How GDPR and the new cookie law will redraw the marketing landscape

The new cookie law and the European General Data Protection Regulation (GDPR) is a regulation that will have a big impact on marketers. Cookies can be considered as personal data and therefore requires an explicit ‘consent’ via an ‘affirmative act’, like checking a checkbox or clicking a button. To understand the cookie consent and how this will impact digital marketing, it’s important to understand the purpose and use of cookies on the web.

New proposal to simplify the cookie rules

A cookie is a small data file placed on your computer by a website that you visit. This is a very common technology that is used for several purposes from essential functional, to Analytics and advertising cookies.

The European Commission recognizes that the so-called ‘cookie provision’ would result in an “overload” of consent requests for internet users and that the rules needed to be streamlined. The new proposal would simplify the cookie rules. The simplification of cookie rules, is a welcome relief to the business. It is important to note that not all cookies store personal data; only those which can be used in a way that could profile the users and identify them.


The following type of cookies are exempt from the consent requirement and do not require a consent.

  • Essential cookies, are first-party cookies (set by the domain name that appears in the browser address bar). These cookies are required to handle functionalities like language recognition, authentication, user-interface customization, session ID’s etc.
  • Analytics cookies (like Google Analytics) that are set as a first-party cookie. However, keep in mind that there are certain limitations with first-party analytics cookies:
    - If you want to enable remarketing features and demographical insights, you need to set a third-party (DoubleClick) cookie. Therefore: a consent is required if you want to enable these features
    - Registering IP addresses enables better location insights but an IP address is considered to be personal data and requires a consent as well
  • Social plug-in cookies for content sharing or for logging in are considered to be necessary in order to provide the requested service. They might be set as part of a side resource load like an image load, JavaScript or iframe. These type of cookies are third-party cookies – a cookie set by a domain name that is not the domain name that appears in the browser address bar – but (probably) don’t require a consent.

Other third-party cookies are mostly advertising or remarketing cookies from parties like DoubleClick, Facebook, LinkedIn etc. These type of cookies do require an explicit ‘consent’. There are different reasons why advertisers install third-party cookies:

  • It enables advertisers to position targeted ads in front of a defined audience that had previously visited your website as they browse elsewhere around the internet. This practice is better known as ‘retargeting’.
  • It enables advertisers to collect more data and show more “relevant” ads based on browser behaviour.
  • It enables advertisers to define the return on investment (ROI) of an ad or campaign by reporting on the browsing behaviour after clicking on a specific ad.

Browser settings will (probably) be treated as consent

The new rule also proposes to centralize user consent in software, such as internet browsers, and to prompt users to choose their privacy settings across the board.
The new Apple update will include a new default feature for the Safari web browser dubbed ‘intelligent tracking prevention’. This update prevents third-party trackers from capturing cross-site browsing data. The update can be compared with the functionality of traditional adblockers like Ghostery, AdBlock Plus, etc. The reason why this feature is rather disrupting for the online advertising sector is that it’s installed by default for all (mobile) iOS 11 users.

This is a very important precedent for the advertising sector because Apple is more or less doing what will (probably) be the requirement for GDPR: web browser vendors must reject all third-party cookies by default. In other words, this update will offer a preview of what can happen in the coming months. You can already see a shift in the market: Google Adwords conversion tracking already shifted from third-party to first-party as a respond of the recent iOS change.

If one connect all the dots, one could say that remarketing will probably fall apart with GDPR because an explicit consent will be required from the end-user.

Single Sign On

Remarketing is a big source of income for advertising companies (like DoubleClick, Facebook, Appnexus, etcetera). It is to be expected that the market will shift strategies from a cookie driven approach to different tactics. A common alternative for (third-party) cookies, is shifting to a Single Sign On (SSO) strategy. With SSO, a user logs in with a single ID and password to gain access to connected systems. By creating an account, the user must give his explicit consent and the organization will therefore be GDPR compliant. An extra advantage with SSO is that user behaviour can be tracked across different devices (which isn’t the case with cookies). A few examples of SSO:

  • You can use the same login for Chrome, Google Maps, Google Contacts, YouTube, Gmail and other Google Products.
  • Using a Facebook login on external websites or application is a quick way to login but comes with the price of giving a piece of your information away.
  • Content where a login is required will become more common. (Example: a login is required to read a news article or watch the latest episode of a TV show).
  • Large media corporations are expanding their ecosystem with new acquisitions to expand the incentive of SSO and to connect different data sources with each other.


Adjust your marketing strategy

There are still a few assumptions and “probablies” in this article. However, one thing is clear: you need to be GDPR compliant and your marketing strategy should be ready as well. I personally think that focusing on workarounds to collect personal information shouldn’t be your top priority. Creating valuable content, developing creative campaigns, developing a mobile-first strategy, optimizing user experience, building brand advocacy, etc. are the tactics that your customers appreciate. Online advertising is a powerful way to support these tactics, but shouldn’t be the foundation of your marketing strategy.

At the Reference we encourage the protection and regulation of the consumer’s privacy. However, it has become very clear that there are a lot of technical and organizational challenges, for ourselves, our partners and our clients. We will keep promoting GDPR by helping our customers down the road of GDPR compliance and to shift to a good marketing strategy that is ready for a new era of privacy regulations.


Don't miss out

It's more than digital, it's your business
The Reference is nothing without its customers. Carglass is the car window repair and replacement specialist for whom we've built a fully responsive Sitecore website. Read more about this client.