Skip to main content

Stop Tracking Customers and Start Earning Their Trust by Using Clear Consent and Global Privacy Control

September 23, 2025

Stop Tracking Customers and Start Earning Their Trust by Using Clear Consent and Global Privacy Control
Summer Swigart

Posted by

Summer Swigart

In January 2020, Google said Chrome would phase out third-party cookies within two years. The industry braced for impact. Marketers expected remarketing to shrink, frequency capping to wobble, and multi-touch attribution to lose its ability to show user journeys. Ideas to replace cookies arrived fast: FLoC cohorts, then the Topics API for interest-based ads, alongside a broader “Privacy Sandbox” toolbox and a push toward first-party data, server-side tagging, and clean rooms. 

That future did not land as predicted. In July 2024, Google said it would keep third-party cookies available in Chrome and pivot to a user-choice model while continuing Privacy Sandbox work. In April 2025, it went further and opted against a new standalone cookie prompt, reinforcing that third-party cookies would remain a Chrome setting rather than a forced removal. For teams on the ground, the practical outcome is simple: cookies persist in Chrome, but the environment is fragmented and still changing. 

Two other shifts explain why your remarketing may feel “off” right now.

First, Google’s Consent Mode v2 moved from guidance to enforcement. As of July 21, 2025, sites that do not send the required consent parameters are losing conversion tracking and remarketing audiences for EEA and UK users. Marketers reported sudden drops in conversions and audience size as enforcement went live. Even U.S.-focused teams saw ripple effects where global tagging or regional traffic was in play. If you have not upgraded, you are flying with missing instruments for those regions. 

Second, Safari continues to chip away at click-ID attribution. Apple’s Link Tracking Protection strips known tracking parameters like gclid and fbclid in Private Browsing, Mail, and Messages, and recent releases make broader protections easier to enable. When those IDs disappear, your bid models and path reports wobble. If your vendor claims the ability to deliver “full recovery” proceed with caution, and test in your stack with each Safari update. 

Regulators also added new pressure. On September 9, 2025, California, Colorado, and Connecticut launched a joint enforcement sweep to check whether businesses honor the Global Privacy Control (GPC) signal. If your site ignores GPC, regulators will not see it as a UX choice. They will see noncompliance that affects audience building and personalization rules. 

Put it together and the pattern is clear. Your lists shrink when consent is unclear. Your dashboards drift when tools disagree about user choices. Your attribution blurs when click IDs drop. Chasing hacks buys a week. Building trust into the stack keeps launches on schedule.

When remarketing crosses the line from helpful reminder to unwanted shadow, people feel watched, not served. The cues are familiar: the same ad following them across unrelated sites, promotions that reference something they only typed once, or a device hand-off that makes a private moment feel public. Most users don’t think about tag logic — they feel the experience. If something feels out of place or creepy, it will cost your brand the trust it needs for conversions. That’s why consent that’s clear, choices that actually stick (including GPC), and simple controls like “Why you’re seeing this” with an easy opt-out beat any targeting hack. Respect isn’t just ethical; it’s a performance feature.

Why trust is beating tracking

Trust converts. When consent is short and specific, more people say yes to your data request. When your stack honors choices automatically, you stop re-running campaigns to fix edge cases. When Legal, Marketing, and Dev share one consent truth, approvals move faster and dashboards stop disagreeing.

Trust also outlasts platform swings. Chrome can pause a deprecation. Apple can tighten link tracking. Google can enforce new tag rules. Clean consent and cohesive IDs keep your remarketing steady across all of it.

Good consent is not a design flourish

Start with your copy. Two short sentences in plain language beat a wall of text. Name the actual purposes you use: analytics, personalization, and ads. Avoid bundling everything into one vague “improve your experience.” Tell people they can change their choice at any time and show where that happens. A banner that respects a user’s time earns more approvals than a banner that tries to push them.

Make the experience resilient. The page should work if someone refuses non-essential cookies. That “no” is not a failure. It is a signal you use to adjust behavior. Your scripts and pixels need to match the promise you just made. If the banner says analytics will wait for consent, then analytics must wait. If a user opts out of targeted ads, do not sneak a retargeting tag into a separate template or fire it through a fallback. That mismatch is where trust, and then performance, starts to leak.

Carry consent end to end. The consent state you capture at the banner must flow into your form handler, your tag manager, your customer data platform, and the platforms that build audiences. If the state only lives in one tool, you will get reports that disagree. The fastest way to lose executive confidence is a dashboard that does not match what customers actually chose.

Test the journey like a person. Load a page with scripts blocked to confirm the site still works. Toggle consent on and off and watch the network calls. Save a one-minute screen capture and a log snippet. Share both with Legal and Support so they see what users see. That simple habit makes your next approval and your next help-desk answer much easier.

Wooden figurines circling a transparent globe, symbolizing global unity and the importance of honoring user privacy through Global Privacy Contro

GPC in plain English, and how to honor it

Global Privacy Control (GPC) is a user preference sent by a browser or extension that says “do not sell or share my data.” You can detect it as an HTTP request header Sec-GPC: 1 or as a JavaScript property navigator.globalPrivacyControl that returns true when the signal is active. If you see either, treat it as an opt-out. 

Why it matters. California established in enforcement that a user-enabled global privacy control is a valid opt-out. The 2022 Sephora case made that explicit. Colorado recognizes a universal opt-out mechanism in its own framework. The multistate sweep announced this September means investigators are checking for real, not just reading your policy page. 

How to implement this without drama: Detect GPC in two places. On the server, read the Sec-GPC header as early as possible. In the browser, check navigator.globalPrivacyControl. If present, treat it as an opt-out of sale or sharing and targeted ads, even if the person never clicks your banner. Log a small “proof of permission” record tied to the contact key: timestamp, signal seen, jurisdiction basis, purpose tags in scope, and the policy version you applied. That one row of data saves you hours later. The MDN references are clear if your team wants technical details. See my storyCPRA/CCPA Compliance That Speeds You Up,” for more tips. 

What Consent Mode v2 actually does

Consent Mode lets your site tell Google whether a person consented to storage for ads and analytics. With v2, Google introduced two additional consent signals (“ad_user_data” and “ad_personalization”) and began enforcing them for EEA and UK traffic. If you do not send the required signals, Google restricts conversion measurement and disables remarketing for those regions. You can still run banners from any compliant CMP. Consent Mode is not a banner. It is the plumbing that communicates choices to Google’s tags. Start with the official guides, then test your implementation in the regions you care about. 

Teams that missed the July 21, 2025, enforcement date reported sharp drops in conversions and shrinking remarketing lists until they fixed their setup. If that sounds like your account, confirm that your CMP is passing the v2 parameters and that your tag templates are updated. The quickest public summaries of the impact are consistent on this point.  

Make tools agree with a one-page data contract

A data contract sounds heavy. Keep it to one readable page. Name the fields you rely on, the allowed values, the system of record, and who approves changes. Start where money moves: a HubSpot form on your site that feeds analytics audiences and ad lists. Define the contact key you will carry, plus the consent fields that must travel with it: consent scope, purpose tags, GPC state, jurisdiction, and a keep-until date. Add one rule for conflicts. If two tools disagree, which one wins and why.

Even a simple contract does real work. Legal can point to one place when it approves copy or data flows. Marketing can see which fields gate a list. Engineering can see who owns a change. Your dashboards stop telling different stories. See my storyAre Your Tools Talking or Just Sitting Next to Each Other?,” for more details. 

Log proof of permission without friction

You do not need a second CRM. Just add a slim custom object in HubSpot or a small warehouse table keyed to your contact ID. Record the policy version, channel, timestamp, whether GPC was present, the purpose tag, and who made the change. Keep it short. Review once a month to prune fields you do not use. This gives Legal a quick answer, helps Marketing debug audiences, and helps Dev confirm behavior across releases.

Freshness labels and drift guardrails

A dashboard is only useful if people trust it. Add a small label that tells leaders how fresh the data is. “Updated eight minutes ago” for example, is a sentence people repeat with confidence. Add two guardrails to stop bad surprises. Show a match rate across tools so teams see when IDs drift. Show a consent coverage rate so everyone understands the shape of the audience they are interpreting. If the executive and operations dashboards diverge beyond a set threshold, raise a flag before the next board deck goes out.

Common pitfalls to skip

  • Collecting fields with no clear purpose tag. If you cannot say why you need it, do not collect it.
  • Treating GPC like a banner choice. If the signal is present, honor it as an opt-out of sale or sharing and targeted ads, and record that you did.  
  • Publishing a data contract and letting it rot. Assign a change owner and a review cadence.

Most “tracking problems” are really trust problems. Make consent short and specific. Honor GPC automatically. Carry one consent truth across your form, site, analytics, and ads. Label freshness and watch for drift so decisions stay grounded. That is how you keep remarketing steady when the ground shifts.

FAQ

Q: Do we still need to fix consent if Chrome kept cookies? 

A: Yes. Chrome’s decision did not address EU consent gating or Apple’s link tracking protections. The durable gains come from clear consent, automatic GPC handling, and cohesive IDs your tools agree on. 

Q: Why did our EU remarketing list vanish? 

A: Many teams saw drops after Google began enforcing Consent Mode v2 for EEA and UK users. Without the v2 signals, Google limits conversion measurement and disables remarketing in those regions. 

Q: What is the smallest viable GPC implementation?

A: Detect Sec-GPC: 1 on the server or navigator.globalPrivacyControl in the browser, treat either as an opt-out of sale or sharing and targeted ads, and log a small proof record tied to your contact key. Add a quiet on-page confirmation later if you like. 

Q: Does GPC matter outside California? 

A: Yes in practice. Colorado recognizes a universal opt-out mechanism, and a multistate sweep is already checking GPC compliance. If you treat it consistently, you avoid regional surprises and reduce approval time.