Digital marketing in the age of GDPR and ePrivacy

The latest court ruling issued by the Court of Justice of the European Union (CJEU) on 1 October 2019 is loud and clear. It stipulates that an active, explicit and informed opt-in is required before setting cookies or collecting other personal data. Tacit consent is no longer valid. This means that the popular phrase “If you continue surfing now, you agree to your data being processed”, which still appears, can no longer be used.

Until now, many online marketing operators have taken advantage in a cavalier fashion of the lack of any clear regulation. Incredible amounts of data have been collected in an effort to keep an ever closer eye on website visitors. This triggered a situation where digital channels have been littered with ads, spam, bots and cookies. Therefore in 2016, the European Union imposed the General Data Protection Regulation (GDPR) as an attempt to curb this activity. This stipulates that companies must list all files containing personal data. But it was only scandals such as those involving the company Cambridge Analytica, which was supposed to have influenced the US presidential election using Facebook data, that made a wider public aware of the careless or even criminal manner in which data is often handled.

In many places, there was great dismay after the verdict, because warnings are now possible in the opinion of some courts and will increase as a result of this clear verdict. For this reason, every website operator should immediately address this issue and, as a first step, acquire a suitable consent management platform (CMP) which prevents cookies being set before user consent is given and clearly documents opt-ins.

Until now, there were three different ways to obtain consent from website visitors:

  • Direct, explicit consent: This method involves explicit consent being given by the user – usually by clicking on an “Agreed” button.
  • Implicit consent: In this case, consent is given if the user scrolls down the landing page or clicks another button on the landing page.
  • Indirect consent: In this case, consent is considered to have been granted at the moment when the user accesses another page on the same website.

These various methods have a major influence on the respective opt-in rates. Since the GDPR was published, website operators have had plenty of time to try out the methods. However, the years since 2016 have largely passed without any action being taken. In most cases, people have hidden behind dubious legal opinions, looked for loopholes in the law and left users with very limited options to choose from.

The game of legal hide-and-seek is moving to the next stage for many companies, but the CJEU ruling leaves some issues unresolved:

  • Could the setting of cookies be justified on other legal grounds, for example, based on legitimate interests (Article 6(1)(f) of the GDPR)?
  • Who is responsible for setting third-party cookies under data protection law?
  • When are so-called “necessary” cookies available which do not require separate consent (Article 5(3) of the ePrivacy Directive)?
  • Do users have to actively agree to individual online marketing service providers or at least service provider groups (categories, for example, “analysis”)? This question is of paramount importance. Naming all the service providers involved in the online marketing ecosystem would be a virtually unachievable task.

Does this mean that we can quietly wait until the company’s lawyer or the external data protection consultant has been turned down by a warning or a new court ruling on these matters?

Impact of the CJEU judgment on online marketing

Contrary to what usually happens, marketing managers must act now! Carrying out marketing activities with traditional, cookie-based methods is now very difficult. Anyone implementing the CJEU’s cookie ruling needs to keep their eye on more things than before. Cookies requiring consent must no longer be set before consent is given. According to the law, consent must be active, informed, explicit, specific, voluntary and documented. The process for amending and deleting given consent must also be as simple for the user as that for giving consent.

The impact of the ruling will soon become apparent to many marketing managers, who are now trying to switch from implicit to explicit consent. Commanders Act found in a study that implicit consent has so far reached up to 95% approval, while explicit consent has reached only 37%. In other words, anyone who relies on tracking cookies and is only now switching to explicit consent may lose quite a considerable proportion of their online marketing data unless this activity is professionally supported.

Do Not Track features in the browser and ad blockers make life even more difficult for online advertisers. Google wants to equip the new version of its Chrome browser with special features to protect against cookies and trackers. The browser already has an extension which allows users to set an expiry date for their personal data.

With “Intelligent Tracking Prevention” (ITP), for example, Apple has implemented an anti-cookie strategy in its Safari browser which near enough nips targeted advertising in the bud.
Version 2.2 of its ITP feature reduces the duration of tracking cookies from 30 days to 24 hours. ITP is a program which is integrated into the Safari browser to protect against user tracking. Many CMP providers still rely on local storage, i.e. the option to store data on the user’s computer. But from ITP version 2.3 onwards, this should also be prevented, according to Apple.


This situation has many different consequences for online marketing managers. It will make performance tracking more difficult unless it is considered a legitimate interest (Article 6 GDPR). In addition, it makes recognizing users of certain browsers (Safari, Firefox) more difficult, as it does web analysis, which lacks precision. More than this, some forms of online marketing (retargeting, real-time bidding, affiliate marketing) are not only made complicated, but even impossible. This significantly reduces the data advantages which the online channel has over offline channels.

According to a recent study by the World Advertising Research Center (WARC), 61.4% of the global digital advertising budget will go to Google and Facebook alone. This leaves online marketing managers with only few options for action in terms of using audiences in a different way. At the same time, the younger age group of 12- to 17-year-olds is turning away from Facebook, as the analysis company eMarketer has confirmed. Their number will decrease by 9.1% year-on-year, resulting in a loss of around 170,600 users. This age group’s refusal to use Facebook is expected to continue in the coming years.

Conversely, this means that the shortage of stock at Google and Facebook, as well as more providers bidding for this stock, with fewer alternatives available, will dramatically increase the costs of reach marketing and performance marketing.

Consequences for the digital economy

These developments entail the following consequences. EU operators are losing touch with the US and China – which is also due to a lack of growth prospects and privacy issues they are facing (no more API access for EU operators to data from the Big Tech companies). The only option still left to them is to sue Google, Amazon, Facebook, Apple and Microsoft (under antitrust law), but this involves lengthy litigation and meagre prospects of success.

When it comes to ePrivacy, politicians are still reluctant to make clear rules and statements – especially when it comes to the EU-US Privacy Shield. The EU-US Privacy Shield Framework provides companies with a tool for transferring personal data from the European Union to the United States in a way that is compatible with EU law.

As early as autumn 2018, the European Parliament called on the European Commission to review the agreement. In this regard, EU companies may soon face high risks if they still rely on SaaS providers whose servers are located in the US.

Tips and tricks for achieving the best opt-in solution

Tip 1: Think big!

Think big when it comes to the consent banner. The average consent rate is 65% (across all consent types), but there are variations both up and down. The differences between desktops, smartphones and tablets can be explained primarily by the size of the banner. This automatically takes up more space on smartphone and tablet screens. Thirty-seven per cent of all opt-in banners were displayed on a desktop computer, 51% on smartphones and 12% on tablets. As a result, the approval rate for smartphones is 76%, while the rates for tablet and desktop computers only reach 59% and 56% respectively.

Tip 2: Don’t hide your content

The correlation between banner size and opt-in rate is, of course, limited. As soon as the page content is no longer visible behind or under the banner, users tend to cancel their visit instead of giving their consent. This behaviour is particularly pronounced when the banner in the form of a pop-up greys out and covers the entire background, i.e. the contents of the page.

Tip 3: Nobody cares about privacy statements and cookies

Website visitors see the message requesting consent on average 1.8 times before making a decision. This average rate always remains the same, regardless of the final decision (opt-in or opt-out) or the consent method used (direct, indirect or implicit). In other words, users halt their decision-making process the first time they see the banner or pop-up. Just 0.1% of visitors – yes, you have read the figure correctly! – go one step further in a two-step process and look at the privacy statement or more detailed information about the cookies used. However, this percentage is expected to increase in the coming months as more users deal with the issue of data protection.

Tip 4: Keep a close eye on your visitors and industry

Every industry has its own methods of obtaining consent. Legislation (the ePrivacy Regulation is currently under negotiation), technology (e.g. browsers deployed) and user behaviour are in a constant state of flux. They can contribute to design decisions previously made being reconsidered and possibly adapted in the coming months.

Tip 5: Carry out a test!

Carry out an A/B test with the consent banner, with slightly amended functionalities or text each time. Don’t change too much at once in the two variants so as not to make it difficult to measure the effectiveness of individual metrics in a clear way. The A/B test will enable you to find out how to achieve the highest possible opt-in rates.

Tips for selecting providers on consent management platforms (CMPs)

There are different CMPs and procedures for obtaining consent.

In the technological approach, cookies are usually suppressed retrospectively, while tags are suppressed in advance. Consent is stored via cookies (first- or third-party), local storage, data layer and server. Consent can be obtained through various ways: explicit or implicit, direct or indirect, and before or after the pageload. The conceivable button options are opt-in, opt-out and a neutral approach.

The Consent Management Platform should meet some basic criteria. It must enable privacy banners, privacy centres and provider and cookie categories to be created, managed and adapted. In addition, user consent and consent types must be documented in detail. Not to mention that the system should be able to meet the following criteria:

Checklists before purchasing a CMP:

  • Adjustments to banner designs, texts and buttons (WYSIWYG editor)
  • Control by country and language settings
  • Consent metrics (details, KPIs, comparison of different banner variants)
  • A/B tests to optimise consent banners
  • Consent at different levels (provider, cookie)
  • Cookie crawler (detection of piggybacking)
  • White- and blacklisting of cookies/providers
  • Deleting/renewing consent after a certain period of time

Technical requirements:

  • Secure suppression of unauthorised cookies before consent (TAG-based)
  • Multi-CDN or self-hosting for displaying banners
  • Export function or API for transferring consent to third-party systems
  • Plug-in or native integration with tag management systems
  • Privacy Centre integration into privacy statements
  • IAB compliance (for advertising on publisher pages and Google)
  • Support and technical documentation

The legal requirements must ensure that storage takes place on ISO-certified EU servers. There should also be ePrivacy certification (or a similar scheme). In the case of security processes, managers must focus on incident management and disaster recovery, while in the case of contractual components, the focus is on a service level agreement (SLA), data protection based on technical and organisational measures (TOM), order data processing (ODP) and privacy by design.

Furthermore, CMPs must be combined with tag management systems. This is the only way to set cookies after the opt-in process and to categorise them clearly.