A

Cookie based marketing is on life support. In June of 2025, Google doubled down on its privacy sandbox timeline, pushing chrome towards a third party cookie shutdown by 2026. So what is this?

B

You cannot place a cookie before you get consent. You need to have consent if you're going to be tracking people. No means no. There will be monetary fines of is.

A

It $5, is it $5 million? Like what's.

B

It'll be six figures at least.

A

How do I protect myself, Ryan?

B

So it's gonna come down to what you have on the back end. You should have.

A

If your ad strategy still depends on cookies, Google and some regulatory agencies are about to cut the cord. In June of 2025, Google doubled down on its privacy sandbox timeline, pushing chrome towards a third party cookie shutdown by 2026. Meanwhile, some regulatory agencies are warning brands that shady cookie banners could trigger enforcement. In other words, consent isn't just a checkbox anymore. And if you're not auditing your tracking stack, your ad spend, your targeting, you could be at legal exposure. Today on Marketing on Trial, my co host and I are going to be unpacking the new rules for cookieless compliance and how to rebuild trust and tracking in a privacy first era. I'm Emma Rainville, your co host and I'm here with Ryan Potee. And let's dive in.

B

Let's do it.

A

I'm excited for this.

B

Me too.

A

So no means no.

B

No means no. We had an interesting conversation before this about what consent actually means.

A

Yep. Huh. We're gonna go through all sorts of stuff, but let's start with the basics. So what is this?

B

So it's if you are going to be tracking people on the Internet, which.

A

All of us are tracking people on.

B

The Internet, you need consent.

A

Okay. So we can't just stalk people anymore.

B

No. I mean the example that we used when we were talking offline about this was if you go to a mall and somebody put a little sticker on the back of you and you went from store to store to store so that that little tracking device could then send you ads. You know that's kind of intrusive, right? I mean, you wouldn't let somebody just walk up to you and put that on you and then able to send you a bunch of stuff. You seem to be, you know, the rare exception.

A

Were you like this? I absolutely 100% know that I am not the audience, but yes, I absolutely love it. My favorite thing about Saks Fifth Avenue and their credit card is that they track me on in multiple Stores what I purchase and they only show me what I buy. And I, I enjoy that. It saves me time. I am not everybody. I know that there are people who are like very upset with being tracked and you know, Alexa's listening to them all the time and yeah, constantly.

B

So I mean the digital, the digital marketplace is no different. The digital mall is no different. You need to have consent if you're going to be tracking people. So what does that actually look like? It is a cookie banner. The takeaway from all of this is you need to be consistent, concise about what you're doing and why you're putting this pop up banner in front of them and then having a button or two that gets consent to either tracking or not tracking.

A

Let's talk about those buttons and what they need to say. Best case scenario is allow cookies, don't allow deny cookies. But a lot of us have variants of that. And what you were saying earlier was if, except all cookies is one click, then everything should run exactly like that. So to deny should be one click. But a lot of us have customized. So walk me through what you said was okay, right.

B

So under California law and the California privacy regulator issued some guidance on this and we'll link it in the show notes. You need to have symmetry of choice. And what that actually means is you can't make opting out of giving consent to your data more difficult than it is to give it. And so the examples that they use in this guidance is, you know, one click for yes or one click to give your data, one click to opt out of giving your data. That is what symmetry of choice looks like. Some of the examples in the guidance document say, you know, yes to all, no to all, or accept all, or no to all. What you were talking about is how can you customize or can you give an option to customize in lieu of and opt out. Black letter law says no. But I think it would be defensible to have either a yes or all or no and modify having some sort of button that says I don't want to give you all of my data. But, but there are legitimate reasons to have certain cookies. You know, cookies help websites to function, they load faster. I mean they just, you need cookies for the websites to really work. And so being able to give the consumer the option to use the only necessary cookies as opposed to all the cookies. Exactly.

A

Opting into.

B

All right, I wouldn't say it's necessarily compliant, but I think defensible perhaps depending on the language.

A

Okay, now I want to move on to the design elements because the FTC and AGs, that's attorney generals statewide, are now giving regulations on the design. And so we had talked about, what do you do when The FTC has one set of guidelines and then 50 states have 50 different set of guidelines? How do I protect myself, Ryan?

B

So I think going to California still is the most stringent.

A

We generally say California. You look at what California is doing and if you abide by that, you're probably going to be okay. Because they're the most regulated, the most strict.

B

Totally. I mean, if you. You can't keep up with everything. If I had to pick two, I would look at what the FTC is saying and I would look at what California is saying. You know, FTC is going to be harping on dark patterns. What is a dark pattern really? It's, you know, say what you do and do what you say and those. That is privacy law in a nutshell. Say what you do and do what you say. The California privacy regulator came out and gave some guidance. You know, use straightforward language. Tell consumers what you're doing. Don't insert a whole bunch of technical jargon that no one understands. Just say why you're asking, why you're asking for consent and what consent means to consumers.

A

Okay, now I'm gonna ask you a hard question that I didn't ask you before. Cause I was gonna try and stump you on every podcast. So what's up? We interrupt this podcast to remind you to like and subscribe so that you can always be in the know of when Ryan and I drop a new episode of Marketing on Trial. Also, sign up at www.specialopspodcast.com for our visionary vault and get all of our freebies. Just because I'm going to be funny for a minute if I ask you for tea and you go make me tea. And then by the time you bring me the tea, I don't want the tea anymore. You can't force me to drink the te. So. Oh, God. Now let's say I visit your page today and I accept all cookies because I'm in a mood where I want to hurry up and go through. That's generally what happens. By the way. Other times I might be sitting at home and I got a little bit more time and now I deny all cookies. Same person does both. How do we interact with that?

B

So it's going to come down to what you have on the back end. You should have some sort of consent tracking mechanism. OneTrust is a good company. We don't have no interest in OneTrust. But one trust is a good one.

A

Trust is a good.

B

One trust is a good one. There's a, there are a bunch of vendors out there that do a lot of this. Some of the. Actually one of our colleagues in Driven does as well. But you're going to need some sort of consent tracking mechanism and you're going to need this with any sort of comprehensive privacy program. Because if you're selling to California and you're triggering the thresholds for CCPA compliance, how are you honoring opt out requests, information requests, you know, deletion requests and all that? I mean, you're going to need some sort of tracking mechanism or some sort of database. So you guys should have this in place already. And they should have it in place already.

A

Okay, awesome. Okay, so I want to be completely compliant. What haven't I asked you that I should have? As far as the cookies go, what.

B

Happens after the banner or what the back end. Okay, right. You can't be placing a cookie before you get. Yeah, jeez. You cannot, you cannot place a cookie before you get consent. Right. And so what happens a lot of times is you will have a, a banner and immediately the cookies are being placed. Tracking, pick all of it. And so you need to be careful that you don't, you don't place the cookies until you get that consent.

A

Things are going to be changing and we're going to be. As the year progresses and as Google is preparing and gearing up to remove cookies, we'll be talking more on the technical side on special ops on what to do. And then you and I will be talking because I imagine things are going to change and escalate. But let's talk about what my consequences are. It's always important. I think a lot of people are just, you know, everybody else is doing it. I want to understand the consequences first. If I was the one to get caught, what happens?

B

I mean, there are going to be monetary fines, injunctive relief. I mean, it is an unfair and deceptive trade practice. And so the ftc, under their broad authority to regulate the economy for unfair and deceptive trade practice, can get an injunctive relief. And there's some various jurisdictional latches that it can get civil penalties. But right now it's mostly injunctive relief. And typically this will be paired with some other claim. I doubt that it's ever going to be just privacy related or cookie banner related. But the fines are going to start adding up. And under state law, you've seen some press releases.

A

I'm Way more concerned with attorney generals than the ftc. Actually, please don't come from the ftc. You're scary enough. But attorney generals have a lot of power.

B

They do.

A

And it only takes the secretary's aunt to be upset. I mean really, that's a real thing, someone's aunt to go to, someone that works with an attorney general for them to completely flip your life and your business upside down. So I'm way more concerned about that. What happens on that level.

B

I mean, there will be monetary fines of.

A

Is it $5, is it $5 million? Like what's.

B

It'll be six figures at least.

A

Six figures at least. So it's worth getting my whole gauge in that by the way, was how much is it going to cost me to be compliant and to have these backend regulators or these backend regulations and monitoring platforms versus how much could I end up spending if I were to get caught, caught not doing.

B

And it's only going to get worse. Not worse. I mean there's only going to be more focus on this as, as we continue, you know, with, with AI coming to the forefront. The way that we're using everything on the Internet. I mean it is. And also just this push to be more anonymous online. I mean you have all the vendors, you know, touting themselves, you know, use this browser because I don't want to be tracked or use the private relay on your. I, you know, consumers are very interested in privacy and there's no such thing as privacy.

A

But let's give the illusion of.

B

Well, exactly.

A

By not allowing marketers to track.

B

Well, and I think there's also a lot of class action risk.

A

Okay, that's more what I want to hear about why and how.

B

Because it is ultimately an unfair and deceptive trade practice. You're violating people's right to privacy. And then some of state statutes have kind of defined this even more and there are statutory penalties and that starts.

A

Racking up very, very quickly class action lawsuits. Just the attorney's fees alone cost far more than I think any regulator is going to find you, frankly.

B

It can.

A

Let's do just like a quick checklist of what people should do. And I think number one, first and foremost, audit all cookie banners and make sure that they're design compliant, both FTC and then your guidance, which I love California because they tend to be the most regulated. That doesn't mean you're going to be covered by the way, you should have an attorney look at it. That's a good start for auditing yourself. And then next prioritize first party data in funnels and checkout flows and for me, finally create internal policies. Like if you don't have an SOP that says not only do we need to put this on all funnels that we build from today forward, this is a huge one. This happens all the time. It needs to be put on funnels that have been running that are previous. People screw that up all the time. I've got a funnel that's been running for three years that this had nothing to do with when I built it. But I don't ever go back and make sure it's compliant. So anything to add?

B

Make sure you pay attention to the back end.

A

Of course, don't. Don't forget the back end. If your cookie banner tricks users, regulatory bodies are going to call that deception. If your ads depend on Chrome cookies, Google's going to call you obsolete. Cookie based marketing is on life support. Between Google's tech changes and the crackdowns from regulatory bodies, marketers must rethink tracking consent and compliance. Ryan and I built you a cookie list compliance toolkit that you can grab over in your Visionary vault. If you haven't signed up for Visionary Vault, go head over to www.specialopspodcast.com and sign up for free today. We never try and sell you anything and we have all kinds of free goodies in there. And again, go grab your cookie list compliance toolkit. Ryan, this was fun. It always is. Thank you.

B

Thanks.

A

I love getting free legal advice. You should have gotten a Ferrari by now, but somehow I tricked you into doing this instead.

B

I wouldn't trade it.

A

Thank you.

B

Thanks, Emma.