How digital marketing is measured is currently in a state of great flux. This is due to widespread regulatory and technical changes that have restricted the data that is available to the digital advertising industry, leading to the decline of third-party data from browsers and device manufacturers. This data has been important for both measuring digital marketing activity and targeting advertising.

Consumers’ expectations around privacy also continue to rise, and they are increasingly limiting the amount of data they are willing to share and blocking cookies. This chapter will explore the changes in more detail and the impact they are having on measurement techniques.

Regulatory changes

Around the world there has been an increase in privacy-focused regulation, with companies needing to be conscious of what data is collected, where it is stored and how it is used.

Regulations in Europe

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force across Europe. This regulation imposed much tighter controls on how companies can collect and handle information about individuals on the internet.

In the UK, the GDPR is retained in domestic law as the UK GDPR and any companies processing domestic data must continue to comply with the UK GDPR and the DPA (Data Protection Act) 2018.^[1] The UK GDPR also applies to processor and controllers based outside of the UK if offering goods or services to individuals in the UK or monitoring the behaviour of individuals in the UK.

UK organisations will need to comply with the EU GDPR if they operate in the EEA, offer goods and services to, or monitor the behaviour of, individuals in the EEA.

Further guidance on data protection in the UK is provided by the Information Commissioner’s Office.^[2]

In addition to GDPR is the ePrivacy Regulation, which when brought into force will set out specific rules governing electronic communications and will take precedence over GDPR in situations where both laws apply.^[3]

The ePrivacy Regulation aims to strengthen and update the online privacy rights of users.^[4] It will replace the current 2002 ePrivacy Directive and does not just apply to personal data, but also affects B2B marketing. While this was expected to take effect on 25 May 2018, alongside the EU GDPR, this did not happen. The agreed text of the ePrivacy Regulation has yet to be finalised,^[5] which will then be followed with an expected 24-month transition period.

A further regulation companies need to be aware of regarding user consent is the Digital Markets Act (DMA).^[6] The DMA requires that ‘gatekeepers’, identified as large digital platforms providing core services, such as search engines, messenger services and app stores comply with the obligations and prohibitions set out in the DMA, which came into force on 7 March 2024. In particular, they must be responsible for collecting user consent. The six ‘gatekeepers’ identified are Alphabet (parent company of Google and Android), Amazon, Apple, ByteDance (parent company of TikTok), Meta (parent company of Facebook, Instagram, and WhatsApp, along with others) and Microsoft (parent company of LinkedIn).^[7]

Despite the decline of third-party cookies, advertisers and publishers will still need to obtain user consent to process user data. Google, in particular, has stated it is strengthening the enforcement of its EU user consent policy.^[8] As of March 2024, any company using Google services such as Google Ads and Google Analytics must implement Google Consent Mode v2 to ensure Google complies with the DMA.^[9] This is an enhancement of the original Google Consent mode which has been designed to better align with user preferences and data privacy regulations. Those who are not using Google Consent Mode v2 by the deadline will not be able to capture any data about any new users in the EEA or personalise ad experiences for them. The impact of this being that it will be impossible for a company to re-engage users via remarketing in Google Ads, Floodlight and Display.

Alongside these developments, there are side rulings which point to the illegality of Google Analytics in an EU context. As described in one article, this is the view from the Austrian, French, Italian, Danish, Finnish, Norwegian, Swedish and other European Data Protection Authorities.^[10] The key reason being cited is that Google Analytics violates GDPR, as it is “subject to surveillance” by US intelligence services and providers can be ordered to disclose the data of European citizens. Under the Cloud Act, US authorities can demand personal data from Google, Facebook, Amazon and other providers, even when they are operating or hosting that data in another jurisdiction.^[11]

In January 2024, Apple announced planned changes to iOS, Safari and the App Store, which impact developers’ apps in the EU as part of compliance with the DMA.^[12] As a result of the changes required by the DMA, new capabilities have been introduced by Apple to protect users and developers from threats to their privacy and security. Further resources are available to developers explaining the changes.^[13]

Regulations in the US

In the US, regulations are determined at a local state level with a key piece of legislation being the California Consumer Privacy Act (CCPA) of 2018,^[14] which was enacted on 1 January 2020. This gave consumers more control over the personal information that businesses can collect about them. As detailed on the State of California Department of Justice website,^[15] the law secured new privacy rights for California consumers. These included the right to know about the personal information a business collects, how it is used and shared and the right to opt out of this, along with the right for a consumer to have their personal information deleted (with some exceptions).

On 1 January 2023, the California Privacy Rights Act (CPRA) took effect as an add-on to the CCPA. It gives consumers new rights in addition to those in the original regulation, such as the right to correct inaccurate personal information that a business has about them and the right to limit the use and disclosure of sensitive personal information collected about them.

This is the same date the Consumer Data Protection Act (CDPA) took effect in Virginia, which gives consumers the rights to view, obtain, delete and correct their data, and requires companies that conduct business in the state to get permission from users to process their data.

In addition to California and Virginia, further states across the US have comprehensive privacy laws in place or are proposing bills.^[16]

Regulations around the world

Many countries outside the EU have similar data protection regulation to GDPR. Some notable examples include:

• Australia: The Privacy Legislation Amendment Bill 2022, passed by the Australian Parliament in 2022, increased fines for data breaches and brought the country’s privacy laws further into alignment with competition and consumer remedies within the EU’s GDPR laws.
• China: China’s Personal Information Protection Law (PIPL) came into force on 1 November 2021, where previously data privacy had been governed by different laws. PIPL is designed to protect users’ privacy rights when they use the internet or buy their goods and services online. While much of the PIPL has been based on the EU GDPR, it comprises stricter standards and penalties, which therefore has far-reaching implications for companies that do business in China and handle cross-border data.^[17]
• Japan: Any business that holds personal data in Japan is required to abide by the APPI Amendment. It includes provisions around third-party transfers and protects the rights of individuals in regard to their personal data. The law (which replaced the former Act on Protection of Personal Information in 2017) has helped Japan to get on the EU’s ‘white list’ of countries with adequate data protection legislation.

The above highlights some key pieces of data regulation which have come into force, but there are many others in place. Depending on where companies are based, how customer data is being used, and across which territories and countries, they will need to comply with the appropriate regulations. Information by country is provided in a practical guide to data privacy laws by Case IQ.^[18]

Technical changes

In addition to the regulatory changes that have restricted what information a company can collect, a number of technical changes have impacted how companies can use third-party cookies and device IDs to both target consumers and measure their activities.

Decline in access to third-party cookies

The ability to target users with digital marketing and understand how well it is performing often relies on third-party cookies for cross-site tracking. Third-party cookies are small pieces of code that are created by a ‘third party’ such as a website or technology platform. They are then stored on a user’s browser to track their activity once they leave the website that installed it. This provides a view of the user’s online activity to be captured and used for tracking and targeting.

However, technical changes to the industry are being made by some of the largest technology platforms to protect user privacy. Since 2019, Apple, Mozilla and Google have all made, or are in the process of making, major changes to the availability of third-party cookies on their browsers. This has led to much industry talk of the overall decline of the third-party cookie as a means for measuring the effectiveness of digital marketing.

Apple and Mozilla’s browsers have already phased out third-party cookies. Mozilla Firefox has since further strengthened user privacy by implementing Total Cookie Protection, which includes protection against fingerprinting and ‘supercookies’. Mozilla describes supercookies as being similar to tracking cookies, which enable a tracker to stitch together visits to different websites, but notes how the key difference is that a user’s browser was not designed to store supercookies.^[21] Tracking companies have found ways to secretly place these in other browser features, such as hiding them in the cache, thereby making it harder for them to be blocked or cleared compared to normal cookies.

Google had planned to phase out support for third-party cookies in Chrome by the second half of 2024.^[22],[23] It began by switching on ‘Tracking Protection’ for 1% of Chrome users (30 million) in January 2024. However, following feedback from a wide variety of stakeholders, including regulators, publishers and advertisers, Google has changed tack.

In recognition of the significant amount of work the transition involved, and of the impact on participants in the online advertising industry, Google will no longer be deprecating third-party cookies. Instead, it will introduce “a new experience in Chrome that lets people make an informed choice that applies across their web browsing”.^[24]

While Google already gives users the ability to disable third-party cookies within browsers, the future plans may make this option a lot more visible and easier to apply universally, and therefore has the potential to further reduce their use. Chrome is the world’s leading internet browser with a global market share of 65% as of January 2024,^[25] making this reduction set to have significant implications for measurement.^[26]

Google’s Privacy Sandbox

In August 2019 Google announced the soft launch of the Privacy Sandbox initiative for Chrome, software which it described as “a secure environment for personalisation that also protects user privacy”.^[28] The aim of the Sandbox was to create a viable framework for advertising and measurement without third-party cookies. It is part of an industry-wide effort to develop new technology that will improve people’s privacy across the web and apps on Android by reducing the sharing of personal data.^[29]

The Sandbox includes a number of APIs. Advertisers will be able to use solutions such as Google Topics, the Protected Audience API, Attribution Reporting and Private Aggregation APIs. The proposed solutions limit the tracking of individuals and provide safer alternatives to existing technology on these platforms, while keeping them open and accessible to everyone. As an example, the IP Protection feature prevents IP addresses being used as ad targeting identifiers.^[30]

Google has stated that while it will no longer be deprecating third-party cookies, it will continue to make the Privacy Sandbox APIs available and invest in them to “further improve privacy and utility”.^[31] Google has also pledged to make additional privacy controls available, which will include extending IP Protection to Chrome’s Incognito mode. Google will continue to seek industry feedback while it further develops the Privacy Sandbox.

Apple’s Private Click Measurement (PCM)

Apple’s Private Click Measurement (PCM) is a proposed web standard for measuring the effectiveness of click-through advertising in a privacy-preserving way. It allows external websites to measure where external links, such as ads, result in a conversion.^[32] The external website decides what constitutes a conversion, such as a purchase or sign-up. With PCM, no user-identifiable information is sent to the external website, so it protects user privacy, while giving advertisers the ability to measure the effectiveness of their ad campaigns. For those apps running in iOS 14.5 or later, they are able to take advantage of PCM.

Decline of device IDs

Since the inception of the smartphone, third-party cookies have not worked on mobile apps. Instead in their place, manufacturers offered a device ID, which provided an anonymised ID that could be used to track user behaviour on these devices and allow marketers to see any actions related to marketing activity.

However, Apple kickstarted the demise of the device ID, called the IDFA (Identifier For Advertisers), in 2021 with the launch of its new privacy feature called App Tracking Transparency. This required consumers to actively opt in to allow the use of IDFA for each app they accessed, effectively giving them the ability to opt out of sharing their personal data with third parties.^[33] While this meant the use of fingerprinting was prohibited, there were no additional measures in place to fully police it.

As of May 2024, Apple has since introduced an app developer requirement that obliges companies wanting to access certain APIs to provide a reason. Developers need to select from one or more of the ‘approved reasons’, detailing how their app will use the API to allow it to do so for those stated purposes. Any apps and app updates that do not include a reason will be rejected.^[34]

Google has followed suit by announcing that the Privacy Sandbox initiative will extend to mobile and eventually replace Google’s GAID (Google Advertising ID).

The decline of the device ID will have a very similar impact on marketers’ ability to measure digital advertising across mobile as the decline of third-party cookies on desktop, making it more challenging to understand the behaviour of people online and attribute any marketing to that behaviour.

However, how third-party cookies were being used in order to recognise a user was not perfect before. Cookie match rates could range from anywhere between 40% and 60% in Europe,^[35] which does not take into account the challenge of those tracking cookies already being rejected by some browsers or deleted and blocked by users. From a consumer perspective, this meant they could often be shown irrelevant ads. From a business perspective, budgets were often being wasted on not reaching potential customers.

The technical and regulatory changes are taking place at the same time consumers are becoming more aware of their data rights. Companies need to ensure that upholding consumers’ privacy is a priority and that they are adapting their measurement approaches and the ways in which they collect and use data around this. Marketers must continue to monitor the impact the various changes are having on the way they measure their digital marketing activity and collect data.