Did GDPR just kill Performance Marketing?

Matthias Reinholz

Preface: I am not a lawyer and am not allowed to offer legal consultation. This article simply reflects my personal opinion based on research. Please ask your lawyer if your implementation of tracking is GDPR compliant.

Are you also receiving those emails asking for re-permission to send newsletters to you? Did you meet one of those fancy new pop-ups asking if you are willing to be tracked once you visit a website? Have you already accepted all of those new privacy policies that everybody is rolling out these days? It seems like the General Data Protection Regulation (GDPR) [1] is making everybody freak out.

In this article, I want to take a look at the topic of tracking online marketing performance. As a performance marketer, you are used to leveraging tools like Google Analytics, Facebook Pixel, Adform, or many others to measure the performance of every single Euro spent. We implement software like Hotjar or Mixpanel to understand the user’s behavior and to optimize our offerings. Ideally, we strive to understand where exactly a user is coming from, what she is doing on our website, how she is stepping through our funnel, and what the conversion values of our landing pages are.

In the context of performance marketing, there have been a bunch of articles published around GDPR that are all drawing an alarming picture. There seems to be a commonly agreed upon interpretation of the EU’s new data privacy laws that we are not able to leverage tracking tools without the prior, explicit, and informed opt-in of a user.

What does this mean for performance marketing?

  • We are not allowed to implement tracking pixels which collect personal data without asking for opt-in of users
  • Users have to explicitly opt-in, simple browsing does not count as permission
  • If a user does not opt-in, we are not allowed to collect any data
  • If tracking only collects anonymous data this may be okay
  • If the anonymized tracked data can somehow – even if it is very hard – be matched back to personal data, we need permission

As a result, Google Analytics with anonymizing the IP may be okay while Facebook’s Pixel is a no go without implementing an opt-in method. But take care: if you are leveraging ecommerce tracking in Google Analytics and, e.g. parse order IDs, this may bypass the anonymization of data as you are able to match it back to personal data.

Are you serious?

Yes. Your tracking will be based on cookies or user ids, e.g. on the Facebook Pixel or Google Analytics. Does GDPR even mention those cookies? Are cookies really personal data? Yes. In recital 30 of GDPR, you can read the reason for this: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” [2]

So far you may have used a consent banner that informed users about the use of cookies. Is this not enough of an ugly interruption to the user flow? No. GDPR explicitly states in recital 32 that “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her […] This could include ticking a box […] or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.” [2]

The European Commission provides a cookie consent kit (login required) which may help you to build a proper opt-in banner. Furthermore, you have to explicitly get an informed and unambiguous opt-in to track data which is attributable to an individual user’s profile. You may implement a consent banner which asks for opt-in to tracking. But this will not be enough. The word “tracking” does not explain what you do with this data. This will not put the user in the position to make an informed and unambiguous decision. Therefore, it is necessary to explicitly explain what data you are collecting and what you are doing with it. Also take care, because recital 32 of GDPR is more specific still: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.” [2]

Also, recital 42 specifies what an informed decision is: “[…] For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. […]” [2]

Permission given for “tracking” or “data processing” or “cookies to make our service better” is worth nothing in this context. Also, you cannot hide behind those terms and refer to a longer explanation in your privacy policy, as you have to get the permission of a user in a way which does not unnecessarily interrupt your service. The only solution can be to implement a consent screen which simply explains what data you collect and what you do with it.
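A sketch of what recitals 32 and 42, as quoted above, ask of the code behind such a consent screen: one unticked box per purpose, the controller named, and no tag loaded until the user acts. This is an added example, not code from the article or from any consent tool; `ConsentGate`, the purpose ids and texts, and the controller name are hypothetical.

```javascript
// Added illustration: purpose-scoped, default-deny consent gate.
// Purpose ids and wording are constructed for this example.
const PURPOSES = {
  session_recording: "Record your clicks and scrolling on this site to find usability problems",
  ad_audiences: "Send your browsing data to an ad network to build advertising audiences",
};

class ConsentGate {
  constructor(controller, purposes) {
    this.controller = controller; // recital 42: the user must know who is asking
    this.purposes = purposes;
    this.grants = new Map();      // purpose -> { at, text } (what was agreed, and when)
    this.pending = new Map();     // purpose -> tag loaders waiting for consent
  }

  // What the banner renders: one box per purpose, never pre-ticked.
  prompt() {
    return Object.entries(this.purposes).map(([id, text]) => ({
      id, text, controller: this.controller, checked: false,
    }));
  }

  // Only an explicit user action on a known purpose counts as consent.
  // Defaults, timeouts and "kept browsing" arrive with userInitiated !== true.
  record(purpose, granted, { userInitiated } = {}) {
    if (!(purpose in this.purposes)) throw new Error(`unknown purpose: ${purpose}`);
    if (!granted) { this.grants.delete(purpose); return false; } // refusal or withdrawal
    if (userInitiated !== true) return false;
    this.grants.set(purpose, { at: new Date().toISOString(), text: this.purposes[purpose] });
    for (const load of this.pending.get(purpose) || []) load();
    this.pending.delete(purpose);
    return true;
  }

  allowed(purpose) { return this.grants.has(purpose); }

  // Register a tag loader: runs now if consent exists, otherwise waits.
  whenAllowed(purpose, load) {
    if (!(purpose in this.purposes)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.allowed(purpose)) { load(); return; }
    this.pending.set(purpose, [...(this.pending.get(purpose) || []), load]);
  }
}

// Constructed scenario: a pre-ticked box for ads, a real click for recording.
function demo() {
  const loaded = [];
  const gate = new ConsentGate("Example Shop GmbH (constructed)", PURPOSES);
  gate.whenAllowed("ad_audiences", () => loaded.push("ad-pixel"));
  gate.whenAllowed("session_recording", () => loaded.push("recorder"));
  gate.record("ad_audiences", true, { userInitiated: false });
  gate.record("session_recording", true, { userInitiated: true });
  return { loaded, ad: gate.allowed("ad_audiences"), rec: gate.allowed("session_recording") };
}
```

Withdrawing consent here only stops future loads; a tag that has already run has to be torn down by the page itself.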

Hold on for a moment and think about this.

Are they really asking to implement an ugly conversion-killing pop-up explaining the details of what data we are collecting and what we are doing with it? Can we now expect to see consent screens like these?

“We are recording a video of you while browsing on our website to better understand why you are not spending money with us.”

“We are collecting your browsing data and will send it to Facebook to better match it with your sociodemographic profile.”

“We are recognizing what parts of our website you are looking at in order to determine if we should send you more ads later.”

Maybe yes. There are already several websites which have introduced this kind of opt-in to tracking. But seriously: who would ever click “yes” on one of those? Previously, we have been collecting all this data without having to worry about users really understanding what is going on. Of course, we all know the conversations with our moms who are talking about those ads following them everywhere. But how many internet users actually understand what level of information they have been spreading across different sites?

At the same time, consent pop-ups, or any other way of getting a user’s informed permission to track them, do not work for performance marketing. They are conversion killers par excellence and even if users do not bounce off, they will not agree to share their data. As marketers, we live on conversion rate optimization across all disciplines. We A/B test our landing pages to maximize signup rates. We modify our ads’ biddings, creatives, and audiences to push their impact to a maximum. Over months and years, we have built successful accounts that are driving the revenues of our companies. Without tracking, this would not have been possible. If we cannot leverage user data anymore, the whole discipline of performance marketing will be in serious trouble.

So what now? You only have two options: either you implement an opt-in form, or you delete your beloved Facebook Pixel from your website. Can this be the best solution? Maybe not.

There is only one valid solution. We have to start thinking and find a workaround.

Just to be clear: I am not saying that we should try to find a way to bypass GDPR and to keep on collecting enormous amounts of data about people without informing them properly about this. Let’s face the truth: we have written down what we do in our privacy policies. But who would ever read them? And even more important, who would ever truly understand them? A lot of what we have been doing has only worked because most of the users we have been targeting simply did not get the full extent of what was going on. Now it is the time for ethical marketers to step up. We have to find ways to build our performance optimization systems without the use of sneaky data.

At the same time, we love data and the enormous impact of it on marketing, product management, and on building our digital companies. The whole idea of performance marketing is based on collecting data and leveraging it to improve the steps in our funnels. Therefore, we have to find a way to be ethical and smart at the same time.

Simplified, in performance marketing, we are running ads to reach our audience and bring them to our landing pages. There, we try to get them to take an action (conversion goal). On our landing page and during the conversion event, we are tracking the user’s behavior and certain other metrics around their profile (e.g., where they are located, what device they are using). With this data, we are able to optimize our campaigns and landing pages. We can build custom audiences based on user behavior and have a close look at our conversion rates. Over time, based on data, we optimize our campaigns until we achieve the best possible ROI.

Performance marketing exists by gathering data about user behavior. We investigate session durations, click-through rates, channel performance, and more. The goal is to understand where we have to spend our marketing budget to maximize our efficiency.

A big part of performance marketing consists of collecting data along the whole funnel. This data is being collected in the background and typically we try to avoid any interruption to the user flow as this kills our conversion rates. With GDPR, we cannot do this anymore. We have to ask the user for permission to collect her data. This questions all existing concepts and tactics of performance optimization in marketing.

It is not realistic to imagine a significant number of people clicking ‘yes’ on consent screens that ask to record videos of them browsing. The same goes for most of the other ways a performance marketer is processing data. Without a significant number of people sharing their data, we cannot work. If we can only build our logic upon the 5% who are giving permission, we lack insights. Therefore, we need solutions to master this challenge. We need to find ways to process data from a larger sample again.

Maybe an incentive to share data would be a good tactic? Well, maybe. I could imagine seeing some experiments with consent screens that promise early adopter access to SaaS offerings or even voucher codes for online shops. But careful, GDPR may not like this tactic. Read recital 42: “[…] Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. […]” [2]

What about simply requiring opt-in to tracking and locking out other users? Doubtful if this is legal. Have a look at recital 43 of GDPR: “[…] Consent is presumed not to be freely given if […] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.” [2]

This sounds frightening, doesn’t it? Let’s start to think outside the box. Those changes are a big chance to pursue new paths and to elevate the whole idea of performance marketing to another level. A level where we are working more precisely, more strategically, and, as a result, more efficiently. For this, we need to identify new sources of data.

Privacy proof data source #1: customer data

Let us compare this whole idea of user consent to the real world out there. Just imagine you go to a coffee shop every day. And you are ordering the exact same raspberry infused vanilla Frappuccino along with one of those delicious salted caramel brownies every single time. The waiter will know you after some time and will – of course – at some point start to ask you “same as usual?” If we apply what we know about GDPR so far, this would be illegal. The waiter would have to forget about your preferences or ask you for permission to be aware of them.

That is not realistic. And luckily, that is not what GDPR wants. It even explicitly says that this will not be the case. In recital 47, we read about a legitimate reason to collect data without asking for permission before: “The legitimate interests of a controller […] may provide a legal basis for processing […] Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. […] The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” [2]

Reading this, we can conclude that we have already identified the first way to track user data. We have found our first workaround to get user data without implementing a conversion-killing element: leverage customer data! Once a user converts and becomes a customer, we are allowed to collect certain data. And we are even explicitly allowed to use this data for direct marketing. There does not have to be a consent screen or any other permission. For completeness, I want to mention that this does not allow us to start tracking irrelevant data from customers. We still have to follow certain preconditions and have valid reasons to collect the data we track.

In other words: be sure to have proper conversion tracking implemented and configure your Google Tag Manager conversion tags precisely! Go through the various conversion goals you have and work out whether they establish a business relation with your user. Will a user be your customer once the conversion happens? If the answer is yes, keep on firing those tags!

Implementing conversion tracking will at least enable you to leverage all those beautiful machine learning powered optimization features of major ad platforms. Without them, we would still spread our campaigns across millions of irrelevant impressions. Take GDPR as a chance to re-check your CTRs. If you are still running campaigns with insanely low relevance it may be time to revise them. Yes, there is branding, and yes, there are awareness campaigns. Still, this is not a reason to waste your budget. If people do not want to purchase your product, they will for sure not do it because you send them spam.

Privacy proof data source #2: anonymized data

We have found evidence in GDPR that we are still able to use conversion tracking. But what about all those visitors? We need to understand their behavior on our website for product management and for marketing. Do we now have to implement a consent screen to even ask for permission to use Google Analytics?

The answer is maybe not. Just read what GDPR says about this in recital 26: “[…] The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. […]” [2]

Luckily, Google Analytics already brings a built-in feature which enables the anonymization of collected data [3]. If you implement the anonymize IP feature, you are able to use Google Analytics without asking for permission of your users.
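To make the earlier order-ID caveat concrete, the added example below (not code from the article or from Google) masks addresses the way Google documents for this feature, zeroing the last IPv4 octet or the last 80 bits of an IPv6 address, and then checks whether a stored hit can still be tied to a person through another field. The hit layout, the `transactionId` field name and the sample data are assumptions constructed for the illustration.

```javascript
// Added illustration: IP masking alone does not anonymize a hit that
// still carries a join key such as an order ID.

// Expand an IPv6 address (with or without "::") into its 8 groups.
function expandIpv6(ip) {
  const [head, tail] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const groups = tail === undefined ? h : [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
  if (groups.length !== 8) throw new Error("not an IPv6 address: " + ip);
  return groups.map((g) => parseInt(g, 16).toString(16)); // normalise leading zeros
}

// Zero the last IPv4 octet, or keep only the first 48 bits of IPv6.
// IPv4-mapped IPv6 notation (::ffff:1.2.3.4) is not handled here.
function maskIp(ip) {
  if (ip.includes(":")) {
    return expandIpv6(ip).slice(0, 3).concat(Array(5).fill("0")).join(":");
  }
  const octets = ip.split(".");
  if (octets.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
}

function anonymize(hit) {
  return { ...hit, ip: maskIp(hit.ip) };
}

// Audit: which stored hits can be joined to a person via the shop's own
// order table? Any result means the data set is not anonymous.
function linkableHits(storedHits, orders) {
  return storedHits
    .filter((h) => orders.has(h.transactionId))
    .map((h) => ({ page: h.page, person: orders.get(h.transactionId) }));
}

// Mitigation used in this example: drop the join key before the hit is sent.
function stripJoinKeys(hit, keys = ["transactionId"]) {
  const copy = { ...hit };
  for (const k of keys) delete copy[k];
  return copy;
}

// Constructed sample data: the shop's order table and two analytics hits.
const orders = new Map([["ORD-1001", "alice@example.com"]]);
const hits = [
  { ip: "203.0.113.77", page: "/pricing" },
  { ip: "203.0.113.78", page: "/checkout/thanks", transactionId: "ORD-1001" },
];

function demo() {
  const masked = hits.map(anonymize);
  return {
    ips: masked.map((h) => h.ip),
    linkedBefore: linkableHits(masked, orders),
    linkedAfter: linkableHits(masked.map((h) => stripJoinKeys(h)), orders),
  };
}
```

Both sample hits end up with the same masked address, yet the checkout hit remains linkable until the order ID is removed.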

Privacy proof data source #3: ad network data

We have learned that we can track anonymized and customer data. Still, this does not bring back our good old funnels. We have sent awareness campaigns to attract an audience. Then we gave them content to learn about our value propositions and to make them trust our brands. Ultimately, we hit them with conversion optimized campaigns to make them buy. This whole concept of building funnels used to be based on visitor audiences. Those have been built based on and stored in cookies or using some unique identifier. As an example, in the case of Facebook Ads, those have been stored as custom audiences based on Facebook profile ids.

According to GDPR, there is no way to build those custom audiences without previously asking users for their permission. The reason is, the information we are sending over to ad networks is always personal and may be mapped with individual profiles. If your ad network does not provide an explicit anonymization feature (which most of them do not do), you cannot use their pixels anymore without user permission.

As users will mostly not agree to share their data with ad networks, GDPR may be the end of remarketing as we know it.

One solution to this dilemma may be a fundamental change in the way ad networks are building their audiences. Instead of building remarketing audiences based on website visits, we could target users based on data points they are generating in environments they have already given tracking permission in.

Privacy Proof Facebook Funnels in Spotlight

Facebook leads the pack of ad networks by offering privacy compliant options for custom audiences. Knowing that the data Facebook Pixel gathers from May 25th 2018 on will not be comparable in relevance to what it has been before, you can build your custom audiences on Facebook Ads based on other data sources.

In the audience manager, create a new audience and select “Engagement.” Here, you will find several options that enable you to build effective remarketing audiences. A magical option is to select your Facebook Page as source. Instead of targeting your website visitors, you can simply target people who have clicked your ads! Of course, you will miss some of those who have been coming through other sources to your website. Still, you will hit everybody who enters your funnel through this door. Additionally, Facebook lets you target people over the past 365 days, compared to only the 180 days you got with website visitor targeting.

The good news is that once you build your consideration and conversion campaigns with this targeting, you do not even need Facebook Pixel on your website anymore! It is enough to fire it once a conversion happens. Remember, at this stage, depending on the implementation, this may be used without asking users for their permission. Using this workaround, you get rid of all those privacy issues and do not need a user permission step in your funnel.

As GDPR rolls out and we are all modifying our campaigns, let us hope other ad networks are adopting this kind of more sophisticated targeting quickly.

The future of smart performance marketing is bright.

The General Data Protection Regulation does change a lot for performance marketing. Nevertheless, it does not change everything. Data is everything for great performance marketing and building an ever-optimizing funnel is what we love to do. The new regulations put up some barriers and are directly impacting existing marketing tactics. They are preventing us from gathering data in the same way as before. Users have to be transparently informed about what data is being collected, why, and what is being done with it. Many traditional performance marketing tactics will not work anymore. We will see a bunch of improperly implemented pop-ups asking for our permission to track data. And we will see marketing teams fail due to a lack of creativity in implementing new methods to reach their audiences.

On the other hand, GDPR provides many chances for performance marketing. It finally forces everybody to clean up. There will not be an unbalanced mass-collection of irrelevant data anymore. People will start to think twice about what data they need and what they will do with it. At the same time, new targeting options are coming up and are offering us adequate ways to create effective privacy compliant performance funnels.

The future of performance marketing is bright. It has always been the most data-driven discipline of marketing. Now, there are new rules in the game. Those rules seem to be ‘only’ applicable for the European Union but will soon spread across the globe. Major ad networks cannot afford not to build targeting options that allow interruption-free funnels. Those targeting options will redefine the way we control our campaigns. There are powerful tools out there and even the most experienced marketer has to learn to handle this new situation. Everybody has to go back to start. There has never been a better situation for smart performance marketers to stand out. Go and find your tactic. Develop your skills in building privacy compliant performance campaigns. Identify new ways to target effective audiences. This is a time of thousands of new campaign opportunities. This is your time.



    1. Data protection. European Commission – European Commission (2017). Available at: (Accessed: 17th May 2018)
    2. EUR-Lex – 32016R0679 – EUR-Lex. Available at: (Accessed: 17th May 2018)
    3. IP Anonymization in Analytics – Analytics Help. Available at: (Accessed: 18th May 2018)
