Privacy and cookies: where do we stand now?

State of the art and some activities to watch in 2023

In 2022, we talked a lot about cookies and privacy, issues that – for good or evil – will continue to be debated this year. It is therefore worth recapitulating past developments and the current situation to help us see how we can keep pace with events in this continuously (and rapidly) evolving world.

The State of the art

Since 1 January 2023, two new regulations concerning cookies have come into force in the United States, tightening up the rules in force to ensure greater protection for web users. Effective 1 January 2020, the California CCPA was expanded to become the California Privacy Rights Act (CPRA). Amongst other things, this document included new rights of modification and limitation of the use of the user’s personal data; in addition, the text to be inserted within the cookie banner was defined in detail. Another American state that has joined California in enacting legislation on the protection of personal data is Virginia, with the Virginia Consumer Data Protection Act (VCDPA), which is in some ways even more similar to European laws.


Remaining on US soil, let’s not forget that we are getting closer to a new agreement on the transfer of data between the United States and Europe, generally known as “Privacy Shield 2.0” (we already talked about this here). Last October, President Biden signed an executive order with the changes needed to “reassure” Europe about the passage of personal data between Europe and the United States. Now, the ball is back in the European court: the good news is that, at last, the European Commission has started the process to adopt a decision on adequacy. Once the process of adopting the decision has been completed, in line with what is spelled out there, personal data will be freely transferable to the USA. The adoption process is expected to be completed by spring of this year, but this is still not certain.

As we all know, in Europe, the importance attached to users’ privacy is increasing, as are the sanctions against large companies that do not abide by the legislation.

On 29 December 2022, the French CNIL fined Apple 8 million euros for not requesting consent for advertisements on French users’ iPhones. The trouble turned out to be iOS version 14.6, where personalised ads and data collection for profiling purposes were activated on the App Store without any consent from the user.

In the early days of 2023, another big player in the tech world was sanctioned: Meta, which received a fine of 390 million euros from the Data Protection Commission (DPC), the Irish Data Protection Authority. After consultation with the other European data protection authorities, the Irish Authority challenged Meta over several violations of the GDPR; in particular, it was confirmed that the company cannot use the legal basis of the contract for the purpose of customising advertising and behavioural advertising services. Mark Zuckerberg’s company has responded to the decision by explaining its position in this post, which sets out why, in its opinion, the way user data is treated complies with the GDPR.

There are also instances where a fine has led to a technology company adapting, including through consultation with the Privacy Authorities: it was announced a few days ago that the Belgian data protection authority (Belgian DPA) has approved the action plan proposed by IAB Europe, which provides for the updating of the policies and procedures of the Transparency & Consent Framework (more details).

Privacy-related changes by large technological platforms, known as Gatekeepers, will be increasingly frequent. The European Commission has been working on the Digital Markets Act since March 2022. This legislation aims to shake up the current Big Tech scenario, to ensure greater fairness and security for users and the companies that use their tools.


Some companies are trying to ride out the wave of privacy penalties and lack of information by developing new technology solutions that allow proprietary data to be used. One such case is Shopify, which earned a mention in the Financial Times. The Canadian eCommerce platform, in fact, wants to aggregate the numerous data of its users and provide businesses with relevant audiences that can be exploited on third-party advertising tools, such as Meta. The Shopify Audiences solution – currently under development – is inspired by Amazon’s existing model, but it’s not yet clear if it can be leveraged at the European level.

Meanwhile, Google continues its gradual transition to privacy-by-design solutions. Google Analytics 4 is increasingly structured and ready for the transition that will begin in summer 2023. The deadline for the removal of third-party cookies by Chrome, on the other hand, has been postponed to Q3 2024. This decision is mainly due to the new tech solutions proposed in the Google Privacy Sandbox, which are still largely under review (including by the Authorities). Some of the proposals, in fact, have not overcome the barrier of European privacy regulators (e.g. FLoC), causing numerous delays and reworkings. The personalisation of ads is the most critical point of this transition to a cookieless web, so Google is trying to ensure market success for its proposals by seeking the best compromise between user privacy and advertising performance.

Among the others being tested is Google Pair (Publisher Advertiser Identity Reconciliation), a new identifier that aims to reconcile first-party data while respecting user privacy.

What to watch out for in 2023

Considering the changes that took place last year and the current state of digital marketing, we think that 2023 will shift the focus more and more towards the technical side. It will probably be a year dedicated to the study and testing of new technologies and that is why close ties between the worlds of advertising and IT will be vital.

The gap left by the data collected up until now will be filled using machine learning algorithms, which however must be well configured if they are to be helpful and provide correct answers.

The first-party data that we manage to collect will be valuable, so we want to give you some advice on how to make the most of it:

  • Provide GA4 training for all personnel who use Google Analytics data, if possible adapting the courses for the different categories. Then take advantage of the transition to GA4 to revise the data collection strategy, optimising it for the new structure.
  • Consider using a data and compliance monitoring tool, to ensure its correctness at all times. One such tool is Data Kojak, a product of Webranking know-how.
  • Unify data from different sources into a Customer Data Platform in order to leverage it in audience creation and much more.
  • Invest in UX, UI and customisation of site and app content to improve and consolidate the relationship with customers and increase trust levels.


This article was written by Daniela Pedroni, Digital Analytics Tech Team Manager.

