GA tags only set cookies for analytics purposes. However, both GA3 (Universal Analytics) and GA4 make use of features such as Google Signals and Remarketing, which require user consent to use personalization and remarketing identifiers.



Fear not, for Consent Mode arrives on the scene, championing compliance effortlessly. When properly set up, Consent Mode takes care of consent-based features automatically. Yet, if it's not in sight, we must devise an explicit setup.

When Consent Mode is not in place, you can disable Google Signals and/or the Remarketing features programmatically. All advertising personalization features can be disabled by setting the "google_signals" parameter to "false" by default and "true" only when the user consents to being identified for marketing purposes.



In short, consider these common pitfalls and proposed solutions to ensure compliance with privacy regulations when deploying privacy settings for digital data collection. Prioritizing privacy not only protects individuals' personal information, but also contributes to brand trust and, ultimately, improves your customer experience.

Finally, please keep in mind that this is not legal advice, but rather my ethical position on the subject. When making privacy-related decisions, we recommend that you consult with your DPO and legal team.

Modeled Value-Based Bidding addresses these challenges for marketers:

• Third-party cookie deprecation and tightening privacy regulations pose significant headwinds for brands looking to connect with consumers.
• With first-party data sources and data volumes growing at breakneck speeds, many marketers are overwhelmed by managing data manually.
• Companies that have large data sets can’t manage manual bid strategies with one person or even a team.
• More and more advertisers are looking to understand how AI and machine learning can fit into their digital advertising and data strategies to help drive efficiencies.

Working as a Senior Data Specialist, I’ve come across a series of common mistakes that prevent enterprises from leveraging this tool to its full potential—and consequently, accessing the true value of their data. During a series of panels at Melbourne MeasureCamp, I was lucky enough to host a session on these observations and some recommendations so that brands can bank on actionable insights into user behavior and application performance. If you missed it, continue reading for the main takeaways.

Learning #1: Only one Firebase project can be linked to one GA4 property.

An important thing to consider when it comes to integrating Firebase with GA4 is that only one Firebase project can be linked to one GA4 property. This means that if there are multiple Firebase projects, it’s necessary to transfer all applications—regardless of operating systems or development cycles—into one project and link it to the main GA4 property. 

This requires careful planning and a deep understanding of how Firebase projects are set up.  Keep in mind the potential technical challenges and limitations in migrating apps from one project to another. For example, certain app developers may have their own preferences in terms of project setups, so you need to talk to your development team and understand what that looks like. 

Also, be aware of dependencies such as Crashlytics or BigQuery exports setup when moving apps from one project to another. Each Firebase project can have multiple stack integrations, and we should be ready to reconfigure all of them. Make sure you have historical data and map out timelines for these app migrations.

Learning #2: Standard naming unlocks customer insights. 

The main reason why you’d want to integrate Firebase with GA4 is that it provides valuable insights about user journeys across web and app platforms. However, the only way to unlock those insights is by ensuring standard naming conventions for web and app events. 

First, you’ll need to create a Google Sheet or an Excel spreadsheet to standardize the naming of events and parameters. Here’s an example:

As you can see, we recommend having standardized event names and parameters across web and app platforms in GA4. It may seem simple, but it's not uncommon for organizations to use different conventions on different platforms, making it harder to cross-reference the data.  

Other tips to make the process easier include:

• If you have a website, but no app implementation yet, rely on your web and GA4 Recommended Events to name the event and implement these for the app.
• If you already have an app implemented with Firebase, use the mapping sheet to understand which events from the app can be mapped to web. It is easier to rename web events with GTM than doing so for the app.
• Align with both web and app development teams for naming conventions. For example, using camelcase (e.g. SignUp) vs snake case (sign_up)

Learning #3: Be Aware of Data Collection Limits.

When you use Firebase to collect data from your apps, it’s important to be mindful of the data collection and configuration limits. Firebase Analytics does not log events, event parameters, and user properties that exceed certain limits—which means that the platform will drop the events and stop tracking valuable data even if you exceed the limit by a few characters. 

In my experience, this mistake is especially common among developers who implement the Firebase SDK without really knowing about the limits. These are some of the main caveats and my respective recommendations for them:

• Event parameters limits: 25 parameters per event may seem a lot, but it may add up if you’re sending ecommerce events. GA4 and Firebase will drop the events and event parameters if you exceed this limit.
• Be careful not to go over the maximum length of the event parameter value, which currently stands at 100 characters. Be aware of user-generated values (e.g. listing name in marketplaces)
• Remember that Firebase does not accept array type parameters.
• When setting up BigQuery export for GA4 (with both app and web streams), check the usage in advance so that you don’t get shocked with the cost for the storage and querying the data. Pro tip: Set up daily aggregated tables for important metrics instead of querying directly from raw export tables.

In conclusion, it is essential to be aware of limitations around linking Firebase projects with GA4 property and plan ahead for your migration. Create a mapping sheet to map the events across the website and apps and standardize app and web events naming. Take note of Firebase data collection limits and make sure you are not going over the limits and risk losing your data. Finally, learn how to debug apps using Firebase Debug Mode, a bonus tip that can save you time and headaches.

What are the core capabilities of this technology? First up, CDPs support data aggregation, giving you a better and more unified view of your (prospective) customers. Second, they help you unify multiple data sources through a single ID manager, thereby facilitating ID resolution and management. Third, CDPs help you understand how customers act on different channels and thus enable you to predict consumer behavior. Finally, CDPs support customer activation. They’re first-party data tools that focus on making sense of different data sources, while executing effortless activation. 

Essentially, CDPs can help you diversify your brand’s targeting strategies and reach audiences at scale, all by leveraging your first-party data. If you ask our Associate Director of Customer Data Elia Niboldi, first-party data is your most valuable asset, not only because it’s durable and exclusive to your company, but also because it will be central to any future targeting strategy—and Customer Data Platforms are here to help you leverage this data. Niboldi sat down with Ian Curd, Global Consumer Data Director at Diageo, Martin Kihn, SVP Strategy, Marketing Cloud at Salesforce, Jackie Rousseau-Anderson, Chief Customer Officer at BlueConic, and Chris Thomson, Account Director, Strategic Finance Accounts at Treasure Data, to talk all things CDPs and why now is the time to dive into this complex technology.

These are not off-the-cuff suggestions, as the impact of ignoring or misinterpreting these recommendations is plainly visible. With privacy currently being the fastest moving field in our industry, we’re reaching the point where most—if not all—professional discussions have a privacy angle. While that’s great in terms of profile, it’s not really good in terms of quality.  

If you ask me, most cookie banners are subprime usability blockers that annoy users and turn them away. At worst, they’re dark patterns obscuring malice. When the most common denominator is so prevalent—that being lousy banners—we get what is called banner blindness, a phenomenon where web users (un)consciously ignore any banner-like information. When that symptom kicks in, it’s a downhill race to the bottom.

A likely sequence of events then plays out: marketers settle on a nice and easy bottom feeding tactic, the whack-a-mole game of privacy merry-go-round spins through another orbit as either tech, public opinion or regulators (or all of the above) make a new move to counter it. Recently, for example, it was Brave’s turn in the game of ignoring the privacy elephant in the room. The company announced it was going to block cookies by default and roll out a cookie pop-up blocking feature to Android and desktop users, which is arguably a step backwards. Rather than adding any clarity around what data is collected and why, the browser actually acts on behalf of consumers and removes choice from the user. It’s important to highlight that regulation is not anti-business, but it’s pro-consumer. Privacy-enhancing technology needs to respect this narrative. 

My former colleague (and still just as wise) Myles Younger powers his crystal ball with some nostalgia to suggest consent pop-ups are dead. “Someday soon we’ll look back on cookie consent pop-ups the same way we look back on “300 hours of free AOL” CD-ROMs littering our sidewalks. The farcical dying gasp of a dying way of transacting a digital thing,” Myles argues—and he is not wrong. It’s been seen before, as observed by the analytics supremo Simo Ahava, who argues that Do Not Track was a failure from the start. Diving into the implications of Safari’s Intelligent Tracking Prevention, better known as ITP 2.1, on web analytics, Ahava says that “Funnily enough, ITP 2.1 removes support for the Do Not Track signal in Safari, denoting the end to this miserable experiment in WebKit. Had more sites respected DNT when determining should visitors be tracked or not, perhaps we wouldn’t have seen ITP 2.1 in its current shape.” 

Consent management is anti-user.

Why are these well-meaning initiatives failing? Google surveyed over 7000 people across Europe in 2021 and found that users want to have control of their data. Recent follow-up research quantified the degree to which the feeling of control influenced customer confidence in brands. The conclusion? A positive privacy experience on a site has a measurable positive impact on a brand.  

So, how can you create such a positive privacy experience and avoid the pitfalls that we’ve seen with Do Not Track (DNT) and the current crop of Consent Management Platforms (CMP)? If it’s up to Google, brands should make the experience:

• Meaningful by showing people what they get in return for sharing their data
• Memorable by reminding people what data they shared and when
• Manageable by providing tools for people to manage their privacy

The demise of third-party cookies means the future of first-party cookies. 

For many, applying this mnemonic to first-party cookies is a work in progress. Cookie consent banners are still relatively new, even though third-party cookies have been under threat for many years. We know which browsers restrict their use and we expect these restrictions to extend to Chromium browsers in 2023.

If digital marketing can’t function without third-party cookies, this has the potential to hit big tech in the coffers, and we cannot allow this to happen. There’s a clear motivation to solve existing use cases by utilizing privacy-enhancing technology—this is where The Privacy Sandbox comes in. According to a Google statement, “Privacy Sandbox for the Web will phase out third-party cookies and limit covert tracking. By creating new web standards, it will provide publishers with safer alternatives to existing technology, so they can continue building digital businesses while your data stays private.”

We’ll see the next phase of testing kick off in 2023 when the Privacy Sandbox API is publicly available for testing on Android. Right now, this is API testing, which means that they’re testing for developers rather than users. The user testing phase is where it gets real for real people. This is the opportunity to succeed, think of Google’s mnemonic, instead of failing like DNT and CMPs.  

Cookie management sitrep.

Right now, you can open the settings in your browser on each device and scroll through the list of cookies for each site, and decide to delete them. You can then visit the site and repeat the exercise in the “manage cookies” section of the CMP.  However, this current process doesn’t fit in terms of being manageable. In fact, the term laborious doesn’t even begin to describe it.

When it comes to qualifying as meaningful, cookie management has a low score because it’s so opaque—how can you tell who else is getting access to the cookies and for what purposes? As for memorability, most users only remember the frustration and tedium, but little else regarding their choices.

So, considering the future of cookie management, how might the Privacy Sandbox address the choices users have to make with regards to “tracking” and their privacy? While this section is entirely speculation and therefore not an official roadmap, it’s aspirational with the aim to be realistic and pragmatic. My thoughts are as follows. 

• Users get to decide what topics they are interested in and willing to share with third parties.  
• Users allow the browser to build a list of topics, but the user reviews and controls the list periodically asking to be reminded on a set schedule.
• Users can choose to set their topics to apply across all sites they visit. Any advertising they see on any site they visit will use and respect these settings.
• Users can choose to review their topics preferences on a per site basis. Users get to curate (and review) their own whitelist/blacklist for sites or types of sites.
• Users ask to be reminded to check their preferences every so many days, weeks or months.
• Users can choose to reset all data in the browser automatically every so many days, weeks or months.

Now, let’s apply similar controls to first-party cookies:

• Users will be able to tell the browser what type of cookies they will accept, and whether they want to be measured—anonymously or otherwise.
• Users can specify this applies to all sites, some sites (whitelist) or types of sites.
• These settings are reviewed on a scheduled basis.

What are the right default values to apply on first use? The good news is, there are no default values. On first use, and on a frequent basis, the user must explicitly set their own first use values. In other words, no values are suggested or automatically preselected.

How is this different from a CMP banner? Set it once, and make a conscious set of decisions with no intrusive user experience on every site or app you use. This could actually be set at a “profile” level across all devices and all browsers. This requires less mark-up and coding to be done by site owners. In short, there’s less to maintain, less to go wrong, less to slow down and less to cause friction.

How is this different from DNT or Brave? A more granular approach and a genuine user-controlled choice are the fundamental differences that make this approach manageable and meaningful. The range of choice is meaningful and the act of making a choice is manageable as it is made as friction-free as possible. Moreover, having to make a choice is memorable, as well as the ability to set reminders to review these choices at your convenience.

Now is the time to apply these lessons for the future.

The challenge for The Privacy Sandbox is to reduce friction, increase transparency and enhance authority. The privacy improvements will cater for existing use cases as well as provide a manageable, meaningful and memorable privacy experience for users.

That said, what’s the takeaway for digital marketers? Google said that “The Privacy Sandbox on Android will be a multi-year effort,” so what to do right now? Circling back to the start of this article, it’s important to:

• Take control of your data
• Embrace the regulatory spirit
• Go beyond the bare minimum
• Make it meaningful, memorable and manageable

Though we accept the looming end of the third-party cookie, this doesn’t mean we have to stop digital marketing. New privacy-enhancing tech changes the methodology, as the same use cases are catered for with new tech to enable better ad serving. Having learned from the success of these technologies applied to the end of third-party cookies, we can confidently focus the lessons on our first-party data collection. What works across sites and apps must also have the same utility on individual sites and apps. Keeping that in mind, the end goals remain:

• Build a relationship with your customers
• Be transparent
• Be useful
• Be responsible with data

All in all, achieving these goals and aiming to provide a better experience has immense value for your customers and your business.

When it comes to the reason why Google has chosen to deprecate third-party cookies to begin with, an increase in users’ demand for more control of their data is only the start.

Google must also comply with a long list of regulations surrounding privacy, the most notable being the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These regulations ensure that there are certain standards for what constitutes valid consent when collecting personal data, as well as giving consumers more control over the personal information that businesses collect about them.

The phaseout of third-party cookies will support these legislations and ensure the success of the privacy-first era. From an overall perspective, the deprecation of third-party cookies will impact how campaigns are implemented and managed by brands and their partners. Previously, brands relied on third-party cookies to learn about a target audience and their online behaviors. Without this information, we can expect significant impacts on remarketing, frequency management, personalization, attribution and measurement. 

New ways to identify are on the horizon.

Third-party cookies facilitate cross-site audience identification, which essentially allows marketers to “follow” users across the web, collecting data about their interests and online behavior. Each of the tactics above rely on this form of cross-site audience identification, and without third-party cookies, marketers will be unable to access this information about their target market so easily. 

But that doesn’t mean marketers will no longer be able to conduct successful remarketing campaigns, control the amount of times a user views an ad, deliver highly personalized ads, or identify a user’s touchpoints along the customer journey—provided they prepare for the cookie-less future now and minimize its impacts on their digital media activities. 

Since the announcement of the deprecation of third-party cookies, Google has been working on a range of solutions to continue to show relevant content and ads. FLEDGE and Topics are two examples of current Privacy Sandbox solutions for showing relevant content to audiences.  

FLEDGE’s purpose is to serve remarketing and custom audience use cases, without using third-party cookies. It enables interest-group-based advertising by asking the browser to choose which ads users see based on the sites they’ve previously visited. To keep this data secure, the browser conducts an on-device action to select relevant ads. 

Topics is a proposal that enables interest-based advertising without tracking the sites a user visits. It provides topics that a user may currently be interested in, based on their recent browsing history. These topics can supplement contextual information to help select appropriate advertisements. 

However, trials for FLEDGE and Topics are still a work in progress and the solutions are continuously changing, so we must focus on what we can do now to be able to navigate in a world without third-party cookies. Don’t take a “wait-and-see” approach. Those who look to prepare now will increase their chances of success and advancement in the privacy-first era. Here are some strategies to help you on your way to post-cookie marketing success.

Prioritize and invest in a first-party data collection strategy.

To prepare for the deprecation of third-party cookies, marketers should focus on growing quality customer data that informs both strategy and tactics. Utilizing the data from customers who have shown interest in your brand is more reliable and powerful than buying and selling access to third-party data. 

First-party data gathered from your websites, apps, physical stores (including offline transaction data), or other places where customers interact with your business, are all examples of first-party data that you passively—but directly—collect from consumers. Earning this data relies on building a fair value exchange, so that consumer data is understood to contribute to a better experience. Customer trust is built on transparency, hence it's always important to explain how you’re going to collect and use the data in your cookie consent banner or consent management platform. When collecting data about your customers, you must also make certain that you are compliant with regulations such as the GDPR, ensuring you are getting valid consent when collecting personal data and not collecting personally identifiable information (PII). 

With first-party data, brands can evaluate local touch points and preferred paths, while customizing interactions for a superior customer experience. Now is an excellent time to look inward and begin to build the foundations of your data strategy—one that will power your marketing with clean, unified and actionable data. Collecting first-party data and linking it together allows you to have a persistent, cross-device recognition for a single view of your customer, and an overall understanding of your audience. Mondelēz, for example, understood that digital marketing is most effective when you know how to play to consumers’ personalized taste. After helping them along the road to clean data, we achieved a +70% global return on investment.

Focus on collecting information and data you have access to.

As a marketer, you have access to a plethora of data about your customers, whether it be purchase data, device information or email engagement. Having an identification-first approach to customer data will give you an upper-hand to targeting effectively without third-party cookies. With data from third-party cookies being cut off, the priority should lay with first and second-party data, audience partners such as walled gardens, prominent publishers and media platforms, retailers and strategic partners. 

After prioritizing your first-party data and collection strategy, you should focus on building experience with reputable, trustworthy second-party data partners. Second-party data is essentially someone else’s first party data that you purchase access to from partners like Google, Amazon, or large publishers. You should focus not only on historical data, but real-time behavioral data such as users’ devices, interactions with your website, their carts, purchase history, media consumption, as well as the categories and products they visited while browsing on your website. By leveraging second-party data from trustworthy partners, you will have more data transparency and access to more precise and niche audiences which are crucial after the deprecation of third-party cookies.

Conduct a measurement audit. 

Conducting a measurement audit will consist of analyzing everything you’re currently tracking and identifying if it is necessary to be measuring it. It will help you to identify potential gaps and develop a roadmap to achieve measurement excellence that drives business results in a world without third-party cookies. A measurement audit includes the evaluation of current measurement tools and systems, as well as the alignment of key goals to further develop the practice. When conducting the audit, you’ll want to identify the necessary data, reporting and analysis methodology to improve measuring marketing effectiveness going forward to help with planning and forecasting.

Key considerations when conducting the audit are to understand the need and whether you can drive more value from your analysis and analysis partners. You want to develop a robust framework that will be effective and efficient to leverage in your decision making. You also want to ensure the roadmap provides added value, and is adaptive and not difficult to implement. By conducting a measurement audit, you hope to identify opportunities for maximizing the value of your measurement, strengthening your analytic capabilities and performance, and understanding how to holistically link together different techniques for marketing effectiveness in a world without third-party cookies. 

Evaluate your ad tech stack and partnerships. 

It’s important for you to evaluate your ad tech stack and partnerships to identify technologies and practices at risk of deprecation in the near future. Having a strong, well-engineered ad tech stack will create seamless, relevant, and meaningful experiences for consumers and give you a deeper insight into those interactions. When evaluating your tech stack, you must analyze how much control you have over fee transparency, brand safety, streamlined operations, data ownership, targeting and ad serving. Your tech stack should also be able to enable current operations and be able to incorporate future ones. 

A partner risk assessment should be undertaken to evaluate how reliant partners are on non-compliant tactics, data and technology; what their new publisher and media partner offerings are, and opportunities beyond basic ad units. Those partners who rely on non-compliant tactics, data and technology should be making it clear what they are doing to prepare for the third-party cookie deprecation. Marketers should carefully consider their platform partners and ad tech stack and focus on those that can deliver results without third-party cookies.

Consider a dedicated testing budget. 

Marketers should allocate a dedicated testing budget for first-party data practices, audiences and strategies across thousands of variables. These areas should be tested and leveraged, becoming an integral part of the targeting strategy where successful. One way to do this is by  testing and targeting customer experiences to improve digital performance using optimization and personalization. You’ll want to design net new campaigns and tests running without cookies, leveraging experimental design. 

As the data agency of record for Molson-Coors, we’ve spent the last year helping the brand undergo a data transformation that ranges from data acquisition, data activation and optimization. With hands-on-keyboard talent and an in-house team, Molson-Coors is able to use that data to better understand creative and media performance, then make tweaks to drive long-term growth.

By testing audiences and strategies across thousands of variables to build detailed customer profiles and to increase ad performance, scaled experimentation is the best alternative to third-party cookies when it comes to personalized customer experiences, and the performance benefits have consistently been shown to outweigh the costs of investment. 

Don’t wait to get your digital house in order.

Third-party cookies have played an instrumental role in the immense growth in online advertising. Yet their often-intrusive nature is misaligned with current attitudes toward privacy and transparency—so moving beyond our reliance on cookies, while maybe painful in the short term, is a net positive in building stronger brand-consumer relationships. That said, we can expect more changes to data collection and privacy on both the platform and legislative level in the long term; the only thing that’s certain about privacy is that there will continue to be uncertainty. A privacy partner can help you navigate the always evolving world of data privacy with ease, and our Data Foundations offering is designed to help brands build data maturity to meet the demands of a new era, including increased privacy scrutiny.

In a broad sense, laying the foundation of a first-party data strategy will enable a clearer understanding of your audience. Meanwhile, new solutions on the horizon like Topics and FLEDGE will help brands mitigate risk and continue to deliver relevant content to their audiences. But marketers shouldn’t wait for tech giants to implement new solutions before they act. Those who build and enhance the core components and practices of a customer-centric marketing strategy will be better positioned for a world without third-party cookies and thrive in the privacy-first era.