Digital Marketing in the Age of the GDPR

What does marketing look like in post GDPR world where everyone is compliant?

Last June, to the surprise of many, a Tweet was widely shared online, showing the ICO admitting that their own cookie policy “doesn’t meet the required GDPR standard”.

In early July, this was followed up with new guidance on cookie usage that clearly exposes the way the industry has been mistreating customer data, and the ways we need to change.

Digital Marketing Today

First, let’s take a look at some ways digital marketers collect data:

This is by no means an exhaustive list and brands and marketers continue to innovate in the ways in which they can acquire your data without your express knowledge or consent.

Taken in combination, you can see how a business can quickly start to build an incredibly detailed view of an individual, how they can start to access that data directly as a first party or even start to target individuals through data held by third parties, such as when running advertising campaigns.

Ostensibly, marketers like to tell themselves that this is all above board – data is collected usually but not always for specific purposes and this data provides value to the business and hopefully (we like to tell ourselves) to the individual. The problem is in the opaqueness of the processes involved and the lack of consent or even knowledge by the end-user about the scope of the data collection taking place

So what are we doing with all this data?

This is by no means an exhaustive list and is merely used to demonstrate some common scenarios in which data is used for marketing.

We’d all like to think all this data is being handled carefully and responsibly, but ask any marketer and they’ll have stories to tell about customer data being shared across the company through CSV files or the business CRM, without any oversight or mechanism to protect an individual’s private information.

So where does that leave us?

Thanks to this new guidance, some things have become abundantly clear:

This is a BIG deal. Websites currently assume you consent to cookies until you tell them otherwise and will gleefully suck up as much data as they can collect until you stop them. This new guidance makes it explicitly clear that this is no longer allowed and that a business must obtain consent before they engage in these activities.


Dead. Switch to a log-based analytics system and strip out PII. You might be able to obtain consent for your analytics cookies but hey, who am I kidding, we’ve trained people to hit the big ❌ button on popups so they’ll close your popup immediately without giving you consent.

Programmatic advertising

You’ll still be able to target people based on the website you wish to place an advert on, but advertising brokers will no longer have monolithic profiles of profiles you can target based on interests, demographics, etc. This is a big loss for businesses and a HUGE win for individual privacy.


Dead. Deader than dead. Good luck obtaining consent when you have to explain to your users that you want to stalk them around the web for products they spent all of 3 seconds looking at on your site. Good fucking riddance.

Targeted Advertising

Dead. No one will want to give you consent to send off their personal data to third parties. Advertisers will also struggle to obtain interest and demographic data making lookalike audiences much less valuable.


Legitimate interest isn’t good enough, you need to obtain consent for marketing emails2 and unless you have explicitly collected consent for tracking you cannot track how individuals behave within your emails.


Like email, you’re going to need to collect consent to use SMS for marketing. There’s some real opportunties to demonstrate the value of SMS to customers here, you’ll just have to think creatively.

Push Notifications

You’ll need consent, but you already needed that. Push notifications are probably going to suffer the least because there have been solid mechanisms in place for years to prevent misuse from marketers.


Do you really want to be paying Facebook or YouTube given what they’re up to?

What happens next?

The big winners are going to be the channels which can most clearly communicate an obvious value exchange between the individual customer and the business. Unsurprisingly, given what I do, I think these are channels like email, SMS and push notifications. Once you’ve built an existing relationship with an individual, they are more likely to see the benefit in giving you permission to message them via these channels.

Advertising(⚰️) in all forms is the clear loser - this new cookie guidance effectively put the nail in the coffin of digital advertising as we know it. You’ll no longer be able to target individuals based on what pages of your website they’ve visited or their interests, geographical location or demographic data. DuckDuckGo already demonstrates how we can move towards a more compliant and a more ethical take on advertising. Budgets will inevitable suffer as performance decreases across digital advertising channels.

Customer acquisition optimisation is going to suffer. Without clear analytics across the board we’ll have to do a lot more work done to understand how individual campaigns have performed. There are plenty of ways we can do this, for example having personalised landing pages per campaign and measuring the aggregate number of visits to that page (ie without PII to identify unique visits) vs the number of purchases or form submissions. I think we’ll see more investment in this area as gauging the effectiveness of our marketing spend becomes increasingly challenging.

Marketers are going to have to adapt to these changes and we’re going to have to take a very close look at how permission is currently obtained in mobile apps. It’s clear that they’re leading the way in this area and understand that progressively obtaining permission (consent, in our case) based on specific interactions (for example, asking for camera permissions when the app user wishes to take a photo in the app) is the way we’re going to have to go.

To this purpose it behoves all of us in marketing to propose a new framework for ethical marketing and more purposeful and transparent data collection. It is a position of extreme arrogance on the behalf of marketers and businesses to believe that our bottom line is more important than an individual’s privacy. What the EU has achieved with the GDPR is making it clear that this is absolutely not the case.

In an age in which marketing data is used to enable electoral fraud and strip our civil liberties, we need to do better.

Notes and References

  1. Taken from TargetInternet
  2. there are of course other types of email and reasons other than marketing to send emails which I won’t cover here