When the UK’s Data Use and Access Act reaches full enforcement in June this year, the long decline of third-party cookies will become a cultural reckoning for those still invested in the practice. For businesses operating this way, the message is clear: surveillance marketing is no longer commercially or legally sustainable.
Yet customers still expect personalisation and the relevant services that third-party cookies helped to enable. According to Kantar’s 2026 Marketing Trends report, while 76% of consumers are deeply concerned about brands harvesting data, 70% still want personalisation and relevance.
Businesses may need to find new ways to maintain personalisation without infringing on customer privacy. This has taken the form of privacy-first marketing.
What privacy-first marketing means in 2026
Privacy-first marketing goes beyond compliance with the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications Regulations 2003 (PECR) or other local data protection laws. It requires businesses to move from passive behavioural tracking to active, consent-based data exchange, with a clear understanding of what data is genuinely required to enable personalisation and related services. They must also provide transparent arrangements that customers can easily understand.
The UK Data Use and Access Act 2025 reframes automated decision-making and marketing consent, placing greater responsibility on organisations to ensure proper protections. Under guidance from the Information Commissioner’s Office (ICO), organisations must demonstrate necessity, proportionality and safeguards when deploying profiling technologies. The Act also introduces a “can, so long as” framework for certain automated processes, although marketers must be clear about why it was used, how total data collection was reduced and how it benefits the end user.
“Online advertising doesn’t have to come at the expense of privacy. We want to see the industry develop new models that put users in control while supporting publishers and platforms to thrive,” says Stephen Almond, executive director of regulatory risk at the ICO, indicating that privacy-first models are viable provided safeguards are clear and proportionate.
The costs can be significant for organisations that fail to meet privacy standards, with PECR marketing breaches carrying penalties of up to £17.5m, or 4%, of global turnover.
For organisations that can provide transparency and accountability in data collection, there is a notable commercial upside. According to the report by Kantar, up to 80% of consumers are willing to pay a premium for transparency, as much as 9.7% more than they otherwise would. Another study by Experian found users are more willing to share data when they understand the value exchange and retain control.
Zero-party data puts personalisation in the user’s hands
Using zero-party data gives companies accurate information directly from you, without sneaky tracking. Unlike first-party data, which captures observed behaviour such as clicks, URLs and purchases, zero-party data consists of information customers actively choose to share. This includes preferences, quiz responses and communication choices, enabling greater user control while potentially opening up a wider range of marketing tools.
Engaging users directly from the outset may feel unfamiliar for brands accustomed to operating behind the scenes, but it reflects a strategic shift towards optimising intent from the start and placing power in the customer’s hands.
In practice, this direct engagement can take many forms. In retail, interactive quizzes can help customers find what they want more quickly, while in fintech apps, goal selectors encourage repeat visits and ongoing engagement.
That said, incentives must be aligned carefully to maximise conversion; offering freebies in exchange for data rarely works in the long term for either party.
Context matters more than cookies
Contextual advertising, once seen as less precise than behavioural retargeting, is making a comeback thanks to artificial intelligence. AI can now analyse what a webpage is about and how it feels, allowing ads to match the content in real time instead of targeting users based on what they looked at earlier.
According to research by Matomo, a privacy-focused analytics provider, shows that brands using cookieless first-party analytics are better able to match their content with customer buying intent, while avoiding the compliance risks linked to cross-site tracking.
The performance of contextual advertising is improving through AI solutions. In industries like travel, retail, and finance, marketers see better engagement when ads match the content someone is viewing rather than their past browsing history. AI helps understand the context more deeply, avoiding mismatched placements, for example, showing a generic travel ad on a blog about solo travel.
For chief marketing officers, this method offers a way to improve engagement and click-through rates while respecting privacy, especially in today’s highly regulated, low-attention environment.
The pay-or-okay dilemma
Offering users the choice to provide data or pay a subscription comes with its own challenges. While the European Union has promoted this approach to reduce consent fatigue, it still relies on first-party tracking, which regulators are scrutinising more closely.
In 2026, brands may need more sophisticated strategies, such as tiered value exchanges, offering enhanced experiences for extra data, using contextual ads for a less intrusive approach, or providing opt-outs for full anonymity.
For organisations under pressure, this can be difficult, especially since GDPR cookie pop-ups show that most users just click the first button to move on. Brands need to design data collection methods that genuinely engage their audience rather than relying on passive consent.
The post-cookie marketing landscape
Moving away from cookies and behavioural marketing doesn’t mean giving up personalisation or customer experience. By using creative approaches, aligning incentives, and implementing strong governance, organisations can retain many benefits of previous systems, while being more transparent and gaining proper consent.
Research shows that transparency pays off: customers are more likely to trust brands and share information when they know how their data is used.
With the Data Use and Access Act coming fully into force, UK organisations should focus on identifying which data is essential and clearly communicating to customers how it creates real value and functionality.
When the UK’s Data Use and Access Act reaches full enforcement in June this year, the long decline of third-party cookies will become a cultural reckoning for those still invested in the practice. For businesses operating this way, the message is clear: surveillance marketing is no longer commercially or legally sustainable.
Yet customers still expect personalisation and the relevant services that third-party cookies helped to enable. According to Kantar’s 2026 Marketing Trends report, while 76% of consumers are deeply concerned about brands harvesting data, 70% still want personalisation and relevance.
Businesses may need to find new ways to maintain personalisation without infringing on customer privacy. This has taken the form of privacy-first marketing.
