In this article

Sign up for our newsletter

Share this article

Few other business functions touch as much consumer data as marketing. That means that whether they like it or not, marketers need to be among the more privacy-aware individuals in their organization.

So, what does that entail?

In addition to being familiar with the basics of modern privacy laws like the GDPR and CCPA/CPRA, privacy-aware marketers need to understand how those laws impact their day-to-day work. And one of the best ways to go about that is to know what metrics to pay attention to.

Keeping track of the right data can help marketers understand how to work with compliance professionals in their organization, what data privacy factors will impact their ability to do their job and how, and which of their tools and systems are sources of compliance risk.

6 key metrics for privacy-aware marketing

Jump to the below links for more information on each, and download a copy of the infographic to keep handy. 

1. Page speed

2. The number of cookies and scripts on your site

3. Consent rates

4. The number of vendors in your martech stack

5. Number of visitors by region

6. Decayed data

infographic-6 privacy metrics for privacy aware marketers

Download a copy here

1. Page speed

Any modern marketer knows that the experience of using their brand’s website has a huge impact on demand and lead generation. In fact:

  • One study found that a two-second increase in load speed results in a 103% increase in bounce rate.
  • The BBC lost 10% of its users for every additional second their site took to load.
  • 40% of users will abandon a website if it takes longer than three seconds to load.


There are a lot of factors that can affect your page load speed, and many of them relate to data privacy.

For one, a higher number of third-party cookies and scripts on your site will slow it down and increase your compliance risk. When your website’s page speed starts to tick upward, it may be time to audit your third-party scripts and cookies to see whether any are unnecessary.

Additionally, compliance solutions also have an impact on your website’s performance. If you implement a consent management platform (CMP), for instance, it will need to present a cookie banner, act on user consent preferences, record that preference, and block or permit scripts accordingly, all of which take up resources. Some CMPs are more or less performant than others, so it’s important to factor in a CMP’s impact on page speed during the evaluation process.

In order to evaluate page speed before and after an intervention like a cookie audit or CMP implementation, you’ll want to identify an objective website performance tool. Most commonly, website owners use Google’s Lighthouse tool.

2. The number of cookies and scripts on your site

It’s good to be familiar with the requirements of data privacy regulations, such as the need to ask for user consent before tracking their data or providing users with a means of opting out of data collection. But that knowledge won’t do you any good unless it’s paired with knowledge of what scripts on your website are actually tracking user behavior.

Specifically, you need to know: 

  • Which scripts are essential for your website to function
  • Which collect anonymized analytics data
  • Which improve functionality, but aren’t essential
  • Which are used for targeted advertising or other marketing purposes


We recommend classifying your website’s cookies and scripts into these categories (i.e., essential, analytics, functionality, and marketing) because they are treated differently under different data privacy laws. Some laws may not permit you to issue third-party marketing cookies unless the user explicitly opts in. Others might not permit the use of any scripts beyond essential ones unless the user opts in. There’s a wide variety of ways that laws treat these different categories of scripts and cookies, so you’ll want to get familiar with the specifics of your law. A good starting place would be our blog article summarizing the current data privacy laws.

There are a variety of ways to identify and classify the cookies and scripts on your website, ranging from highly manual to more automated approaches using compliance software. Whatever approach you choose, being familiar with the number and nature of the scripts running on your website is a best practice, even if privacy isn’t your top concern. As mentioned previously, this familiarity will help you maintain a tidier, faster website, and you’ll be able to act on the requirements of data privacy regulations.

3. Consent rates

Once you have a consent management solution in place — whether that’s third-party or developed in-house — regularly monitoring your consent rate can be a source of key insights.

For the unfamiliar, certain data privacy regulations require businesses to obtain their consumers’ consent before using data tracking technologies like cookies. You’ve probably seen cookie banners on websites before. Depending on your jurisdiction, you may need to ask users to click an “Accept” or “Reject” button on that banner, or you might just need to let them know that you are collecting their data and link to a page where they can opt-out of collection.

Whether your relevant regulation requires opt-in or opt-out consent, tracking the number of users that opt in or out respectively can tell you:

  • How effective your retargeting efforts will be (after all, you can’t retarget visitors that opt out of marketing cookies)
  • How much trust your customers have in your brand
  • Whether there’s an issue with your cookie banner or website design that’s hurting consent rates
  • And more


As a quick note, it’s important to not play around with your banner design too much in order to increase consent rates. Presenting a clear and informative banner is just good web design, but some individuals try to manipulate their website visitors into providing consent or making it more difficult to opt-out of cookies. This is the point where consent rate optimization ventures into dark patterns.

4. The number of vendors in your martech stack

The average martech stack features 28 different vendors, but if you were to ask your average digital marketer about their vendors on the spot, they’d probably only think to name their CRM software, Google Analytics, and maybe an email or social media tool.

Becoming familiar with the different vendors in your stack can help you be a better coworker to the compliance and legal professionals in your organization. If a consumer makes a data subject access request (DSAR), for instance, you’ll be better able to identify and track down all of the potential stores where their data might live.

If you live in a jurisdiction where you face downstream risk from your vendors (as in the EU, where you can be found liable for your vendors’ data privacy practices), then keeping track of which companies handle your leads’ data is doubly important. Marketers handle a lot of consumer data, and they pass that data around many different systems and tools — if one of those tools doesn’t adhere to healthy data privacy practices, then you could be introducing extra risk into your organization.

5. Number of visitors by region

You undoubtedly already track which regions your leads are coming from, but you may not have taken into account the data privacy implications that this metric possesses.

Many regions with a data privacy law on the books only regulate businesses that meet certain threshold criteria, which often include collecting data from a given number of local residents. For example, California’s CCPA/CPRA only applies to businesses that:

  • Are based out of California and have a gross annual revenue of over $25 million in the preceding calendar year, or
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
  • Derive 50% or more of their annual revenue from selling or sharing California residents' personal information


Tracking whether your business is approaching the threshold for a region’s data privacy regulation can help you prepare for compliance early.

6. Decayed data

In the 2000s and 2010s, businesses collected user data en masse and retained it indefinitely. Today, businesses often understand that they can’t collect data en masse anymore, but they don’t always realize that indefinite retention is an issue as well.

Most modern data privacy regulations include the concepts of purpose limitation and retention minimization. In essence, these concepts mean that businesses can only collect consumer data for a specific purpose, and once that purpose has been met, they should delete the data.

For marketers, their purpose is to drive demand and leads. At what point does a given dataset fulfill that purpose?

There’s no hard and fast rule, but there clearly isn’t any need to hang onto data for years and years. Working with old data isn’t very effective either, as email addresses stop being used, addresses change, employees exit their organizations, and so on.

It’s already a best practice to clean up your CRM database every now and then. Now, marketers who haven’t been as diligent in their data hygiene as they should have another reason: deleting old data reduces your compliance risk.

Determining how much deprecated data there is in your systems is simple. Most CRMs will feature a means of identifying:

  • Which contacts have hard-bounced
  • Which contacts have unsubscribed to your emails
  • Which contacts have low engagement (definable as contacts that haven’t opened an email in, for example, six months)


Search your contact database for individuals meeting these criteria and delete them — they aren’t going to become prospects, but they do carry unnecessary risks. While your CRM is likely the largest data store that marketing owns at your organization, you’ll want to conduct semi-regular audits of any other martech systems that store consumer data as well.

Left with more questions?

The need to comply with data privacy regulations is pretty new, and the role that marketing plays in compliance is an even newer idea. If this discussion on privacy-related metrics seemed to come out of left field or raised even more questions for you, you wouldn’t be alone.

Often, data privacy feels like a subject matter where you’re always out of your depth — there are lawyers and dedicated privacy professionals that specialize in this sort of thing, after all. 

The most significant way that marketers can wrap their heads around data privacy and get their organization closer to compliance is through cookie consent management.

Cookies are the most visible and actionable ways in which an organization collects data on its consumers. Marketers typically own the company website and work with the data that cookies gather from consumers, so they’re often the ones left in charge of implementing cookie consent. To learn more about how you can manage cookie consent, download our Cookie Consent Management FAQ.

Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now
Frame 481285
Share this article