For marketers, the rise of data privacy regulations like the GDPR and CCPA/CPRA can feel like the end of an era. Marketers once had access to rich, individual-level data they could use to target and measure every dollar of spend across digital channels. But suddenly, collecting that data puts businesses out of compliance and threatens consumers’ trust in the brand.

Nobody, however, thinks data-driven marketing should or will go away. Marketers just need to find an approach to collecting and working with data that respects consumers’ right to privacy.

In short, marketers need to become proficient in privacy-first marketing.

A privacy-first approach allows marketers to access the data they need to make insightful decisions but bakes in data privacy principles throughout the marketing process. It respects consumers’ personal rights, complies with major data privacy regulations, and safeguards consumer data from mismanagement or security breaches.

Let’s dive into privacy-first marketing, explore its key features, and identify the benefits it can have for a modern marketer.


How we got here and why privacy-first marketing matters

While it was by no means the first data privacy regulation, the GDPR was the first comprehensive, modern data privacy law. Enacted in 2016, the law was a response to a slew of data breaches and the unethical use of consumers’ personal data and was followed swiftly by other data privacy regulations like California’s CCPA/CPRA, Brazil’s LGPD, and more.

Crucially, you may be subject to these laws even if your business isn’t based out of the associated jurisdiction. If you provide products or services to enough residents of a covered jurisdiction, then you need to comply with the associated law. As an example, you might be a Texas-based business that sells a digital product all across the US. If you process the personal data of at least 100,000 California consumers, then you’re still subject to the CCPA/CPRA even though you’re headquartered in Texas.

Complying with these laws means fundamentally recognizing consumer data as the property of that consumer — if your business wants to use it, then you have to ask for it first. The result is greater trust and reduced legal risk. The question on marketers’ minds, however, is whether that trust and reduced risk come at the expense of marketing insights.

When practiced rigorously, privacy-first marketing strikes a balance between compliance and actionable data. Marketers that understand how data privacy works maximize their ability to collect data in an ethical way and minimize their risk of damaging their companies’ reputations, upsetting their consumers, and running afoul of the law.

Cookies and privacy-first marketing

What are cookies?

If there is any one technology that marketers need to understand before taking a privacy-first approach to marketing, it’s cookies.

Cookies are small text files placed in a visitor’s browser by the website they’ve chosen to visit or by a third party partnering with that site (though the latter may be going away — more on that later). If a website owner wants to analyze their visitors’ behavior, they can do so by seeing what cookies have been stored in their visitors’ browsers.

So, this could include which website they were on previously, whether they’re a new or repeat visitor, what buttons they clicked on, what pages they visited previously in the same domain, and so on. Advertisers can also use cookies to automatically serve up ads based on prior search and browsing history. Retailers can use cookies to save which items a consumer clicked on in their digital storefront, thereby enabling them to show those same items in the shopping cart.

For marketers, cookies mean they can retarget consumers who previously visited their website, measure the effectiveness of new campaigns, see how changes to their website impact user behavior, and more. In essence, cookies provide the data that digital marketers need to do their job.

Storing consumer data and exposing it to website owners is essential to how cookies work, so there isn’t a way for a marketer to use cookies without collecting consumer data. However, some types of cookies provide consumers with more or less privacy, and there are practices marketers can deploy that make collecting cookie data compliant and ethical.

Securing cookie consent

Under cookie laws like GDPR and CCPA/CPRA, placing cookies on consumers’ browsers and tracking that data indiscriminately isn’t in compliance. Companies can and do receive fines for improperly collecting consumers' data through cookies. Under the GDPR, for instance, companies have been fined anywhere between €28 and €748,000,000.

Fortunately, you can compliantly drop and track cookies on consumers’ browsers: you just have to ask for consent in the right way.

Do you need consent?

Every data privacy law requires you to ask for consent, but you might sell to customers in a jurisdiction that doesn’t have a data privacy law. If so, you don’t have to ask for consent before dropping cookies on a consumer’s browser.

However, this practice can’t really be called “privacy-first marketing,” since issuing cookies without consent doesn't really respect the consumers’ privacy even when it’s legal. Privacy regulations are becoming more common, and respecting consumer privacy is just the right thing to do anyhow, so we recommend asking for cookie consent regardless of whether you’re legally required to do so.

Is consent opt-in or opt-out?

Under regulations like the GDPR, businesses need to ask consumers to explicitly opt in to cookies. This can be done by, for example, clicking a button, ticking a box, or otherwise proactively demonstrating that they’re comfortable with being tracked by cookies.

Under most US data privacy laws, such as the CCPA/CPRA, businesses only have to offer opt-out consent. So long as the consumer is informed in a conspicuous way (such as by a pop-up banner) and given the option to opt out of cookies, businesses can assume that consumers consent to cookies if they continue to use their site.

Data privacy laws are changing all the time, however, and if a business wants to err on the side of caution, it’s best to default to offering opt-in cookie consent as it’s considered to be the practice that’s more in line with consumer rights.

Managing cookie consent

Whether you offer opt-in or opt-out consent for cookies, user consent management is essential. Marketers and website owners can’t merely show a cookie banner with “Accept” and “Reject” buttons that do nothing. Whether consumers consent to cookies and what sorts of cookies they consent to need to be recorded and acted upon, which will require either in-house development work or a third-party solution.

It can be frustrating to have to fiddle with the backend of your website to ensure that the only cookies that fire are the ones your website visitors have consented to. Furthermore, you need to keep a long-term record of consent in case you get audited by a data protection authority. While it’s possible to do this work in-house, most marketers purchase a consent management platform (CMP) to simplify the technical aspects of cookie consent. That way, you’re one step closer to the actionable, compliant data you need to do your job better.
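One way to act on and record visitors' choices in-house, shown as an added example rather than code from this article or from any CMP vendor. The tag names, category list and record fields are assumptions; the opt-in and opt-out defaults follow the description of the GDPR and CCPA/CPRA above.

```javascript
// Added example: consent-gated tag firing. All names here are hypothetical.
const CATEGORIES = ["analytics", "personalization", "marketing"];

// Constructed tag inventory: each cookie-setting script declares a category.
const TAGS = [
  { name: "page-analytics", category: "analytics" },
  { name: "recommendations", category: "personalization" },
  { name: "ad-retargeting", category: "marketing" },
  { name: "legacy-widget", category: undefined }, // never classified
];

// State before the visitor touches the banner.
// "opt-in": nothing fires until the visitor agrees.
// "opt-out": tags may fire until the visitor objects.
function defaultConsent(model) {
  if (model !== "opt-in" && model !== "opt-out") {
    throw new Error(`unknown consent model: ${model}`);
  }
  const granted = model === "opt-out";
  return Object.fromEntries(CATEGORIES.map((c) => [c, granted]));
}

// Overlay the visitor's banner choices on the default. Only known categories
// with real booleans are accepted; anything else is ignored.
function applyChoices(model, choices = {}) {
  const consent = defaultConsent(model);
  for (const c of CATEGORIES) {
    if (typeof choices[c] === "boolean") consent[c] = choices[c];
  }
  return consent;
}

// Fail closed: a tag fires only if its category is known and explicitly granted.
function tagsAllowedToFire(consent, tags = TAGS) {
  return tags
    .filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map((t) => t.name);
}

// Immutable record to keep for audits: what was shown, what was chosen, when.
function consentRecord(visitorId, model, bannerVersion, consent, now = new Date()) {
  return Object.freeze({
    visitorId,
    model,
    bannerVersion,
    consent: Object.freeze({ ...consent }),
    recordedAt: now.toISOString(),
  });
}

// Constructed visitor: opt-in banner, accepts analytics only.
const choice = applyChoices("opt-in", { analytics: true, marketing: "yes" });
console.log(tagsAllowedToFire(choice));
console.log(consentRecord("visitor-123", "opt-in", "banner-v1", choice));
```

The unclassified `legacy-widget` tag never fires under either model, which is the behaviour to check for when auditing a tag inventory.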

Avoid dark patterns

Naturally, if you’re asking for consumers’ consent before collecting data from them, the total data available to you will drop. As a result, marketers might think that their task is to maximize the number of website visitors who give consent. This practice is known as consent rate optimization.

While using clear language and design in your cookie banner is a good practice that may increase your consent rates, it’s essential that you don’t try to “game” your cookie banner. Some organizations require additional clicks for users to opt out of cookies, or make the “Reject” button less noticeable than the “Accept” button — these are examples of dark patterns (i.e., manipulative design practices). Some data privacy regulations explicitly prohibit the use of dark patterns, but this manipulative practice goes against the spirit of all data privacy laws, whether it's explicitly mentioned or not.

Third-, first-, and zero-party data

Cookies come in different flavors, each of which has different implications for marketing and for consumer privacy. We’ll explain the differences between third- and first-party cookies, as well as how zero-party data can supplement them.

Third-party cookies

Third-party cookies are tracking codes generated by a company other than yours (i.e., a third party). Advertisers and social media companies use these cookies to track users’ movement from website to website, enabling them to build a profile for targeted advertisements. So, if your business partners with an advertising network, then that company uses cookies to identify which consumers are most likely to be interested in your product or service and then displays your ad to that consumer.

This can feel pretty creepy for the consumer. What if they don’t want their search and browsing history to follow them around on the internet? Moreover, advertising networks can gradually build up a scarily in-depth profile of a given user. This is both a security risk and a major invasion of privacy.

Data privacy regulations say that it’s fine to use third-party cookies so long as the consumer consents to them. Even still, consumers may not realize that these cookies follow them around as they navigate to different sites, and while the privacy issue of third-party cookies is solved by consent, the security issue remains. That’s part of the reason why third-party cookies are going away.

Google Chrome announced that it will stop supporting third-party cookies in mid-2024, joining other browsers like Safari and Firefox.

What does this mean for marketers? Essentially, it means that ad retargeting will become a lot less effective. Without third-party cookies, tracking users that had previously visited and interacted with your site and then serving up your ad to that user will be a challenge. However, marketers can adapt by leaning on other data collection methods — like using first-party cookies and zero-party data.

First-party cookies

When it comes to privacy, there’s a world of difference between first-party cookies and third-party cookies. Rather than track consumer behavior across websites, first-party cookies track behavior solely on one domain. Marketers can gather information about their visitors based on how they interact with their website, but they won’t be able to identify where visitors were before they visited their site or where they go afterward.

With this information, marketers can still craft a targeted marketing strategy — they just won’t be able to have that strategy follow consumers around.

Zero-party data

While not technically cookies, zero-party data is an essential part of a privacy-first marketing strategy. Rather than use tracking technology to gather data about consumer behavior and preferences, marketers can do the easy thing and just ask.

Zero-party data is information that the consumer explicitly shares. To a certain extent, marketers are already collecting zero-party data — whenever a consumer shares their email address on a form or fills out a contact card, for instance, they’re providing zero-party data.

But zero-party data can encompass more than just an email address. You can gather data on communication preferences, purchase intentions, areas of interest, and any other information that will provide the consumer with a better experience.

When done well, zero-party data collection gives something back to the consumer. It might be access to a valuable resource like an ebook, tailored product recommendations, or more relevant communications.

With third-party cookies being phased out, privacy-minded marketers will want to launch personalization strategies that rely on both first-party cookies and zero-party data.

Putting it all together for a privacy-first marketing strategy

So, how can marketers actually put all this information into practice? When implementing a privacy-first marketing strategy, there are three basic steps you should follow.

1. Focus on your privacy policy first

As a marketer, your company’s privacy policy might not seem relevant to you. But if you’re going to be collecting and working with consumer data, then this couldn’t be further from the truth.

Some will have the opportunity to collaborate with legal counsel or privacy professionals on their company’s privacy policy; others may need to assess an existing policy to determine whether it complies with regulation and meets the unique needs of a marketer at the same time. In either case, it’s essential that you extrapolate your privacy-first marketing program from your privacy policy.

For one, you need to adhere to what your privacy policy says when collecting and working with consumer data. Your policy will be designed to keep your company in compliance with data privacy regulations. In that sense, it’s as much a way to gain consumer trust as it is a way to guide your own data practices.

Furthermore, building a privacy policy will educate you on what you can, cannot, and must do with regard to your consumers’ data. Privacy policies can seem intimidating at first blush, but they’re much simpler once you understand their basic components. For a quick overview, check out our Ultimate Privacy Policy Checklist.

2. Establish a compliant data strategy

Once you’ve developed an understanding of your company’s privacy policy, you’ll want to craft a privacy-minded strategy for accessing marketing data.

At times, emphasizing data privacy in marketing can feel at odds with consumer and market demands. Consider the fact that:

  • 64% of executives strongly agree that data-driven marketing is the key to competitive success.
  • 74% of consumers are frustrated by irrelevant advertising.
  • 79% of Americans say brands must actively demonstrate “they understand and care about me” before they consider purchasing.


Don’t these statistics seem at odds with the demand for privacy? How can marketers gather the data that personalization and targeted advertising require while still respecting consumers’ right to privacy?

Unfortunately for marketers, consumers want to have their cake and eat it too; as marketers, it’s our job to make that possible. Success in the modern business world and in privacy-first marketing means that marketers need to source the requisite data for personalization, targeting, and attribution while protecting user privacy at the same time.

With an understanding of your company’s privacy policy, you can develop a data strategy that meets both requirements. The exact nature of your data strategy will depend on your industry, but there are some general tips to keep in mind.

Get creative when collecting zero-party data

For one, make sure you’re maximizing your ability to collect zero-party data. As an example, industries with complex customer lifecycles can exchange educational content for customer data, which can then be used in your marketing and sales efforts.

Or, if your product or service has a lot of variations, you might develop a digital questionnaire to help prospective customers self-select the product or service that fits their needs and that asks for consent to collect that data. You can and should get creative here, so long as you stay in compliance.

Act on your own and others’ first-party data

Make sure you’re maximizing the collection of first-party cookie data as well. If users spend a lot of time interacting with your website and app, then asking for consent to collect their usage data through a cookie banner can yield a lot of actionable information.

You can also benefit from the first-party data that other organizations are collecting. Large publishers and platforms like Google, Facebook, and others have the benefit of massive user bases with high engagement — that means they have tons of user data. Under the “walled garden” approach, you can provide them with ads for your brand and basic information about your company. Using internal ad platforms, walled gardens target your ads for you. At the cost of some control and insights, you’ll still get to target and personalize advertisements to the most relevant audiences on those third-party platforms — all in a compliant way.

3. Pick the right marketing software to act on your data strategy

With an understanding of both your compliance requirements and your data strategy, now you just need the tools to help you carry it out. Here’s what you need to keep in mind when evaluating these tools.

Review martech vendors’ privacy practices

Data privacy and martech aren’t always guaranteed to go together, so it’s important to evaluate how third-party martech vendors are treating the data you collect. After all, if your vendors are mishandling your customers’ data, then it won’t matter whether you’re compliant on your end; data privacy regulations still hold you liable.

If you work with a privacy professional, then evaluating vendors for their data privacy compliance will be a big part of their role. If not, then you’ll want to identify a vendor monitoring solution to ensure you can quickly get a sense of your martech solutions’ compliance track record.

Balance a solution’s compliance capabilities with the impact it will have on your role

Data privacy tools for marketers need to do more than enable compliance — they also need to have a minimal impact on your role.

Marketers are often put in charge of the company website, which means that many data privacy concerns fall in their lap too, whether it’s related to marketing or not. Thus, it’s important for marketers to get involved in the vendor evaluation process, since there’s a good chance they’ll be interacting with whatever data privacy software the organization settles on.

When evaluating data privacy software, you’ll want to ask questions like:

  • How will this tool impact website load speed?
  • Does it require tedious integrations with data tracking systems like Google Tag Manager?
  • Does it provide out-of-the-box cookie consent functionality, or will you have to manage consent banners on a per-jurisdiction basis?
  • Does it facilitate other privacy tasks (like data subject access requests, or DSARs) that you may become responsible for down the line?

Prioritize a CMP

There are a number of privacy or privacy-adjacent software solutions out there, like tools to support DSARs, records of processing activity (RoPAs), data processing agreements (DPAs), and any number of compliance minutiae.

Arguably, however, the most important solution for a marketer is a cookie consent tool. This will enable you to secure consent to data collection, which in turn means you can assess consumer behavior on your website, track which content resources consumers are converting on, identify preferences and tailor content to those preferences, and more. Moreover, you’ll be able to offer consumers the right to opt into or out of data collection for all cookies or just marketing, personalization, and/or analytics cookies, ensuring consumers have granular control over what data they permit you to track.

How Osano can help

A privacy-first approach to marketing may be a dramatic shift from the indiscriminate, bulk data collection of the 2000s and 2010s, but it’s one that ultimately enables a safer, more respectful internet for your customers. Marketers that learn how to support that experience and perform their jobs without violating their customers’ privacy rights will benefit.

But enabling that experience requires data privacy solutions designed with marketers in mind. When vendor selection is left up to the development and legal teams, marketing can get stuck with a solution that makes their job more difficult.

That’s exactly what happened to Mailgun. Mailgun’s marketing department was saddled with a solution that was overly strict and blocked basic metrics like anonymous page views for over half of their web traffic. Frustrated, the team turned to Osano.

The Osano CMP:

  • Takes just one line of JavaScript to install on your website and gets you and your organization compliant with every cookie consent law on the books.
  • Features a constantly updated vendor monitoring solution that uses a proprietary, 163-item ontology to assess more than 14,000 vendors’ privacy practices.
  • Provides additional features like DSAR support, ensuring your organization’s privacy professionals also benefit.


Privacy-first marketing requires a strong foundation. Let Osano be that foundation for your organization. Schedule a demo today.
