<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=388299605380721&amp;ev=PageView&amp;noscript=1">
Privacy, GDPR and Schrems II for Marketers
Blog featured image
Blog Author
Jonas Hagströmer Theodorsson

Get monthly notifications

Privacy, GDPR and Schrems II for Marketers

Privacy | 30 minutes

In this article, we would like to share with you the key information within privacy for marketers, share sources for further investigation and give you a simple tool that you can use to guide your team on the next steps.

Privacy and Why it's More Complex Than Ever

Today, when we write this article GDPR and rulings regarding Schrems II, are coming out from different countries in Europe. You can check the reference list at the end of this article to find all 101 complaints sent in regarding privacy violations for companies in Europe. So with more rulings coming out we expect best practices will change.


For example, the Danish Data Protection Agency press release from September 2022 stating that Universal Analytics is not compliant due to data transfer to US. They have also identified issues with the use of Google Analytics 4. Read the appendix section for details about their statements.


The Swedish authority for privacy protection IMY released there announcement "Four companies must stop using Google Analytics

 on the 3 July 2023

So how do tech companies communicate regarding privacy?

Here is a statement from Apple, a brand that wants to position itself as a leader in privacy:

“Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”

-Apple's General Stand on Privacy March 2022

“Some websites allow hundreds of different data collection companies to watch you, build a profile of you, and serve you ads as you browse the web. Intelligent Tracking Prevention in Safari uses on-device machine learning to help block those trackers. And you can get a snapshot of all the cross-site trackers Safari is blocking by visiting your Privacy Report in the Safari toolbar.”

-Safari Privacy features as described by Apple in March 2022

Read more about Apple's efforts on Privacy first and how it's built into their products

Stream our online course together with Voyado: How to solve Privacy for Marketers & eCommerce




Table of Contents


How to Collect Data

Strive for better privacy policy standards

Stronger Privacy Measures Lead to Higher Growth

Build direct relationships with your customers

Technology to collect first-party data from your customer relationships

Store first-party data, CRM, Marketing Automation or CDP

- CRM System

- Marketing Automation



Measure Conversions More Accurately With First-Party Data

Unlock Insights Through Machine Learning

The Future of Privacy and Rise of Privacy-first Browsers

- Brave

- Duck Duck Go

- Google Chrome


References Resources and Templates

- Data Act, European Commission

- GDPR, European Commission

- Glossary for GDPR

- EDPB, European Data Protection Board

- Ico. Information Commissioner Office UK

- Schrems II

- Google

- Podcasts


How to collect data

In order to respect the privacy of your customers, you must understand the correct ways to collect data. Let’s look at various ways to collect data safely, making sure that you’re respecting the privacy of your users.


Strive for better privacy policy standards

Brands can't transform other aspects of their business without setting a strong privacy policy in place where their customers feel that the brand respects their personal data and will make sure that it's safe.

81% of consumers say that the potential risks they face because of data collection outweigh the benefits, according to a study by Pew Research Centre.


A table of Collect, Measure and Activate.


Stronger privacy measures lead to higher growth

A common misconception among today’s marketers is that being privacy-centric makes it difficult for businesses to grow. This is far from the truth, in fact, making sure that your customers’ privacy is respected goes a long way in the growth of your business. Brands that have taken the matter of privacy seriously have shown a higher growth as compared to the brands that haven't. This highlights the fact that privacy is not only good for customers but also for brands. Let us show you how you can use privacy to your advantage and grow your business while keeping your customer secure and loyal to your brand.


Build direct relationships with your customers

The ability to build direct relationships with customers is a common thread that runs through all great brands. Brands should focus on building relationships with their customers by giving them what they’re looking for - the right value. People are way more likely to engage with a brand when they find value in their relationship with it.

If you’re starting from scratch, you must start by placing a cookie consent banner on your website. Make it clear, transparent and easy for the user to understand the value of sharing your data. Build trust and work on the details in the consent banner.

Below is a cookie consent banner from Swedish Fintech Klarna, 11 April 2022. Notice how it clearly states the value for the user if opted in.

Example of a "cookie consent banner"

You can read the full Klarna's Privacy Policy here.

Read the full guidelines from ico. - What is Valid Consent?

Max Schrem and Noyb have filed 226 complaints regarding GDPR complaints with 18 authorities against websites that use the popular cookie banner software (“OneTrust”) with deceptive settings. OneTrust also changed the standard settings to be more GDPR compliant. However, there are still many websites that do not comply. Read the full list of 226 complaints here


Informing your customers of the value they will get by sharing their data and how your brand will use their data is the most important part of building trust. It’s found that customers are happy to share their personal data when they know how the brand will use it. This is the best approach to consent, period.

Brands should be more focused on going beyond expectations than doing just the bare minimum for the sake of legal obligations. This will be highly advantageous for brands in the long run making them more successful.

Strengthen your customer relationships with the right value exchange. Here are a few different ways to offer value to your users in exchange for permission to use their personal information.

  • Recommend content or a product based on the way your users interact with your website or app.
  • Give your users a good reason, like convenience, to share their contact information with you. Users are more likely to share their contact information if they’re being notified regarding their favourite product getting back in stock.
  • You can offer a deal or coupon when people agree to provide their contact information to receive your marketing communications.
  • A golden way to take things to the next level is by inviting people to register for your loyalty program where they can receive rewards or exclusive benefits.
  • Early access to new drops in your future collection. Many DTC (direct-to-consumer) brands have a high pace of releasing new parts of their assortment resulting in the most wanted products being sold out within minutes.


Here is a great example from IKEA of what they use data for and why you should opt in:

Barbara Martin Coppola, Chief Digital Officer for IKEA talks about privacy and the importance of:

-Breaking down your privacy policy in the simplest way possible
-Putting customers in control of their privacy
-Realising that it’s only the right thing to do


Once you’ve determined how to use customer information to deliver better experiences, it’s important to explain to users what data is being collected, what value they’ll get by granting data permissions and how they’re in control.

Collecting data is an important step but handling it responsibly and being transparent is just as important. Once you’ve decided how to use the gathered customer information to deliver better experiences, it’s time to explain to your customers what data is being collected and how they’re in full control of the data they’ve shared with you. It’s also important to remind them of the value they’ll get by granting data permissions.


Here are the 3 M’s marketers should keep in mind while communicating with their customers:


The 3 M's for marketers: Memorable, Meaningful and Manageable.


Make it Memorable: It’s found that people who consciously agree to share their data are more open to ads presented to them and find them more relevant. This highlights the importance of a crystal clear, jargon-free privacy policy. Your goal as a marketer should be to save your customers from unnecessary confusion and help them understand your privacy policy as best as you can.

Template for Privacy Policy to ensure compliance with GDPR, Reference EU GDPR

Make it Meaningful: 9 out of 10 adults in the world say that they’re more likely to shop with brands that provide offers and recommendations relevant to them. This shows the importance of knowing your customers through their data and providing them with offers and recommendations for relevant products and services. This adds value to their experience and makes them more comfortable sharing their data with you.

Make it Manageable: People are 3 times more likely to react well to advertising when they feel in control of their data. So, the best thing you can do is to give your users full control of settings and features so they can decide how their information is used and when it’s deleted. Once a user has made a choice, it absolutely must be honoured.


Technology to collect first-party data from your customer relationships

Now that you’ve established a direct relationship with your customers by providing value, all you need is a few tools to generate insightful and actionable first-party data from your customer relationships wherever a customer interacts with your website, app or directly with your offline store. Let’s check out the tools that will help you collect and make the most of first-party data.

Server-side tagging

Collect first-party data from site visitors: A robust tagging infrastructure will help you make the most of the data consumers share with you when they engage with your website. You can use sitewide tagging solutions that can also set first-party cookies for measuring conversions. You can execute this type of tagging with either:

Setup of tags

  • Google’s global site tag in Google Tag Manager. Then use this in Google Ads, Display & Video 360, Search Ads 360 and Campaign Manager 360 to optimise your marketing mix.
  • Google Tag Manager for all Google and non-Google tags
  • Server-side tagging is available through Google Tag Manager and Tag Manager 360 so you can place third-party tags in a secure cloud server. 

Read more about how to set up Server-Side Tagging in GTM


Client-side tagging

These types of tagging solutions allow you to respect the consent choices of consumers. For example, advertisers operating in the European Economic Area and the U.K. can use

Consent Mode to adjust how the global site tag and Google Tag Manager operate based on user consent choices for ads cookies or analytics cookies. If users don’t consent to cookies, Consent Mode will use conversion modelling instead to fill gaps when conversions cannot be linked to ad interactions.


Collect first-party data from app users: Add a Software Development Kit (SDK) to your mobile app. SDK is designed to help you collect information from the actions people take when they download and engage with your mobile app. You can do this with the Google Analytics for Firebase SDK which is available for both Android and iOS apps.


Collect first-party data from customers: Invest in a Customer Relationship Management (CRM) tool to gather and organise the information that’s shared by people during offline interactions like store visits or phone calls. You can link this offline data with Meta as well as Google’s advertising and measurement tools like Google Ads, Google Analytics, Campaign Manager 360, and Search Ads 360.

Read more about Privacy control in Google Analytics 4

How to safeguard data


Store first-party data, CRM, Marketing Automation or CDP


CRM System

Customer relationship management (CRM) is a technology for managing all your company’s relationships and interactions with customers and potential customers. Simply put, it improves business relationships. A CRM system keeps brands in touch with their customers and improves profitability.


Marketing Automation

Marketing automation is a great way to effectively market on multiple online channels and automate recurring tasks. There are some great software and platforms like Klaviyo that help marketers and brands get ahead in the area of marketing automation. Here are some benefits of implementing marketing automation:

  • Higher customer lifetime value
  • Complete customer profile
  • Real-time segmentation
  • Accurate omnichannel attribution



Collecting first-party data is crucial for all marketers in order to deliver a personalised experience to their customers and display relevant ads. So you have obtained the necessary consent and are set to collect first-party data. But how do you store and manage this first-party data? What you need is a Customer Data Platform (CDP) which is designed to collect, segment and organise customer first-party data from various sources and combine it all to create a unified view of each customer. Here are some benefits of using a CDP:


  • Eliminate silos
  • Concise customer profiles
  • Direct data collection
  • Unified cross-channel marketing


Customer Data Platform (CDP)

Like with every software in your technology stack it's key to understand how to set them up in a privacy-safe way and to align with your legal team. Here are three examples of CRM, Marketing Automation and CDP. Click on each resource to learn how to use them in a privacy-safe way.


Hubspot, CRM system

Klaviyo, Marketing Automation

Voyado, CDP


Measure conversions more accurately with first-party data

Once you’ve established a first-party data foundation from practices like sitewide tagging, it can

enable your measurement solutions to work together and provide you with the most comprehensive reporting possible. For example, enhanced conversions allow site tags to use consented, user-provided data to give you a more accurate view of how people convert after engaging with your ads. This also expands your retargeting audience size.

Measure conversions and fill out the blank spots. The use of conversion API has increased dramatically. Still, you are passing personal data. So be careful and align with your legal team.


TikTok Advanced Matching and Events API (TikTok Pixel)

The TikTok Events API is a Server-to-Server (S2S) integration that allows you to share website and app visitor events directly to TikTok. Data that is shared via the Events API is processed similarly to information shared via the TikTok Pixel and TikTok SDK business tools. You can leverage events data to power solutions like dynamic product ads, custom targeting, campaign optimization and attribution. It’s best for larger eCommerce and non-eCommerce brands that have a dedicated development team to support integration.

Advanced Matching, More data from your first-party data collected. You can upload phone numbers or Email addresses from your opt-in customers 

Flowchart of how API works

META Pixel

When you use the Conversions API along with our other Meta Business Tools, you can gain additional insights into the people who interact with your business. One of the best practices is to use the Conversions API in addition to the Meta Pixel to help maximise the effectiveness of your website events.

Google Ads Measurement

Enhanced conversion is a feature that can improve the accuracy of your conversion measurement and unlock more powerful bidding. It supplements your existing conversion tags by sending hashed first-party conversion data from your website to Google in a privacy-safe way. The feature uses a secure one-way hashing algorithm called SHA256 on your first-party customer data, such as email addresses, before sending it to Google.

Enhanced Conversion for web


Unlock insights through Machine Learning

Google Analytics 4, the future of measurement

Okay, so you’ve set the tools in place to gauge and measure conversions. Are you missing something? Yes, you also need to consider the gaps that occur in the customer journey when people move across devices, from online to offline, browser restrictions, and different consent choices. This is where machine learning can greatly help fill measurement gaps.

Conversion modeling, for example, continues to be a key feature in Google’s measurement solutions. How does it work? Modelling uses observable signals to help paint a more complete picture of your performance in a privacy-safe way. Modeling can also set your campaigns up for success by enabling products like Smart Bidding in Google Ads to work better because of access to more complete information - all with user privacy at the forefront.

Google Analytics automatically enriches your data by bringing Google machine-learning expertise to bear on your dataset to predict the future behaviour of your users. With predictive metrics, you learn more about your customers just by collecting structured event data.

Once you implement predictive metrics, you can answer questions like - “Will this user convert?” Read more about Google Analytics 4 capabilities to predict conversion, revenue or churn in this post here.

Modeled conversion is a way to fill the gaps that can't be measured so that you have access to more data for your bidding algorithm in Google Ads. Read all about it here.

A common question regarding measurement and Google Analytics 4 is how IP addresses are tracked and if the data is sent to the US. The short answer is that they are not.

When collecting data, Google Analytics 4 does not log or store IP addresses.

  • Analytics drops any IP addresses that it collects from EU users before logging that data via EU domains and servers.

In addition, Analytics provides controls to:

  • Disable collection of Google signals data on a per-region basis
  • Disable the collection of granular location and device data on a per-region basis

Google Analytics 4 does not log or store individual IP addresses.

Analytics does provide coarse geo-location data by deriving the following metadata from IP addresses: City (and the derived latitude, and longitude of the city), Continent, Country, Region, and Subcontinent (and ID-based counterparts). Read more about EU-focused data and privacy



Future of privacy and the rise of privacy-first browsers

By now, you must have gotten a decent idea of the integral role of privacy. But what does the future hold for privacy in this rapidly evolving market?

  • Google’s announcement of ending support for third-party cookies by the fall of 2023.
  • Universal Google Analytics will stop collecting data by 1 July 2023
  • The new legislation will be coming out from the 101 Privacy Complains sent in by Max Schrems and the organisation Noby

It is clear how big companies like Google and Apple are driving change, initiating dialogue around the importance of privacy and finding ways to respect the privacy of the users. This has resulted in the rise of privacy-first browsers - a much-needed shift. Let’s look at a few browsers that have privacy as their top priority.



Brave is by far, one of the best privacy-first browsers at the moment. It has the strongest privacy protections which block trackers, cross-site cookie tracking, fingerprinting, etc. Brave claims to safeguard its users’ data by not collecting it in the first place. Try out the browser here.


Duck Duck Go

Even though this isn’t a browser, we decided to keep it on the list for how this small yet impressive extension keeps privacy as its number one priority. This extension offers a safer browsing experience on your not-so-safe browser.

Found back in 2008, the DuckDuckGo Privacy Browser mobile app and Privacy Essentials desktop extension both come with a tracker blocker, encryption enforcer and private search engine. This gives its users all the key privacy protection tools to search and browse privately, curbing the constant monitoring of internet activity by companies. Click here to try it out.


Google Chrome

The most popular web browser of our age is claiming to have evolved into a responsible, privacy-first browser. Google Chrome is widely used as the main browser for Windows (PC) and Android (Mobile) with a total of 3.2 billion users. Chrome is expected to put more focus on keeping privacy as its number one priority in the near future.


References Resources and Templates


Data Act, European Commission

23 Feb 2022, Data Act: Commission proposes measures for a fair and innovative data economy


“Today is an important step in unlocking a wealth of industrial data in Europe, benefiting businesses, consumers, public services and society as a whole. So far, only a small part of industrial data is used and the potential for growth and innovation is enormous. The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.”

-Thierry Breton, Commissioner for Internal Market


GDPR, European Commission

Official source of information from the European Commission. 


Find out what your organisation must do to comply with EU data protection rules and learn how you can help citizens exercise their rights under the regulation


Glossary for GDPR



EDPB, European Data Protection Board

The European Data Protection Board (EDPB) is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR)

Stay up to date with the latest publications from EDPB

The Article 29 Working Party (Art. 29 WP) is the independent European working party that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into application of the GDPR)

Article 29 Working Party, All archived news here.

Ico. Information Commissioner Office UK

The UK’s independent authority is set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

What is valid consent? Read all the details here.

Schrems II

Maximilian Schrems is an Austrian lawyer, who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program.


In 2021, Schrems II – the landmark data privacy verdict issued in July 2020 – continues to prevent businesses from carrying out basic data transfers to non-EU countries.

Read more about Schrems II here.

Max Schrem, rulings in Europe and the 101 complaints filed by Noyb 



The Danish Data Protection Agency, Datatilsynet

Read the full statements about the use of Google Analytics in the links below. They cover both Universal Analytics and Google Analytics 4. If the setup for Google Analytics or Google Analytics 4 is done in a way that doesn't use any personal data. Datatilsynet has no issue with the use of any of the methods. This requires deep technical understanding and customised setup.


Quote from the Q&A section on Google Analytics, Datatilsynet 22 Oct 2022

"But Google Analytics 4 does not collect IP addresses. Isn’t that enough?"


It appears from Google’s own documentation that the collection of data via Google Analytics is done via regional data centres. Google will use the IP address of the website visitor to determine the location of the nearest data centre. For visitors accessing the website of a Danish organisation, this is likely to mean that visitors connect to a European server before the data is sent to Google in the USA. However, in practice, it may also mean that visitors who access a Danish organisation’s website from other countries, e.g. from Asia, are never connected to a European server, but are connected directly to a Google server in the USA if this server is closest to the visitor’s location. In other words, the IP address of the visitor may be transferred to the United States before it can be anonymised.

For Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be direct connection to, among others, American servers before the address is discarded.




The French Data protection Agency CNIL guide for setting up Universal Analytics in a safe way avoiding personal data transfer to US. Important notice is that Google Analytics 4 should have another approach.


Sweden -Integritetsskydds Myndigheten IMY

3 July 2023

Companies must stop using Google Analytics

The Swedish Authority for Privacy Protection (IMY) has audited how four companies use Google Analytics for web statistics. IMY issues administrative fines against two of the companies. One of the companies has recently stopped using the statistics tool on its own initiative, while IMY orders the other three to also stop using it.

IMY has audited how four companies transfer personal data to the US via Google Analytics, which is a tool for measuring and analysing traffic on websites. The companies audited are CDON, Coop, Dagens Industri and Tele2. The audits concerns a version of Google Analytics from 14th of August 2020.



Read more about Conversion API and what signals and data META are using to optimize ads targeting. 

META Conversion API and Privacy White paper 2022

Signals Guidebook META 2022





Help with the EU user consent policy

The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA) and the UK. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.

The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.



Aurélie Pols on Google Analytics Rulings by European DPA's

Interview with Aurélie Pols, a Data Protection Officer with a background in Digital Analytics who knows all about the GDPR and its impact on Digital Marketing


Simo Ahava on Taking Control with Server-Side Tag Manager

Interview Simo Ahava, one of the most renowned Google Tag Manager specialist

Similar Articles

Get monthly notifications

July 3 2023 11:30:00 PM 30 minutes Yes