Too hot to handle? How businesses can better manage data in a post-cookie world

With high profile brands being hit with GDPR fines, it’s essential brand performance is managed through the lenses of brand safety, privacy and compliance.

Using data responsibly is not just what good brands should do, it also makes for a more operationally efficient business, argues Louis Wedgbury, head of digital at media agency Hearts & Science…

Data is one the principal drivers of growth, so businesses need to get a handle on the data they hold – and fast. And with the deprecation of tracking cookies looming, the stakes have never been higher. 

Indeed, there’s plenty of evidence to suggest the reality hasn’t quite hit many brands, and is a likely reason we’ve seen some major businesses issued with significant GDPR fines for their failure to correctly handle personal data.

It is therefore essential marketing is now managed through the lenses of brand safety, privacy and compliance. Yet despite all the risks, the warnings – and the growing number of fines – too many businesses still do not have their data strategies in good order. 

What’s holding them back? 

The principal culprits are people, skills and knowledge. To that end, it’s worth looking at what brands can do to tighten their focus and ask the right questions to plug any gaps. Not only will this help develop a data strategy that minimises business risk, it will set them up to actively drive future growth. 

A complex post-cookie ecosystem

 The demise of third-party tracking cookies – under current timelines due late next year – is ushering in a host of alternative ways to target audiences and measure performance. Now is the time to road-test the numerous technologies and techniques on offer as there is, as yet, no single solution to replace the status quo. Potential solutions include contextual advertising, geo-planning, Google’s Privacy Sandbox, media mix modelling, seller-defined audiences and clean rooms. 

They all work differently, they all handle data differently, but they all offer new ways to target audiences and understand marketing performance. However, advertisers should be aware that risk varies substantially at the individual use case and vendor level, and privacy assessments will need to be made on a case-by-case basis.

Brands… bear responsibility for ensuring that activity complies with GDPR.

This exploration needs to happen, but the by-product of this new frontier is that brands will become data controllers (or joint controllers) for the majority of digital advertising use cases, which means they bear responsibility for ensuring that activity complies with GDPR. 

Yet compliance is hardly ever a clear-cut issue, which makes risk mitigation measures so critical when assessing any post-cookie solution. 

Break it down

To help manage and simplify their approach, brands should begin by splitting such measures into three distinct areas: 

1) Fairness 

Evaluating whether or not a consumer would expect a particular type of data processing. The less expected it is, the harder it will be to justify compliance. 

Remember, fairness sits at the heart of the GDPR. In practice, this means taking into account consumer expectations about how their data will be used, and making sure you understand how your consumers view different data types and use cases.

2) Transparency 

Simply telling people what is happening with their data – and expressing this in a way they can understand so they can exercise their rights in relation to it. 

3) Lawfulness

When it comes to identifying a legal basis, regulatory guidance says consent – rather than legitimate interest – is the only appropriate basis for behavioural targeting. 

Increasingly, guidance is also hardening in favour of consent for list-based targeting (for example, Custom Audiences) and even digital ads measurement. Never forget that only when consumers understand what is happening with their data, are they able to give their informed consent in relation to that processing.

Working differently and asking the right questions

It is also vital to establish closer working relationships between brand marketing and privacy teams, which will help you navigate the coming changes and how best to respond to them.

Some initial areas to evaluate include how much privacy teams understand about what personal data is shared with which companies to support common marketing use cases. This can then be correctly reflected in privacy notices and consent banners.

Similarly, are marketing and privacy teams aligned on where a brand will be a data controller or joint controller for advertising use cases? And do they have processes in place for documenting activity and assessing risk associated with particular use cases or vendors?

Fundamentally, businesses need to identify, or work with their partners to identify, what questions are most pertinent to them and in what order these should be addressed.

The focus, ultimately, should be around developing a clear strategy about using first-party data – because it is consented data that will drive the online marketing ecosystem once tracking cookies are retired. So brands should ensure they have identified which legal basis they will rely on for this activity.

Future developments

If brands require any further impetus to act, it’s worth noting that even more change is on the horizon; not just in relation to privacy, but also in the form of new legislation to address online harms and competition in digital markets.

Expect to see some major decisions for the big platforms this year, which could significantly impact marketing effectiveness.

On the privacy side, expect to see some major decisions for the big platforms this year, which could significantly impact marketing effectiveness, as well as more detail on how the UK government intends to re-shape data regulations post-Brexit.

But having a solid data strategy in place now, will help manage any risks these pose, and will shift business behaviours to move flexibly and sensibly in line with an evolving regulatory landscape.

Ultimately, it’s always worth reminding ourselves that investment in privacy – through people, skills and knowledge – benefits marketing. As well as reducing risk and supporting brand trust, businesses with a more mature approach to privacy can expect to see increases in key metrics like user consent and on-site conversion. Responsible, transparent brands are simply better functioning businesses.

They also benefit from improved operational efficiency, meaning they can get new solutions up and running more quickly, and are better able to adapt. So plan now for a future in which privacy is a key market focus, and take advantage of the changes.