Privacy Regulation Is Forcing Better Marketing Decisions

Privacy regulation has done something the industry spent years resisting: it has forced marketers to be more deliberate. The era of cheap, frictionless targeting built on third-party data is contracting, and what is replacing it is not chaos. It is a return to marketing fundamentals that were always more durable than the shortcut.

The practical reality for most advertisers today is that the rules of the game have shifted, the platforms are still catching up, and the gap between marketers who have adapted structurally and those still hoping for a workaround is widening every quarter.

Key Takeaways

  • Privacy regulation has compressed targeting precision across every major channel, and the gap will not close. The structural shift is permanent.
  • Marketers who treat consent as a compliance checkbox are leaving commercial value on the table. Consent rate optimisation is now a revenue function.
  • The teams best positioned in a privacy-first environment are the ones who built first-party data infrastructure before they needed it, not after.
  • Creative quality and media placement discipline matter more than they did five years ago, because targeting can no longer compensate for weak fundamentals.
  • Most of the industry is still measuring the wrong things. Privacy regulation has not broken measurement. It has exposed how fragile it always was.

Why This Moment Is Different From Previous Regulatory Cycles

I have watched the industry react to regulatory pressure before. GDPR landed in 2018 and most large advertisers treated it as a legal problem to be managed by the compliance team. Briefings went out, cookie banners appeared, and the media spend largely continued as before. The prevailing attitude was that this was a disruption to manage around rather than a signal to respond to.

What is different now is the convergence. GDPR was one regulation in one region. What we have today is a layered set of pressures arriving simultaneously: third-party cookies already deprecated in Safari and Firefox, Chrome’s trajectory still evolving, Apple’s App Tracking Transparency reshaping mobile attribution, state-level legislation in the US building piece by piece, and a global regulatory posture that is moving in one direction. GDPR established the template, and the rest of the world has been following it, at different speeds but toward the same destination.

The marketers who are struggling most right now are the ones who treated each of these as isolated events. The ones doing well built for the direction of travel, not just the current position of the road.

This is also a good moment to examine the broader context of how marketing teams are structured to respond to these pressures. The Marketing Operations hub covers the organisational and operational dimensions that sit behind decisions like these, including how teams are built, how budgets are allocated, and how performance is measured when the data environment is less clean than it used to be.

What Privacy Regulation Has Actually Done to Targeting

The honest answer is that it has degraded precision and increased cost per outcome across almost every channel that relied on behavioural targeting. Not destroyed it. Degraded it. And the degree of degradation varies significantly by channel, audience type, and how well a given advertiser has built their own data assets.

When I was running agency teams managing large performance budgets, the conversation about audience targeting was often about precision. How granular can we get? How tightly can we define this segment? The assumption was that more precise targeting was always better, and that the data to enable it would always be available. Both of those assumptions deserve scrutiny now.

More precise targeting was always better only if the targeting data was accurate. And third-party data quality was never as clean as the platforms suggested. The signals were probabilistic, the segments were modelled, and the match rates were often overstated. Privacy regulation has not just reduced the volume of targeting data available. It has also, indirectly, forced a more honest conversation about how reliable that data ever was.

The trust dimension matters here too. Consumer trust in platforms has been fragile for longer than the industry has wanted to acknowledge. Audiences are not passive recipients of targeting. They notice when ads follow them around the internet in ways that feel intrusive, and that perception shapes their relationship with the brands doing the targeting, not just the platforms enabling it.

One of the more consequential shifts I have seen in how sophisticated marketing teams operate is the elevation of consent management from a legal function to a commercial one. This is not semantics. It changes who owns the decision, how it is resourced, and what success looks like.

If your consent rate is 40% and your competitor’s is 65%, that is not a compliance gap. That is a data asset gap that compounds over time. The advertiser with a higher consent rate has a larger addressable audience for personalised targeting, better signal for attribution, and more valuable first-party data to inform creative and media decisions. The gap in consent rate translates directly into a gap in marketing effectiveness.

The mechanics of improving consent rates are well understood: clear value exchange, honest language, sensible UX, not burying the accept option or making the reject option deliberately hard to find. That last point matters because regulators are increasingly scrutinising dark patterns in consent interfaces, and the short-term gain from a manipulative consent flow is not worth the regulatory exposure or the brand damage when it surfaces.

Mailchimp’s approach to GDPR compliance is a reasonable reference point for how a major platform handled the consent question at scale. The broader lesson is that the platforms which invested in making consent clear and straightforward generally retained more usable data than those that tried to engineer around it.

What I would add from experience: the consent conversation with users is also a brand conversation. How you ask for permission to use someone’s data says something about how you think about your relationship with them. Teams that have thought about this carefully tend to write consent copy that is direct and specific rather than vague and legal-sounding. That specificity builds more trust and, in practice, generates higher opt-in rates.

The Creative Implications That Are Being Underweighted

Here is where I think the industry conversation has a significant gap. Most of the discussion about privacy regulation focuses on data, targeting, and measurement. Very little of it focuses on creative, which is where I think the most important adaptation is happening, or needs to happen.

When targeting precision was high, creative could be more narrowly calibrated. You could serve different messages to different audience segments with reasonable confidence that the right message was reaching the right person. That confidence is lower now. Which means creative has to do more work. It has to be relevant to a broader audience, more compelling on its own terms, and less dependent on the targeting layer to compensate for weak execution.

I judged at the Effie Awards for a period, and the work that consistently performed well in effectiveness terms was almost never the work that won on targeting sophistication alone. It was the work where the creative itself was doing the heavy lifting: the message was clear, the relevance was earned rather than assumed, and the execution was good enough that the audience chose to engage rather than being engineered into it.

Privacy regulation is accelerating a return to that standard. The campaigns that will hold up in a less targeted environment are the ones where the creative is genuinely good, not just efficiently placed. That is a different skill set from what a lot of performance marketing teams have been optimising for over the past decade.

Video is a specific area worth noting here. As contextual signals become more important than behavioural ones, the content surrounding an ad becomes more relevant to its effectiveness. Video content and the privacy considerations around it are increasingly part of how brands think about both creative delivery and data handling in a single channel decision.

What the Budget Conversation Looks Like Now

Privacy regulation has increased the cost of doing the same thing. That is the uncomfortable reality that does not always make it into the strategy deck. When you lose targeting precision, your effective CPM for reaching a genuinely relevant audience goes up. When you lose attribution fidelity, you tend to be more conservative in your bidding, which also increases cost per outcome. When you have to invest in first-party data infrastructure, consent management platforms, and clean room technology, those are real budget lines that did not exist five years ago.

The question is not whether these costs are real. They are. The question is how to think about them strategically rather than just absorbing them as overhead. How marketing budgets are structured and allocated has to reflect the new cost reality, which means some of the spend that previously went into paid media efficiency needs to be redirected toward data infrastructure and creative quality.

When I was turning around an agency that had been running at a loss, one of the first things I did was look at where money was being spent in ways that created activity rather than outcomes. The privacy-driven cost increases are, in a sense, forcing a similar audit across the industry. The spend that was going into cheap retargeting based on third-party data was often producing activity metrics that looked good but were not clearly tied to business outcomes. The pressure to justify spend more rigorously is not entirely a bad thing.

The teams I have seen handle this well tend to do three things. They consolidate their media into fewer, higher-quality placements rather than spreading thin across a long tail of inventory. They invest in creative testing to improve baseline performance rather than relying on targeting to do the work. And they build measurement frameworks that are honest about what they can and cannot see, rather than chasing precision that the data environment no longer supports.

The Measurement Problem Is Structural, Not Technical

A lot of the response to privacy-driven measurement degradation has been framed as a technical problem requiring a technical solution: better modelling, privacy-preserving APIs, data clean rooms, server-side tagging. These are all legitimate tools. But the underlying problem is structural, and no amount of technical sophistication resolves it entirely.

The structural problem is that the industry built its measurement frameworks on an assumption of near-complete visibility. Last-click attribution, granular conversion tracking, cross-device identity resolution: all of these were built on the premise that you could see most of what was happening and attribute it with reasonable precision. That premise is no longer valid, and the honest response is to build measurement approaches that acknowledge the gap rather than trying to paper over it.

I have always been sceptical of the idea that analytics tools give you reality. They give you a perspective on reality, shaped by what they can measure, what they choose to measure, and the assumptions baked into their models. That was true before privacy regulation and it is more obviously true now. The marketers who are most comfortable in this environment are the ones who were already treating their measurement as an honest approximation rather than a precise record.

Media mix modelling has had a significant revival for this reason. It is not a new technique. It has been used by large advertisers for decades. But it fell out of favour during the period when digital attribution seemed to offer something more granular. Now that the granular attribution is less reliable, the industry is rediscovering that MMM, done well, gives you a defensible view of channel contribution at a level of aggregation that is not dependent on individual-level tracking. It is not perfect. But it is honest about what it is.

Where Team Structure and Capability Need to Catch Up

The operational reality of adapting to a privacy-first environment is that it requires capability that a lot of marketing teams do not currently have in-house. Data engineering, consent management, first-party data strategy, privacy-preserving measurement: these are specialist skills that sit at the intersection of marketing, technology, and legal, and they are not cheap to hire or easy to find.

When I grew an agency team from around 20 people to over 100, the capability gaps that mattered most were never the obvious ones. They were the structural gaps: the skills that nobody had clearly owned, that sat between functions, that everyone assumed someone else was handling. Privacy compliance in a marketing context has exactly that character. Legal says it is marketing’s problem. Marketing says it is legal’s problem. Technology says it is both. And in the gap, nothing gets done well.

The question of how marketing teams should be structured to handle these cross-functional demands is genuinely difficult. There is no universal answer. But the teams that are handling privacy well tend to have one thing in common: a clear owner for data strategy who has the authority to make decisions that cut across legal, technology, and marketing, rather than having to negotiate every decision through three separate functions.

Smaller teams face a different version of this problem. They often cannot afford a dedicated privacy or data strategy hire. What I have seen work in that context is a clear-eyed assessment of what can be handled with good processes and the right tools, versus what genuinely requires specialist expertise. The mistake is assuming that because you cannot build a full team, you can ignore the problem. You cannot. You just have to be more deliberate about where you focus the limited resource you have.

The experience of teams scaling from small to mid-size is instructive here. The structural decisions made early tend to compound. A marketing team that builds good data hygiene and consent practices when it is small will have a significantly easier time as it grows than one that accumulates technical debt and compliance risk along the way.

The Competitive Advantage Nobody Is Talking About

Here is the angle that gets less attention than it deserves. Privacy regulation is not just a constraint. For advertisers who adapt well, it is a source of competitive advantage, because the adaptation is hard and most competitors are not doing it properly.

If your first-party data is richer, more consented, and more actionable than your competitor’s, you have a targeting advantage that does not depend on third-party data availability. If your creative is better calibrated to work without precise targeting, your baseline performance is higher. If your measurement is more honest and more sophisticated, your budget allocation decisions are better. None of these advantages are visible on a media plan. But they compound over time in ways that show up in commercial outcomes.

Early in my career, when I could not get budget for a new website, I taught myself to code and built it. The lesson was not about coding. It was about the competitive advantage that comes from doing the thing that is difficult rather than waiting for the conditions to be easier. Privacy regulation has made some things harder. The advertisers who treat that difficulty as a reason to build better infrastructure rather than a reason to complain will be in a materially better position in three years than those who do not.

The process of building that advantage is not glamorous. It involves data audits, consent platform configuration, creative testing frameworks, and measurement methodology reviews. None of it makes for a good conference presentation. But it is the work that matters, and the operational discipline required to do it well is exactly what separates marketing functions that drive commercial outcomes from those that generate activity and call it performance.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

How has privacy regulation changed digital advertising targeting?

Privacy regulation has reduced the availability and reliability of third-party behavioural data, which most digital targeting was built on. Advertisers now have less signal for audience segmentation, less fidelity in cross-device tracking, and more constrained retargeting capability. The degree of impact varies by channel and by how well an advertiser has built their own first-party data assets. Those with strong consented first-party data are less exposed than those who relied primarily on third-party audience segments.

What is the difference between a consent management platform and a cookie banner?

A cookie banner is a user interface element. A consent management platform is the system that manages, records, and enforces consent decisions across a website or app. The banner is the visible part of a much larger operational requirement. A properly configured CMP records what a user consented to, when, and under which version of your privacy policy, and passes those signals to your advertising and analytics tools so that only permitted data processing occurs. Many organisations have the banner without the underlying infrastructure working correctly, which creates both compliance risk and data quality problems.

Is media mix modelling a reliable replacement for digital attribution?

Media mix modelling is not a replacement for digital attribution in the sense that it measures different things at a different level of granularity. MMM measures channel contribution to business outcomes at an aggregate level over time. Digital attribution measures individual conversion paths in near real-time. Both have limitations. MMM is less granular and requires sufficient data volume and time periods to be reliable. Digital attribution is more granular but increasingly incomplete due to privacy constraints. The honest answer is that neither gives you a complete picture, and the best measurement frameworks use both in combination, alongside incrementality testing where possible.

Does privacy regulation affect B2B advertising differently from B2C?

Yes, in several meaningful ways. B2B advertising relies more heavily on professional context signals, LinkedIn targeting, and intent data from business research behaviour. Some of these signals are more durable than consumer behavioural data because they are collected in professional contexts where the value exchange is clearer. However, B2B advertisers are not immune. Email marketing consent requirements, lead generation data handling, and the use of third-party intent data providers are all areas where regulatory scrutiny is increasing. B2B teams that have not audited their data sources and consent practices are carrying more risk than they may realise.

What should a marketing team prioritise first when adapting to privacy regulation?

The highest-leverage starting point for most teams is a data audit: understanding what data you currently collect, where it comes from, whether it is properly consented, and how it flows through your martech stack. Most teams discover that their data environment is messier than they assumed, with tools collecting data they did not know about, consent signals not being passed correctly, and first-party data sitting in silos that cannot be activated. Fixing the infrastructure before investing in more sophisticated strategies like clean rooms or advanced modelling is the sequence that tends to produce the best return on effort.
