Data in a Cookieless World: Your questions answered by our panel of experts

Published on October 30, 2023 by Alex Eade

In October, we hosted an event in partnership with law firm, RPC, looking at how marketers will be able to use data in a cookieless world.

Our panel consisted of five industry experts – Kiran Dhoot, Associate at RPC; Sarah Edwards, Director at Make it Clear; Sarah Willcocks, CEO at Screen Pages; Kate Brinkley, Head of Digital Planning at The Specialist Works; and Tom Cox, Relationship Manager at Footprint Digital.

After the panel, we opened up the floor to questions from our attendees, and they had lots of things that they wanted to ask. Below are some of the audience’s questions…


Q: Are there any specific platforms that you’d recommend apart from Google Analytics to make sure that I’m tracking customer data as effectively as possible?

Sarah W: In an eCommerce context, what a lot of our merchants don’t realise is that there are data mining tools within their back office systems, so they are already able to do recency, frequency, and monetary analysis of their actual buying customers. This is first-party data that can be utilised, so that would be where I would start. If you don’t have that kind of analytics tool in your business somewhere, there are lots of third-party systems you can bring in that will allow you to do that. I know that a lot of email marketing platforms also allow you to do that analysis.

Kate: I’d also say – think about your CRMs. They’ll become more and more powerful, so think about what they can connect to, where is that data stored, and how secure it is. CRM, in terms of housing your own customer data, will become so valuable going forwards. Think about what its future-facing capabilities are in terms of business analysis, using its power for future advertising, retention strategies – all of that. There’s a lot of scope within CRMs – and it’s where your data is going to be.


Q: How important is it to personalise user journeys on a  website and how possible will personalisation be without third-party cookies?

Sarah E: So there will be some contextual opportunities to personalise those journeys. There are some machine learning techniques that can help with that customisation – then if you do have any first-party data you can start using that to customise. Things like chatbots can also be harnessed to collect first-party data, and you can start customising how you’re solving problems and how you’re creating a relationship with the customer through tools like that.


Q: How can we balance privacy and personalisation?

Kate: I guess it depends on what part of a user’s journey you’re looking at. That balance has got to be struck on an individual business level based on what you need consumers to know. There has almost been a tendency towards over-personalisation where marketers were trying to make everything so personalised that there would be dynamic creative tech pulling in hundreds of data points, and actually, none of it would match up, so the consumer would just get the generic ad. I’d say from an outward-facing, media acquisition perspective – think about the one thing you want that person to take away. That doesn’t need to be 100% personalised to the person – we just need to think about the mindset that person’s in when they’re consuming that content.

Sarah W: These cookies are also stored on a device that might be used by multiple people. It could be you, it could be your children, it could be your partner. So all of that content a marketer has been serving up, that they think is super personalised, might not be. It’s not been the perfect world of personalised content that it’s been made out to be. We’ve always had an imperfect system. We should really go back to basics.

Kiran: It’s a big question, isn’t it? A lot of it comes down to transparency. Personally, I wouldn’t be put off if I knew the secret sauce of why I’ve been shown a particular advert. We have cookie and privacy policies. I’d query how many people actually read them in practice, but having the option to be informed is actually quite key to the regulators. They are keen to avoid invisible processing that happens opaquely, and that delivers up sometimes imperfect ads. So you can do a lot of that balancing just by providing information in an accessible way.

And just a side point to that – the ICO has said we don’t want you to info dump, because that can be just as bad as providing no information. Context is key and some of the best privacy notices I’ve seen are literally in plain English with no legal jargon whatsoever. That really does wonders for improving transparency and balancing that interest out.

Sarah W: I agree. If you tell people why you want an answer to a question, or why you want their data, and you give them a ‘because’, they’re much more likely to answer the question. It’s probably in their interests for you to know this about them, and if it isn’t, they’ll just say no.


Q: Do you see any risks with using contextual data and how do you convey the change in approach to building trust with consumers? 

Kate: From a media perspective, contextual is about relevance and making sure that the ads you are putting out are as relevant as possible to those who are likely to see them. If you go back to the basics of contextual advertising, that’s what it is, it’s all about relevance. It’s then a planning decision about what is relevant to your audience and who you’re targeting. What’s relevant to a new mum is totally different to what could be relevant to an over-60 retiree looking at holiday packages. It’s really about the people that you want to bring to your business and looking at relevance from that aspect, always keep bringing it back to the people and then you can find the right contextual signals to go from there.

Kiran: It’s a little bit of an art to work out how little data you need to get the right context. Being able to justify why you’ve got each bit of data is actually key in making sure you can justify why it was collected in the first place.


Q: From a legal and regulatory perspective, of the privacy-enhancing technologies (PETs) that are already available, which do you think offer the most longevity?

Kiran: The thing is, it’s all very context-dependent. PETs is actually a very broad term. It’s any technology that could in theory increase the security of measures around data or limit its use to what’s strictly necessary.

There are quite a few PETs out there, but in the context of security and processing (which is where we tend to see PETs pop up most), something we haven’t talked much about in this panel is the security of processing and storing data. You can collect all the data you want, but if your systems are porous, you’re going to open yourself up to massive data breaches – and suddenly you’re in a world of fines and regulatory intervention.

So, PETs are actually quite important. As for longevity, it’s quite a technical question and is a bit beyond the legal sphere, because the obligation is that you have appropriate safeguards that are relevant and proportionate to the level of risk that you’re taking on with your collected data. So, for example, if you’ve got fairly innocuous data – somebody’s phone number, name, email address – you could use fairly standard PETs or ‘normal’ technology, encryption, which is a fairly common technology that we’re already aware of. Whereas if you’re trying to market something to pregnant women, you’re taking onboard health data – data to do with sexuality possibly. These are special categories of sensitive data and they attract a much higher level of necessary protection. So, you might want to use several technologies in conjunction with each other – some of which may be PETs, but let’s not underestimate the existing secure technologies that we’ve got in the mainstream as well.

The ICO does have its own guidance on PETs. They’re very keen for them to be developed, but see if they work for your use case. Take them with a pinch of salt.

Sarah W: Most breaches that we’ve seen are down to people sharing passwords or having silly passwords. They have the right systems but they don’t use them. They know that they need to be securing their data, but they’re not using two-factor authentication or the built-in systems properly. Breaches don’t happen because the technology isn’t up to scratch.

Kiran: 100%. The term is ‘technical and organisational’ measures. It’s not just what you’ve got on the servers, it’s who is looking over your shoulder and what’s that privacy screen on your laptop doing. Very basic things like don’t plug a random USB into your laptops.


Q: Many users use biometric data to access their accounts – are marketers prepared to manage this kind of data and what are marketing managers liable for? 

Kiran: So in terms of managing the data, it needs to attract the relevant level of security. That’s the starting point. But do you even need that biometric data in the first place? For example, some apps on your phone will have your thumbprint on them, but the app doesn’t need to see the thumbprint – it just needs a yes/no token from the system to authenticate you to go into the app. The person who owns the app or designs it doesn’t need to see your thumbprint and therefore that’s a form of data minimisation – which is one way you can manage or rather manage to not have biometric data.


Q: How do you suggest we increase consumer knowledge and engagement? 

Kate: That’s a big piece for the industry as a whole. I don’t think any individual is ever going to be able to answer that question alone. Going back to Kiran’s point earlier about education, and education that means something to a consumer. It’s all very well having lots of technical conversations and fear-mongering about data theft, which is what the media will pick up, but I think it’s about giving a sensible and considered viewpoint from the media that’s interpretable and digestible for a consumer. Loads of this becomes so technical and legal very quickly when we start to discuss it, and there are some principles in there that make this a lot more tangible for people. It’s also about showing people the benefits of consenting to data collection, and what consumers can gain from it. I don’t think we talk enough about the gains that consumers get – we just talk about the risks a lot, so there needs to be an industry rebalance on that.

Sarah W: Yeah, people don’t give data because we’re not telling them why you’re asking, and what the ‘because’ is. If you explain to them what you’re going to use the data for, generally people are happy to give it.

Sarah E: There’s that opportunity to think about explaining things in plain language, I think the stuff that the financial industry has been doing recently has been great. We have to talk about all of those products at a level, I think, that a seven-year-old could understand language-wise. I think it would be really nice to do the same with this because it isn’t going to be a cookieless future and we know that we’re going to have to explain cookies at some level all the time. So let’s really have a think about what that means to the consumer and the user – and how do we talk about it in a way that a kid could understand?