All Articles Marketing Digital Technology Dear CMO … 2023 privacy spotlights from a DPO

Dear CMO … 2023 privacy spotlights from a DPO

Data collection is vital in marketing – and AppsFlyer’s Chief Data Officer Emilie Kuijt details what every CMO should know.

5 min read

Digital TechnologyMarketing

Data collection is vital in marketing – and AppsFlyer’s Chief Data Officer Emilie Kuijt details what every CMO should know.

Tumisu / Pixabay

The job of a company’s data protection officer is to ensure that the company is compliant – no matter what. This includes ensuring compliant data collection and handling practices of staff and privacy relationships with customers and partners.

This premise can cause contention with the marketing department — specifically with the chief marketing officer — because data sharing is becoming increasingly limited, making ad campaign measurement and optimization more challenging than ever before. 

These challenges come from Apple, with its game-changing App Tracking Transparency (ATT) framework, Meta, with its decision to only send user-level data to Mobile Measurement Partners (MMPs) and not advertisers, and Google, with its plans to sunset third-party cookies and device advertising identifiers in 2024.

Region-specific regulations such as the CCPA/CPRA have only added to these challenges, leading companies to actively search for new ways to gain meaningful marketing insights in a privacy-compliant way. 

For some companies, these privacy restrictions have led to friction between the CMO and the DPO, but there doesn’t have to be. CMOs and DPOs can be on the same page. Here are the three areas CMOs should be focusing on in order to keep your business privacy compliant.

The cookies-less future and your website

Stay away from “dark patterns.” The privacy options you present on websites must always be designed to allow the individual consumer to make the appropriate choice for them, without leading them in any way. This means, among other things, so-called “symmetry in choice.” For example, on today’s obligatory cookie banner, you cannot make a large, inviting green “accept all” button, and a small hidden away with an extra link “reject” button. These options must be fairly presented. 

Be knowledgeable about the cookies present on your website. It is crucial to understand what’s on your website; it’s like your online address book. But the world is fast moving away from third-party cookies towards cookie elimination or “first-party only” cookies and it’s a paradigm shift. 

You need to ensure that you enable cookies upon consent where needed around the world, and that you aren’t blindly placing third-party cookies on our domains

On top of that, make sure you have a regular chat with your web development team to make sure they periodically check the cookies on the domain and also refresh the cookie banner after 12 months to recurring visitors. You need to accept that you are increasingly heading towards a reality in which you don’t have the level of granularity there was three years ago, but that you also don’t need that in order to be effective in marketing campaigns.

Ensure your events are privacy-focused

 We’re back to in-person events, and that means meeting people in real life, as well as maintaining webinars. Whether you’re creating an event, joining an event as a partner or merely attending, it’s crucial to realize that you are not always allowed to use the data collected at these events. Make sure you’re closely in touch with your legal counsel to organize the right data-sharing agreements with partners. Also, always ask your participants for their consent to share their data with any of your event partners. It may not be at the forefront of everyone’s mind, but as marketers, you are responsible for bringing in data the company is allowed to use.  

As marketers always ensure you engage in that proactive discussion with your partners and participants. It strengthens your compliance, your commitments and your brand. Being a privacy-forward company is the only way to success. 

Leads, prospects and retargeting

For marketers, data collection leads to sales, and that means an inherent desire to maintain all leads and prospects in your CRM systems “forever.” Be aware that you’re not always allowed to reach out to those considered “old” contacts.

In many regions of the world, in particular in Europe, about two years after someone becomes a lead by downloading gated content or reaching out for a demo, they need to be let go from your radar if there hasn’t been proper engagement. 

Data retention in marketing is a real thing and needs to be acted upon. In line with the above comments on cookie management, it would be wise to focus on leveraging that first-party data from here on out. Data retention has become a central focal point of several of the European Union data authorities in particular, so as a marketer it’s crucial to uphold that initial role as the entry point for data into your company and help your company avoid fines. 

And on that same note, make sure you have the systems in place to manage those opt-outs you will inevitably receive from your newsletter or other forms of engagement. It’s really bad form to continue to reach out to someone who so politely declined their interest in your product. If it’s too difficult or too costly to build a system in-house, take a look and perhaps engage with a service provider that can assist you in data deletion requests. 

If you’re doing business in California, the key 2023 takeaway would be to make sure you are updating your data collection (and website) to be in line with the CCPA/CPRA and their focus on “cross-context behavioral advertising.” These legal developments have created a shift in the advertising industry that’s important to marketers. Retargeting your ads to consumers has become a whole new process and requires adaptation of your relationship with your partners (“third parties”) and your customers. 


Dr. Emilie Kuijt is a legal specialist, with a PhD in International Law and Legal Studies, and currently works for AppsFlyer as its data protection officer (DPO). A strong interest in connecting business and policy work, Emilie has an extensive work history as an external DPO and privacy consultant to numerous SaaS and tech firms.

If you like this article, sign up for the SmartBrief on Social Business email newsletter for free.