Understanding Strategic Risk Assessments and Applying Them for Privacy-Centric Marketing

November 19, 2021
Privacy-Centric Marketing: Getting Started With a Strategic Risk Assessment

The amount of information, proposed solutions, and recommendations being thrown around in response to the “cookieless future” is overwhelming. Between new identity solutions in development by seemingly every ad tech vendor and delayed progress on in-browser solutions such as Chrome’s Privacy Sandbox, organizations are stuck with no clear view of where to invest to properly prepare. 

So how do you get unstuck and gain the clarity to develop a vision for privacy-centric marketing?

Transforming into a privacy-centric marketing organization is a journey. Before rushing into the journey, it’s important to survey the landscape and chart out safe and risky paths. The initial focus should be on planning and developing the Privacy-Centric Marketing Roadmap to execute over the next 18-24 months. To do this, you must start with a strategic risk assessment.

Strategic Risk Assessment

A strategic risk assessment is an audit of your organization’s current strategies, platforms, and processes to identify key areas of risk. This assessment will help to quantify the potential impacts on your business and to prioritize the activities needed to prepare for the privacy-focused future of marketing. A comprehensive review will include two main components:

  1. Impact Analysis
  2. Channel Analysis

With the insights from the assessment, you can then begin to outline strategies for remediation and the capability and architecture enhancements necessary to effectively mitigate risks to your marketing and analytics practices. These changes will map to tactical actions which will create your roadmap for privacy-centric marketing transformation.

Impact Analysis

The impact analysis is an assessment of your current state to quantify the risks to your business in light of coming regulatory and technical changes for privacy. It will include four separate areas of review:

1. Device Analysis

What It Is

A device analysis is an examination of the devices and operating systems used by your users. Here you will chart out the proportion of users interacting with your digital properties via web, app, iOS, Safari, Chrome, etc.

Why It’s Important

The technical restrictions imposed in light of changing user expectations for privacy vary significantly from browser to browser and device to device. For example, if the majority of your users are interacting with your brand via a native iOS application, the technical impacts to data collection and activation will be very different than if the majority of users are interacting with your digital properties via Chrome on the web. By understanding the devices, operating systems, and browsers via which your users access your content, you can effectively prioritize the actions necessary to mitigate risk for the largest share of traffic.

How to Conduct

For this analysis, you can use your web analytics platform and standard device/operating system reporting to pull out these metrics. Analyze all digital traffic over the most recent quarter to get a good understanding of the current state. 

2. Location Analysis

What It Is

A location analysis is an examination of the locations from which a majority of your users are accessing your digital properties. You will want to analyze first at the country-level (if you are a global organization) and then zoom in at the state level (for the United States). 

Why It’s Important

Regulatory requirements from privacy legislation are location-dependent. Users in Europe have certain rights afforded to them by the General Data Protection Regulation (GDPR). At the country level in Europe, the requirements for consent vary slightly due to country-specific guidance and laws to satisfy the ePrivacy Directive. Meanwhile, in the United States, with its patchwork of privacy laws, some states have privacy legislation in place (the California Consumer Privacy Act (CCPA)) with others set to go into effect in 2023 (Virginia and Colorado). All of these various laws have nuance for what data can be collected and the processing activities which users have a right to agree to. Only by understanding the proportion of users from each location can you properly strategize the architecture to put in place to satisfy both regulatory requirements and business goals.

How to Conduct

This analysis can be conducted using your web analytics platform and standard user location reporting. All main web analytics platforms will provide out-of-the-box user location analysis at least at the state/country level. Pull the metrics from the past quarter and chart out the proportion of users from each location to begin planning for regulatory requirements within each.

3. User Analysis

What It Is

A user analysis is an evaluation of the proportion of users that fall into the three primary buckets of identification: non-consenting users, consenting users, and named users. Non-consenting users are those who decline explicit consent or express their right to opt-out of certain processing activities. Consenting users are those who consent to personal data processing and/or cookie usage (depending upon the location and legislative requirements) but are not registered with you. Named users are those who have registered with you and are assigned a first-party persistent identifier (such as users who have signed up for your loyalty program and are assigned a unique user ID).

Why It’s Important

For each of the user identification cohorts there are limits to the data that can be collected and ways in which you can activate each audience. For example, the named user cohort can be leveraged for more advanced cross-device analysis and audience creation via Clean Room technologies, while non-consenting users cannot be used for audience creation, but anonymous interaction data may be able to be collected for aggregate analysis. By conducting this analysis, you are able to benchmark your current state and set goals for increasing your proportion of consenting and named users. This also allows you to prioritize the exploration of different targeting strategies based upon what is possible for your business.

How to Conduct

Before you can conduct this analysis, a measurement architecture needs to be in place to segment each of the user cohorts. This means that a “user state” parameter or dimension must be collected. For consenting and named users this is fairly straightforward; for non-consenting users this becomes a bit more difficult in Europe given the restrictions on cookie placement. There are methods to identify this proportion of non-consenting users, however, by using new technologies such as Consent Mode (with Google Analytics 4), as well as modeling this proportion by analyzing traffic trends pre- and post-implementation of a consent management platform with explicit consent.

Once you have the architecture in place to assign a “user state” to each user/interaction on digital properties, you can then segment users within web analytics to understand the proportion of users in each identification cohort. After you have conducted the user analysis, it is helpful to benchmark your current status against the broader industry. This is where it is helpful to work with a partner that has a view across a wide cross-section of the industry to understand where you stand relative to competition and help prioritize registration strategies.

4. Platform Analysis

What It Is

A platform analysis is an evaluation of the current marketing and advertising technologies in use to understand which are currently reliant on cookie-based functionality to provide their intended benefit. You will need to take inventory of all the platforms in use, how they use cookies, what cookie context is leveraged, how their cookies are set, and how each is technically interacting with other platforms on your site.

Why It’s Important

The technical ways in which each platform is operating will help you identify which platforms are most impacted by technical restrictions being imposed by browsers and operating systems. With this understanding you can begin to prioritize activities which will help you best leverage new privacy-safe functionalities being offered by the platforms you most rely on. For example, if your acquisition strategy is heavily reliant upon cookie-based audiences you will want to prioritize strategies such as driving user registrations to best take advantage of Clean Room functionality being introduced by platforms like Google Ads and Facebook. Only by identifying the platforms in use and how they work “under the hood” can you assess impact and explore necessary changes. 

How to Conduct

The most straightforward method to conduct a platform analysis is to use a tag auditing platform such as Tag Inspector. Scanning technology like this gives you visibility into all platforms that are loading, the cookies each is setting, the cookie context, and how each cookie is set. With this visibility you can then identify the platforms which present the most risk and prioritize activities accordingly.
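To make the prioritization step concrete, the following added example (not part of the original article and not Tag Inspector output) classifies a constructed cookie inventory by context and by how each cookie is set, then ranks platforms by exposure. The site domain, platform names, cookie names, and the three-tier risk scale are assumptions for illustration; a production audit would use a public-suffix list rather than the simple suffix match shown here.

```python
from collections import defaultdict

SITE_DOMAIN = "example.com"  # assumed registrable domain of the audited site

# Constructed scan records: (platform, cookie name, cookie domain, how it was set)
OBSERVATIONS = [
    ("Analytics A", "_aa_id", ".example.com", "javascript"),
    ("Analytics A", "_aa_sess", ".example.com", "javascript"),
    ("Ad Network B", "uid", ".adnetwork-b.test", "http_header"),
    ("Ad Network B", "_b_click", "www.example.com", "javascript"),
    ("Login Service", "session", "example.com", "http_header"),
    ("Chat Widget C", "c_visitor", ".chat-c.test", "javascript"),
]

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # assumed scale, not an industry standard

def cookie_context(cookie_domain, site_domain=SITE_DOMAIN):
    """First-party if the cookie domain is the site domain or one of its subdomains."""
    host = cookie_domain.lstrip(".").lower()
    site = site_domain.lower()
    # Match on a label boundary so "notexample.com" is not treated as first-party.
    if host == site or host.endswith("." + site):
        return "first-party"
    return "third-party"

def cookie_risk(context, set_via):
    """Third-party cookies face browser deprecation; script-set first-party
    cookies face duration restrictions; header-set first-party cookies are least exposed."""
    if context == "third-party":
        return "high"
    return "medium" if set_via == "javascript" else "low"

def platform_risk_report(observations, site_domain=SITE_DOMAIN):
    """Group cookies by platform and rank platforms by their most exposed cookie."""
    per_platform = defaultdict(lambda: {"risk": "low", "cookies": []})
    for platform, name, domain, set_via in observations:
        context = cookie_context(domain, site_domain)
        risk = cookie_risk(context, set_via)
        entry = per_platform[platform]
        entry["cookies"].append((name, context, set_via, risk))
        if RISK_ORDER[risk] > RISK_ORDER[entry["risk"]]:
            entry["risk"] = risk
    return sorted(per_platform.items(),
                  key=lambda kv: (-RISK_ORDER[kv[1]["risk"]], kv[0]))

if __name__ == "__main__":
    for platform, info in platform_risk_report(OBSERVATIONS):
        print(f"{platform}: {info['risk']}")
        for cookie in info["cookies"]:
            print("   ", *cookie)
```
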

Channel Analysis

The channel analysis is an assessment of the strategies used across each of your main marketing and advertising channels that drive your business. Here you will want to outline how you are executing across the three main stages of the activation process: audience creation, targeting/campaign execution, and measurement/optimization. For each stage (within each channel) you will need to outline how you go about executing each, the data necessary, how data is processed, and the platforms involved. Combining these insights with the impact analysis already conducted you can then evaluate the level of strategic risk exposure for each stage within each channel. This activity provides the clarity necessary to begin outlining risk remediation activities and develop the roadmap to make a privacy-centric vision a reality. Let’s dive a bit deeper into the three stages of activation and the questions that need to be asked of each.

1. Audience Creation

Ask yourself, how are we creating the audiences being targeted within this channel? Common examples would be creating audiences in your web analytics platform based upon user actions on your site which are pushed to advertising platforms for activation (cookie-based), relying on interest-based audiences developed by third-party partners, or analyzing the sources of traffic and targeting audiences via contextual clues. Each of these types of audience creation tactics carries a different level of risk and has its own risk remediation strategies.

2. Targeting / Campaign Execution

Ask yourself, how are we executing campaigns against our defined audiences? Examples here would be using direct buys with premium publishers based upon the acquisition sources of our high-value users, retargeting via programmatic technologies, or targeting similar audiences within social media platforms. An important consideration here is how data is moving amongst the different platforms leveraged in the process. There are technical limitations for many of these execution strategies but also regulatory requirements for how data is shared and processed. Outline the ways in which you are executing campaigns to then evaluate the level to which each will be impacted by privacy-focused changes. 

3. Measurement & Optimization

Ask yourself, how are we measuring campaign and channel effectiveness? Many traditional methods for attribution are cookie-based. Given the technical restrictions imposed on third-party cookies (deprecation in Chrome in 2023, already deprecated in Safari and Firefox) as well as first-party cookies (duration restrictions in Safari and Firefox depending upon how the cookie is set), many of these cookie-based methods are becoming antiquated. As the need to migrate to new measurement techniques (Clean Rooms with modeling, regression-based attribution, incrementality measurements, etc.) increases, so too do the organizational expectations and acceptance of the new reporting outputs. Only by assessing current methods and outlining what needs to change can you develop the plan for the cultural and architectural modifications necessary to support them.

Use the channel analysis to get all relevant stakeholders together and the strategies used on the table. With everything out in the open, you can begin to layer in the insights gleaned from the impact analysis to assign strategic risk exposure to each activation stage for each channel. This will help to gain an explicit understanding of what needs to change and what needs to be prioritized in the privacy-centric marketing maturity roadmap. 

And with that, you have your Strategic Risk Assessment completed! Now you can outline the steps to remediation and begin to break each down for the tactical innovation roadmap for the next 18-24 months to prepare for a future-proofed privacy-centric marketing strategy.

Feel overwhelmed? Let us help!

We partner with organizations across the globe to conduct Strategic Risk Assessments and help develop privacy-centric marketing roadmaps. Contact us to get started on your journey!


  • Lucas Long

    Lucas Long is co-author of the Amazon best-selling book, Crawl, Walk, Run: Becoming a Privacy-Centric Marketing Organization. He is also the Director of Privacy Strategy at InfoTrust, working with global organizations at the intersection of digital strategy, privacy regulations, and technical data collection architecture. Through these efforts, Lucas helps companies understand their limitations for data enablement due to privacy challenges and design optimal ways to accomplish core use cases in a compliant manner.

    When not discussing the intricacies of GDPR and cookie laws with clients, Lucas enjoys traveling and exploring new cultures, one bite at a time. Based in Barcelona, he is also a presenter, featured at industry events organized by Google, the Digital Analytics Association, the American Marketing Association, and the Journal of Applied Marketing Analytics.

Last Updated: January 11, 2024
