It’s been a time of considerable uncertainty for marketers and the digital marketing discipline as a whole. With GDPR and other data-privacy focused regulations introduced (and often shifting), roadblocks en route to implementing the e-Privacy Regulation in the EU, lack of clear guidance on adtech practices, and a lot of back and forth on whether third-party cookies are on the way out or not, there are more questions than answers. But the bottom line for marketing teams is whether there is a sweet spot where they can balance personalization with privacy and consent with compliance.
Rather than attempt to cover all of Europe or the world, let’s take a look at the digital marketing landscape in Europe’s largest advertising market: the United Kingdom. Consultancy PWC estimates that marketing spend in the UK will reach the 44 billion GBP range by 2028, which means it’s a market in dire need of regulatory clarity… which is strangely lacking. And if a market this large struggles with regulation and the management of consent and cookie handling, surely other markets struggle with the dearth of guidance as well.
Organizations that want to do digital marketing well – and ethically – as well as in compliance with regulations have to walk a tightrope to achieve a balance between personalization and privacy.
Repeated surveys and studies show that consumers want contextually relevant but not intrusive personalization. Up to 79% of consumers report that they are likelier to trust brands with their personal data if it is clear exactly how that data will be used. But at the same time, many companies fail to strike this delicate balance and fail to be transparent about the data they collect and its intended uses.
As privacy starts to be top of mind for consumers, the idea of privacy-centric personalization has become a competitive advantage for those brands that can tap into consent – giving consumers control of their own data – and compliance. A combination of anonymized data and offering clear opt-in options helps to build consumer trust and a foundation for the privacy-protecting measures consumers want and that protect brands as well.
Digital marketing as a practice evolved from the transformative power of data analytics… the ability of companies to collect and analyze a nearly unlimited array of data about users. This data not provided useful insights but ignited the ability to very specifically target people, and potentially sell this data to third parties.
Naturally, we have moved on from this “wild west” of buying and selling data and moved into not only a more advanced technological space but also one in which individuals expect, and regulators require that evolving data privacy apply to all data collection and use. In this increasingly tightly controlled data landscape, marketers face several considerations in preserving data privacy despite aiming to build a personalized experience, including:
Guarding against the overcollection of data, which increases both risk and exposure, violating the spirit and letter of data privacy laws
Making the use of data and their intentions as transparent as possible
Seeking explicit consent not only for collecting and using user data but also guarding against unauthorized sharing with third parties
Following through on consent management – it’s one thing to collect consent, but it’s also critical to be able to prove it and be able to produce a record of consent and data collected. This is more than a checkbox exercise.
Focusing on security, as data breaches grow more frequent and devastating (the more data you have, the greater the damage that can be done)
While digital marketing encompasses many different factors, cookies could be considered the front door, where consent begins. We have seen evidence that indicates that while most companies comply with the requirement to display cookie banners and consent choices for opting in and out of cookies, this is very often little more than gloss on the surface. Whether cookies are configured improperly, not recording user consent preferences properly, or simply not offering all the options that are required, different public sector and watchdog organizations are finding that cookie banners appear – but do not actually enable the meaningful choice they are meant to.
In 2024, the UK’s Information Commissioner’s Office (ICO), which is tasked with monitoring compliance in the UK, wrote to 53 of the UK’s top 100 websites to caution them that they faced enforcement action if they failed to make changes to advertising cookies on their sites to align with data protection laws. The ICO indicated at the time that this was only the beginning of their “call to action” initiative, with cookie compliance and giving consumers a meaningful choice in how they are tracked being key priorities for 2025.
Prioritizing choice and consent puts power back into consumers’ hands – which ultimately benefits marketers and their efforts, regardless of whether third-party cookies eventually get phased out, as has long been threatened. While most large companies like Google and Apple had planned to move away from third-party cookies, a move which remains unclear, regulation is adapting and shifting to encompass other technologies for which consent must be sought from users, i.e., “storage and access technologies” rather than the limited “cookie” concept. All tracking technology, according to Britain’s ICO, is subject to regulatory oversight, including fingerprinting, scripts, tagging, and link decoration and any emerging tracking technologies that appear.
While the UK has been in focus here, it’s important to remember that a lot of digital marketing’s reach is global. Thinking of GDPR and the collection of personal data, any business worldwide that does business in Europe needs to comply. The same holds true for other location-specific regulatory frameworks.
Despite lacking specific laws on cookies, the US has seen a rise in class action suits alleging that the collection of data via cookies, and the subsequent sale of such collected personal data, is unlawful, using legislation on wiretapping to make their case. In the face of the litigation risk posed, the use of cookie banners and consent management is on the rise in the US, even without a blanket law requiring such technology.
While in the UK, the ICO has issued warnings, the European Union’s regulators have been much more actively interventionist, fining those who infringe on regulations. These penalties can be hefty – with the Irish DPA fining online careers website LinkedIn more than 300 million EUR for violations connected with targeted advertising in 2024 and the French DPA fining telecoms operator Orange 50 million EUR for displaying advertising in emails without having proper consent. This is just a high-level sampling, as many businesses have come under scrutiny for their practices.
Continued non-compliance has led data protection agencies throughout Europe to focus squarely on cookie and consent as a cornerstone of data privacy. Several DPAs have launched initiatives to combat misleading cookie banners, including public education projects and proactive cookie compliance supervision and monitoring as part of the need to enforce data privacy regulations.
What does all of this mean for digital marketers and their practice? Here are practical steps to take to rethink your approach to data privacy, consent, cookies and compliance.
Review consent banners and data sharing practices with third parties. Ensure that there is clarity for users and that all options are presented. Many companies face criticism and penalties for failing to make it as easy to reject cookies as it is to accept them, for example. Transparency and clarity are key to compliance and user acceptance.
Review your approach to cookies. Cookies are only set when valid consent is obtained. As we have repeatedly highlighted and industry research confirms, something like three-quarters of all Europe’s top websites collect consent but then fail to implement users’ opt-in requests properly. Using a proper consent management platform can ensure that consent is appropriately recorded and implemented, that updates in regulations are accounted for to help you remain in compliance, and hat audits are easily done to confirm your compliance.
Consider consent beyond cookies. Most regulatory guidance has explicitly dealt only with cookies, but advice is moving toward expanding consent requirements to include other data collection and tracking technologies. Regardless of whether this is covered by regulations right now, this is likely to become a part of data privacy regulations and should be taken into account.
Think about the end-to-end user consent journey.
Regulatory change is inevitable, and companies seeking to respect user data privacy while maintaining the ability to personalize digital marketing efforts can look to consent and compliance as proactive pathways to privacy-first marketing. This can shield companies from the growing landscape of financial and user trust-related penalties and set them up for greater success in their future digital marketing initiatives.
©2025 CookieHub ehf.
