Data Privacy Best Practice Guide 


The ability to understand and utilise data has always been a big part of effective marketing. However, the scope, remit and complexity of data have expanded as marketing has become more digital. Modern marketing is now dependent on up-to-date and actionable data.

As a marketing asset, data serves three primary functions:

  1. It informs marketers about customers by providing the insights that allow them to segment and personalise marketing communications
  2. It enables marketers to plan and evaluate marketing tactics
  3. It empowers marketers to understand & articulate the value of marketing activities to the board

Data presents as many challenges as opportunities for marketers, who need to extract insight from it while respecting privacy. As data increases in importance, privacy, data management and data governance can no longer be afterthoughts for forward-thinking companies.

Highly publicised data breaches have contributed to greater customer awareness and scrutiny of how their data is used (and misused). In response, authorities in different jurisdictions have introduced legislation to provide greater visibility and privacy controls around the use of personal data.

In this guide for marketers, we’ll outline the key issues around data privacy that marketers need to understand. This will include an examination of trends around data privacy and implications for the collection and management of data.

What is data privacy and why is it important?

Data privacy is the protection of consumers’ personal data from those who are not permitted to access it. This implies that consumers can determine who can access their personal data and how it can be used.

Personal data includes:

  • Address and contact details.
  • Payment information such as credit card details.
  • Engagement data - interactions with websites and apps, such as pages viewed.
  • Behavioural data - transactions, products viewed, devices used.
  • Attitudinal data - expressed preferences, survey response data. 

Data privacy is important for a number of reasons.

  1. Fraud protection: At the more serious end, data leaks involving customers’ financial data and personal details may expose them to fraud or harassment.
  2. Consent: Data which is shared without the consumers’ consent can result in unwanted marketing, from emails to direct mail, to SMS and phone calls.
  3. Trust: More broadly speaking, there is an issue of trust. Businesses which fail to protect customer data, or overstep the mark in the eyes of consumers, are less likely to retain customers.
  4. Regulation: There are legal implications around data privacy. Regulations such as GDPR are setting higher bars for marketers to cross. Legislation related to data privacy has been introduced around the world over the past decade.
    This means that there are now heavy fines for the misuse of data and/or poor data security. For example, British Airways was fined £20m in 2020 for a data breach involving 400,000 customers. (1) In addition to any fines or legal actions, failing to protect consumer data can cause significant reputational damage.

 While data security may primarily be the responsibility of the IT department, the acquisition and use of customer data is an integral part of the marketing function. After all, customer data has the potential to improve the overall effectiveness of marketing, enabling brands to provide more relevant content and communications, and to improve the customer experience.

Marketers face two major challenges around data:

  1. Gathering customer data while complying with legislation and maintaining customer trust.
  2. Creating relevant marketing and experiences while using data responsibly. 

Consumer attitudes to data privacy issues

 High profile data breaches from firms such as Meta (Facebook) have contributed to growing consumer awareness about the use of their data online, but how do most consumers feel about data?

Consumer concerns about personal data

Deloitte’s Digital Consumer Trends 2020 survey found that 74% of UK consumers were very or fairly concerned about how companies they interact with online use their personal data (Figure 1). (2)

Fig 1: Data Privacy Concerns Amongst UK Consumers (Deloitte) (2)


The results suggest that consumers are relatively relaxed about data privacy, with the numbers of ‘very concerned’ falling over three years, and the figures for ‘not very concerned’ rising. Overall, the numbers of concerned consumers have fallen slightly over the three years, from 80% to 74%.

This may be a recognition on the part of consumers that the benefits of being online and using services involve a trade-off, and that handing over data is a price worth paying.

Attitudes also change according to the types of data shared. Deloitte found that consumers are willing to share data on demographics and product buying behaviour, with 40% even willing to share health information (Figure 2). However, many will draw the line at data such as location and income details. (2)

It’s important that marketers understand what kinds of data their customers are happy to share, and the point at which they feel uncomfortable. These will differ depending upon the type of business and the relationship that exists or is expected with customers.

The lesson for marketers is to be aware of this and only request reasonable information when creating things like lead generation forms. Once a customer demonstrates some intent such as completing a transaction then it might be possible to seek more data during the checkout process.

Figure 2: Consumer Willingness to Share Different Types of Data (Deloitte): (2)


Cultivating consumer trust
While not all consumers have major privacy concerns, research published by EY indicates that just 34% of CEOs felt that customers trust them with their data. (Figure 3.) (3)

Figure 3: CEO views on use of data within their organisations. (3)


Cultivating trust is a key challenge for marketers. To put this into context, a recent customer experience trends report from Acquia found that customers want personalised experiences and relevant communications from brands, but don’t necessarily believe that brands have their best interests at heart when using their data. (4)

  • 90% of survey respondents want a convenient experience when they interact with a brand online.
  • 80% would be more loyal to a brand that understands them and what they're looking for.
  • 68% of customers say the brands they regularly interact with understand their preferences, provide what they are looking for and anticipate their needs.
  • 61% are not confident that brands have their best interests in mind when they use, store or share their personal data.
  • 83% wanted stronger data privacy laws in their country.  

Perhaps there’s a realism from consumers here. They are aware that there is a value to their data, and that brands aren’t using their data for altruistic reasons, but instead view it as a transaction. For marketers, the challenge is then to ensure that consumers see the value of sharing data, and experience the benefits in terms of a better experience.

Why data matters to marketers

According to research by Invoca, 64% of marketing executives surveyed strongly agreed that data-driven marketing is crucial in the current marketing landscape. (5)

As a marketing asset, data informs, enables and optimises what marketers do. Let’s examine in more detail why data matters to marketers.

It provides the insights that allow marketers to segment and personalise marketing, and to measure what works, and what doesn’t.

  1. Data informs strategy. Data enables you to understand your audience, your competitors, and informs the decisions you make around marketing strategy.
  2. Data enables more effective advertising. Personalised and targeted advertising is more effective. The best way to ensure that your ads are targeting the right people (at the right time and in the right place) is by capturing customer data across all touch points and unifying it in a central location. Tools like CRMs, CDPs, and DXPs exist for this purpose.
  3. Data is needed for measurement and optimisation. Different types of data are needed to optimise different customer touch points and interactions. CRM data collects customer interactions in one central location, while web analytics platforms collect and analyse website visitor behaviour, demographics, and other visitor attributes.
  4. Transactional data from customer purchases helps retailers understand past customer purchasing behaviour which can be used to make product recommendations and create content that better resonates with shoppers. All of this data is used collectively to optimise, improve, and streamline websites, customer journeys, and improve customer service approaches.
  5. AI, machine learning, and automation require data. Effective machine learning requires access to data. AI and machine learning can mine huge volumes of structured and unstructured data generated by campaigns and customer interactions to scale automation and personalisation.
  6. Data improves customer experience. A data-driven approach to marketing enables companies to unify messaging, content, and overall marketing approach across the many channels and devices consumers use to research products and interact with brands. The tools, platforms, and technologies that exist to streamline and personalise customer journeys are all powered by data.

Key data privacy regulations

 In response to shifting public opinion and high-profile corporate data scandals, the data privacy regulatory environment continues to evolve. In 2021, China became the 17th country to introduce a customer data privacy law akin to Europe’s General Data Protection Regulation. (6)

Further, according to the United Nations Conference on Trade and Development, 183 countries now have data protection and privacy legislation while 20 countries have draft legislation in the pipeline. (7)

Data regulations vary depending on jurisdiction. A common theme is that these regulations seek to empower the consumer by enabling them to control what data is held about them. In addition, customers should have information about how their data is used before they consent to share it.

The key regulations that most marketers need to consider are the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CCPA) and the USA’s Children’s Online Privacy Protection Act (COPPA). While these regulations are specific to their legal jurisdiction, marketers should familiarise themselves with their main themes and the spirit in which they were created.


The EU’s passage of the General Data Protection Regulation (GDPR) in 2018 was a game changer as it had far-reaching implications for anyone in Europe and those doing business in Europe. It gave greater rights to consumers over their data, and required marketers to rethink policies around collection and use of data.

With potential fines for non-compliant companies of up to £17.5 million or 4% of annual global turnover (whichever is the largest amount), the legislation has real power behind it.

If you want to read the full GDPR regulations, see reference (8), but keep in mind they’re exhaustive.

GDPR regulates the processing of personal data of EU citizens, or ‘data subjects’. It is primarily designed to give greater protection and rights to individuals while also reducing the risk of their personal information being exploited or misused. This is done by limiting the amount of data that can be collected by companies, the way it can be used and the amount of time that it can be stored.

Here’s a summary of some of the things that the GDPR addresses. The GDPR applies to any file or database with personally identifiable information across all departments (marketing, research, customer service, etc).

  • Personal data must be kept current, accurate, and secure.
  • Companies must be transparent about how users’ personal data is used.
  • Data collection should be kept to a minimum, only what is necessary.
  • Companies must obtain consent before collecting personal data.
  • Companies are only allowed to use data as set out to the customer when they consented.
  • Anyone under 16 years old cannot legally give consent. In this case, consent is needed from a parent or guardian.
  • Companies cannot collect sensitive data (race, political affiliation, religion, health info, and convictions).


The California Privacy Rights Act (CCPA) was passed in 2018. Like GDPR, the CCPA was created to give consumers more control over their personal information.

The law applies to any for-profit business that operates or does business in California with some additional stipulations (business size, data collection practices, etc). (9)

Privacy rights included in the law include:

  • Consumers have the right to know what information a business collects about them and also how this information is used.
  • Consumers have the right to delete personal information that’s already been collected.
  • Consumers have the right to opt out of the sale of their personal information.
  • Consumers have the right to non-discrimination for exercising CCPA rights.

Under the CCPA, businesses must clearly explain their privacy practices to California residents and honour opt-out requests from consumers who don’t want their personal information sold. Businesses must also notify consumers that they’re collecting information at or before the time of collection.


Another US law, the Children’s Online Privacy Protection Act (COPPA) was passed way back in 2000. (10)

The law regulates the collection of personal information by entities under US jurisdiction from minors. While it is an American law, marketers should consider the goal of the act and bring this learning into their own jurisdiction. It has since been updated to broaden the type of personal information protected to include things like screen names, email addresses, and video chat names. It also extends privacy restrictions to photos, audio files, and street-level geo coordinates.

According to the Federal Trade Commission (FTC), COPPA imposes requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Further, the FTC also asserted that COPPA applies to any online service that is directed to U.S. users or knowingly collects information from children in the U.S., regardless of its country of origin. (10)

There are other privacy laws in the US, though they tend to be less centralised than Europe’s overarching GDPR. Some of them include regulations for specific verticals, like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which protects non-public personal financial information.

While all of these privacy laws differ by region, they share some commonalities that can help marketers address data privacy in a comprehensive, proactive way.

For example, both GDPR and CCPA give consumers the right to access, delete, and opt-out of providing their data. The following table compares some of the differences between the two laws.

Figure 4: Comparison of GDPR and CCPA:


The need for marketers to focus on zero and first party data

The data that marketers collect from consumers and use can be broken down into four categories.

  • Zero party: This is data your customers directly and intentionally share with a business - email addresses, product preferences and more.
    Example: Personal information and preferences submitted directly by customers. It is often gathered in exchange for something of value to the user, such as an email address for an ebook download.

  • First party: This is data gathered by tracking and observing user behaviour on a website and interpreted by marketers to build out segmentation and targeting.
    Example: Customer browsing behaviour on websites and apps, purchase and communication history.

  • Second party: This is data you receive from someone else. It’s typically used between partners who share audience insights for mutually beneficial reasons. Essentially, second party data is someone else’s first party data.
    Example: A car dealer may share information with non-competing brands which target the same type of buyer.

  • Third party: Third-party data is any information collected by an entity that does not have a direct relationship with the user the data is being collected on. It’s generally collected via web cookie tracking.
    Example: A car dealer may purchase data on web users who have recently browsed automotive websites in order to serve ads to this audience segment.

The shift away from third party data

With the increased emphasis on data privacy, marketers need to reconsider their approach to different data types as they vary in quality and reach. For example, third party data may help you reach a larger segment of potential customers, but the quality of insight and level of customer intent is likely to be lower than that from first or zero party data.

Figure 5: Relative quality and reach of data types


In particular, the use of third party data is under threat from various directions. Principally, the thrust of legislation such as GDPR makes the sharing of data and permissions between parties challenging, while major browsers have responded with moves to phase out third party cookies.

One example of the challenges marketers face is a recent ruling around the Transparency and Consent Framework (TCF). The TCF is a system developed by IAB Europe to help advertisers collect and manage customer consent for advertising.

The TCF supports the capture of users’ preferences through a Consent Management Platform, usually a pop up. These preferences are stored in a 'TC string', which shares the user's preferences with advertisers and ad tech vendors so companies know whether or not they can use this data for retargeting and other forms of advertising.

The Belgian Data Protection Authority found that IAB Europe, through the use of the TCF framework, was in breach of GDPR. The fact that the consumer consent pop ups failed to adequately inform users of the way their data is processed constituted a further breach of GDPR. (11)

While there may yet be appeals, this ruling brings many of the current cookie consent systems into question, and therefore threatens the use of third party data.

Apple’s introduction of ‘ask not to track’ on apps downloaded via its App Store is a further threat to third party data, but perhaps the biggest threat is that major web browsers are committed to phasing out the use of third party cookies.

What are third-party cookies?

Third-party cookies are small pieces of data that contain information about a website visitor. They’re called third-party cookies because they’re created by a domain different from the one the user is on.

Once placed on a user’s computer as they visit a website, the third-party cookie lives in the user’s browser and is used by digital ad platforms to target ads and track consumers as they navigate the web.

For example, after leaving a fashion website, you may see ads for the trainers you viewed as you arrive at another website.

The problem with third-party cookies is that they make it difficult for users to control their personally identifiable information, which means companies can’t reliably remain in compliance with privacy laws. 
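To make the first-party/third-party distinction concrete, the following added example (not part of the original guide) audits the Set-Cookie headers seen while loading one page and labels each cookie by whether the domain that set it matches the site the user is on. The page URL, responses and the short suffix list are constructed sample data, and the function names are this example's own.

```javascript
// Added example: classify cookies observed during a page load as first- or
// third-party. All sample data below is constructed for illustration.

// Assumption: a tiny list of multi-label public suffixes. A real audit should
// use the full Public Suffix List instead of this constructed subset.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

// Reduce a hostname to its registrable domain ("site"), e.g.
// shop.example.co.uk -> example.co.uk, ads.tracker.example.net -> example.net
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// For every cookie set by any response, report who set it and how it is scoped.
function auditCookies(pageUrl, responses) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const report = [];
  for (const response of responses) {
    const site = registrableDomain(new URL(response.url).hostname);
    for (const header of response.setCookie) {
      const { name, attributes } = parseSetCookie(header);
      report.push({
        name,
        site,
        // Third-party: set by a site other than the one the user is visiting.
        party: site === pageSite ? "first" : "third",
        // SameSite=None together with Secure marks a cookie for cross-site use.
        crossSiteEnabled:
          String(attributes.samesite).toLowerCase() === "none" &&
          attributes.secure === true,
        // Max-Age or Expires means the cookie outlives the browser session.
        persistent: "max-age" in attributes || "expires" in attributes,
      });
    }
  }
  return report;
}

// Constructed sample: a user views a product page on a fashion retailer's site.
const SAMPLE_PAGE = "https://shop.example.co.uk/trainers";
const SAMPLE_RESPONSES = [
  {
    url: "https://shop.example.co.uk/trainers",
    setCookie: ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
  },
  {
    url: "https://cdn.example.co.uk/app.js",
    setCookie: ["ab_test=variant-b; Domain=example.co.uk; Path=/"],
  },
  {
    url: "https://ads.tracker.example.net/pixel.gif",
    setCookie: ["uid=9f2c; Max-Age=31536000; Secure; SameSite=None"],
  },
  {
    url: "https://widgets.example.org/embed.js",
    setCookie: ["prefs=1; Path=/"],
  },
];

for (const row of auditCookies(SAMPLE_PAGE, SAMPLE_RESPONSES)) {
  console.log(
    `${row.name.padEnd(8)} ${row.site.padEnd(14)} ${row.party}-party` +
      (row.crossSiteEnabled ? " cross-site" : "") +
      (row.persistent ? " persistent" : "")
  );
}
```

In the sample, the `uid` cookie is the kind the text describes: set by a different site, persistent for a year, and explicitly enabled for cross-site use.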


Apple’s Safari and Mozilla’s Firefox browsers currently block third-party cookies by default. Google announced plans to block third party cookies through its Chrome browser in March 2021, though it announced recently that it planned to delay this move until 2023. (12)

As Chrome holds almost 63% of the global browser market, this delay is significant, and probably linked to the fact that almost 90% of Google’s revenue is earned from ads, much of it targeted via the use of third-party cookies. (13) (14)

Despite this delay, the direction of travel is clear, and marketers will need to wean themselves off these cookies. The future will be about consensual data gathering.

How marketers can collect zero and first-party data

Marketers need to focus on sources of zero and first party data, in order to obtain data in compliance with legislation, and to meet customer expectations.

Data can be gathered from several channels:

  • Information can be gathered through CMPs and preference centres.
  • Subscription data. People who subscribe to receive content such as ebooks or emails are expressing an interest and can be a valuable source of data.
  • In-store data. Knowing a customer’s channel and shopping preferences can help you understand and personalise the customer experience.
  • Customer service data. Data about customer interactions and help desk items can provide valuable insights.
  • Survey and customer feedback data. Why not ask customers directly for feedback? Use surveys and feedback forms to gather information on customers’ demographics, opinions of your products, and communication preferences.

Whatever the channel, it’s important that marketers provide a value exchange. Many customers know that their data has value, as Cathy Tyrell-Knights, Digital Product Owner at BT told MarTech Alliance:

“We're seeing customers, especially with GDPR, being a lot more aware of what data they have and almost seeing their own data as a commodity. What will you give me if I give you my data? People are looking for much more value.” (15)

It’s important for marketers to consider what value they can offer to customers in return for the use of their data. Think of brands like Spotify and Netflix. Customers see the direct benefits of data sharing because the more data they share, the more relevant and personalised their recommendations become.

Considerations for effective data value exchange

Here are some examples that demonstrate how data can be exchanged in return for enhanced CX.

Zero party data as business model

In this example Thread offers personalised tailoring recommendations, using data submitted by users.

This includes preferred styles, measurements, age, price range and other clothing preferences. This enables the retailer to gather some very useful and detailed information, and should lead to more relevant product recommendations and a personalised site experience.


Free tools

Free tools are a great way to advertise a product or service, and to gather data from potential customers.

For example, social media tool Sparktoro offers a range of free tools that are useful as standalone software, but also give users a taste of the broader platform. All users have to do is register and provide a few details.

Account Registration

When people register for accounts in return for access to content, or perhaps as part of the purchase process, this is an opportunity to obtain useful information on preferences and more.

It’s important to remember the value exchange though, so emphasise the value of registration, such as ease of repeat purchase and relevant content and product recommendations.

Access to Content

 Report or ebook downloads are a valuable B2B tactic to attract details from potential leads.

Ebooks are usually offered in exchange for contact details and other information such as job title and company size.

Preference Centres

Preference centres allow customers to set their product and contact preferences and can help to build up customer profiles.

It’s important that, once customers have made the effort to share their data, they see the benefits of this in terms of relevant content and personalised product recommendations.


The technology that can help marketers manage data privacy

Marketers have been investing heavily in data related tech over the past few years.

Research conducted for our Martech Report 2021/22 found that many marketers are planning to buy data related technology in 2022. Digital commerce platforms, digital experience platforms (DXPs), marketing and analytics attribution platforms and customer data platforms (CDPs) are key targets for marketing investment. (16)

Figure 6: Which major martech tools does your organisation / typical client plan to add to their marketing stack in the next 12 months?


While these tech investments are not necessarily made in order to manage data privacy, many will be purchased with this in mind. For example, tools such as customer data platforms and data management platforms can help marketers with the use of consumer data.

 “The increase in both spend and education around analytics, attribution, and business intelligence within marketing have really taken a leap in 2021. As marketing efforts have become even more data-driven and digitally focused, marketers have been asked to be accountable for the money being spent and are investing in the tools and resources to demonstrate that and take action accordingly.” - Brooke Bartos, Director Of Marketing Operations & Analytics, Invoice Cloud (15)

Effective marketing increasingly requires access to zero and first-party data - to personalise campaigns and messages, customise content down to the individual customer, and accurately attribute marketing spend to outcomes.

Thanassis Thomopoulos sees three key challenges for marketers to overcome, in response to changes around privacy and data access.

“How do we measure the efficiency of our marketing, how do we come up with a reliable ROI, how do we model the people we can't measure?

In the light of this, how do we optimise budget allocation and feed incomplete data back into our models?

Also, how do you keep on providing a personalised experience to users who want so badly not to be tracked that they don't allow you to know anything about them?” - Thanassis Thomopoulos, Head of Global Marketing & Commercial Analytics at Adevinta

Some major martech tools can help marketers to manage customer data and store customer preferences to ensure compliance.

Consent Management Platforms

Consent Management Platforms provide a user interface and back-end integrations that allow individuals to manage their consent settings and then have those settings enforced. CMPs directly address specific privacy regulations such as GDPR.

For example, The Guardian prompts website visitors to accept or manage cookies, while providing some information on how they are used by the publisher and its advertising partners.


CMPs power the banners and popups visitors see when they arrive at websites. They usually request permission to serve cookies for various purposes, and offer options to manage cookies.

For example, users may want to reject cookies used for advertising, though in truth, many users will simply click accept so they can get on with reading an article.

Due to the proliferation of different digital devices, it’s important that CMPs work across different devices and channels.

Preference Management Platforms

Preference centres are often used to allow customers to adjust the frequency of email communication, or to select product preferences. Used well, they offer benefits for brands and users.

These centres allow for the collection of zero party data and allow brands to present the value exchange to the user. For example, by explaining that data will be used to personalise online content and email communications, or to deliver relevant promotions.

Customer Data Platforms (CDPs)

CDPs help companies create a persistent, unified customer database by pulling data from various sources then cleaning it and combining it into one single ‘source of truth’. The profiles created can then be used by other systems (e.g., for the segmentation and targeting of ad campaigns).

A CDP can help you deliver and manage a robust data governance plan to mitigate your risks both legally and from a brand trust decay perspective.

Digital Asset Management Platforms (DAMs)

A DAM is a piece of software that helps you manage all your digital assets. For marketers, it offers efficiency in terms of accessing and reusing existing assets - text content, video, images and more.

In the context of data privacy, a DAM can help you to store and manage images, video and other data related to customers, and the linked privacy data and preferences.

It also aids compliance. For example, GDPR and related legislation allow data subjects to ask for personal data to be removed by brands. A DAM enables brands to find and remove this data.


In Conclusion

The use of consumer data is essential for modern marketing, which means that marketers must balance data privacy with the need to deliver effective marketing and exceptional customer experience.

The first step to achieving this balance is to create consumer-first data privacy policies and approaches that comply with privacy laws and put consumers at ease about the safety of their data and how it’s being used.

More broadly, there is a challenge for marketers to ensure that users see the value of taking time to provide information in the form of a better customer experience.

For marketers, with many forms of third party data on the way out, the focus needs to be on zero and first party data.

Further Reading


1 Source: ICO, ‘ICO fines British Airways £20m for data breach affecting more than 400,000 customers’, ICO, October 16, 2020.

2 Source: Paul Lee, Cornelia Calugar-Pop, ‘Changing attitudes to data privacy: Digital Consumer Trends 2020’, Deloitte, October 21, 2020.

3 Source: John de Jonge, ‘The CEO Imperative: How has adversity become a springboard to growth’, EY, March 8, 2021.

4 Source: Graham Charlton, ‘Brands Failing to Meet Customer Experience Expectations: Report’, MarTech Alliance, August 25, 2021.

5 Source: Derek Anderson, ‘Data-Driven Marketing Trends for 2022’, Invoca, December 20, 2021.

6 Source: Daniel Barber, ‘Navigating data privacy legislation in a global society’, Tech Crunch, October 2, 2021.

7 Source: UNCTAD, ‘Data Protection and Privacy Legislation Worldwide’, UNCTAD, 2021.

8 Source: EUR-Lex, ‘GDPR Regulations’, EU, 2021.

9 Source: State of California Department of Justice, ‘California Consumer Privacy Act (CCPA)’, State of California Department of Justice, 2021.

10 Source: FTC, ‘Children's Online Privacy Protection Rule (COPPA)’, FTC, 2021.

11 Source: Graham Charlton, ‘IAB Europe's Cookie Consent Framework Breaches GDPR Rules’, MarTech Alliance, February 10, 2022.

12 Source: Graham Charlton, ‘Google Defers Demise of Third Party Cookies on Chrome’, MarTech Alliance, June 25, 2021.

13 Source: statcounter, ‘Browser Market Share Worldwide’, statcounter, February 2022.

14 Source: Cookie Script, ‘All you need to know about third party cookies’, Cookie Script, December 21, 2021.

15 Source: MarTech Alliance, ‘2022 Predictions for martech and marketing’, MarTech Alliance, January 2022.

16 Source: MarTech Alliance & Moore Kingston Smith, ‘The Martech Report 2022’, MarTech Alliance, October 2021.