Navigate
Picture of Kevin Uys
Kevin Uys

Data Collection in a Compliance-First World

Why Compliance is Changing the Way We Collect Data.

Compliance: More Than Legalese

Compliance used to be the legal department’s problem. Something you sorted after the real work was done. An afterthought, filed away in the footer, written in dense language that no one ever actually reads.

Not anymore.

Today, data compliance is one of the most powerful forces shaping how businesses collect, track, and use data online. It’s become more than paperwork or policy, it’s a complete reframing of how digital marketing systems operate.

What’s changed is where the risk sits. It’s shifted from manifesting as a purely reputational or legal risk, where it’s now an operational risk. If your tracking strategy isn’t built around modern compliance standards, it doesn’t matter how good your ad creative is, how advanced your analytics stack is, or how much traffic you drive. You’re working with partial data, broken attribution, and shrinking audiences.

And this matters for everyone: business owners, marketers, developers, and analysts alike. Compliance is no longer just a legal checkbox; it’s a strategic, technical, and operational priority.

In this article, we’ll look at how compliance frameworks, particularly those concerned with personally identifiable information (PII), are quietly but fundamentally altering the marketing toolkit. We’ll get into the real-world impact on analytics tracking platforms like Google Analytics 4 (GA4) and Meta Pixel, and what this shift means for your business’s ability to understand, reach, and convert customers in a compliance-first world.

Compliance Has Rewritten the Rules, but Only Because the Old Ones Were Failing

For years, digital marketing was built on quiet, invisible data collection. Tracking scripts loaded by default. Ad platforms created detailed user profiles across sites. Analytics tools logged everything, including pages viewed, buttons clicked, sessions started, and more. All without asking for much (if anything) in return. Data was abundant, attribution was clean, and personalisation felt like magic.

It was frictionless. It was glorious. It worked.

But it also overreached.

As data collection scaled (often without transparency, limits, or consent) the trust gap grew. Users began to push back, and so did regulators. Over time, compliance stopped being an afterthought and became a technical and strategic force in its own right.

Why We’re Here: The Global Compliance Wave

Regulations like the GDPR (EU), CCPA (US), POPIA (RSA), and others emerged in response to a digital ecosystem that had stopped asking permission. These laws were course corrections, designed to put power back in the hands of users. At their core, they say: “your data is yours, and companies don’t get access to it by default.”

The GDPR, in particular, raised the bar. Since 2018, it’s required that businesses get clear, informed, opt-in consent before collecting any data that isn’t strictly essential.*

*(Non-essential cookies are those not strictly necessary for the website to function, but are used for purposes like analytics, advertising, personalisation, and integrating social media.)

Enforcement hasn’t been purely symbolic. Meta, Google, and others have already faced billions in fines.

Even if you’re not in the EU, you’re still feeling the ripple effects. Why? Because the tools we use every day (think Google Analytics, Meta Ads, LinkedIn tracking, and HubSpot, to name a few) are built with GDPR compliance in mind. If you’re a South African business using global platforms or marketing to international audiences, those rules shape your reality, whether you realise it or not.

The New Reality

Compliance isn’t theoretical anymore. It’s something that touches every layer of your digital stack, from the way tags fire in your Tag Manager to how accurately your campaigns are attributed in Meta Ads.

It limits the data you can collect. It alters how you track performance. It changes what you know about your audience. If your data infrastructure hasn’t evolved to meet these standards, you’re at legal risk.

Now that we know what the issue is, the next step is figuring out what it takes to solve it.

How Compliance Has Changed the Way We Track Users Online

To understand how much compliance has reshaped data collection, it helps to look at the before and after.

Before Compliance: Easy, Invisible, Automatic

Back in the early 2010s, digital tracking happened quietly in the background. Marketing platforms, analytics tools, and ad networks could set cookies, log user behaviour, and build cross-site profiles without asking anyone’s permission.

Tools like Google Analytics, Facebook Pixel, and LinkedIn’s Insight Tag made it effortless. Page views, clicks, conversions, return visits: everything was captured the moment you added the script to your site. Attribution was simple, data was plentiful, and remarketing audiences almost built themselves.

All you needed to do was install the tag and you were done.

After Compliance Enforcement

Then came GDPR, CCPA, and similar privacy laws and the game changed completely.

Tracking stopped being automatic. Platforms now have to wait for a clear yes from the user before collecting any data. If someone ignores or rejects the consent banner, that data simply doesn’t get recorded.

That one change has broken a lot of long-standing assumptions for digital marketers and analysts:

  • Analytics platforms like GA4 can miss entire sessions if consent isn’t given.
  • Ad platforms can’t track conversions or build audiences without permission.
  • Attribution models lose accuracy when the first part of the user journey is missing.
  • Tag Managers need new setups to handle consent rules before triggering tags.

This results in drops in data volume, gaps in conversion tracking, and shrinking remarketing audiences. And the tricky part is that it doesn’t even show up as an error, you’re just left with missing or skewed data.

The era of “set it and forget it” is gone. Tracking now has to be designed carefully from the start so it’s consent-aware, legally compliant, and technically reliable.

How Consent Mechanisms Break Traditional Tracking

At the centre of most compliance frameworks is one simple idea: consent. On the surface, it looks like a basic user experience change: a cookie banner or a Consent Management Platform (CMP) popping up and asking visitors to accept or reject tracking. But what feels like a minor tweak has in reality completely upended the reliability of traditional tracking tools.

Why This Breaks the System

Here’s the problem: unless a user actively clicks “Accept,” most CMPs block tracking tags from firing. This includes analytics, ad pixels, session recordings, and personalisation tools.

This sets off a chain reaction of consequences:

  • Data loss: If a user doesn’t consent, their session is invisible to analytics platforms like Google Analytics. You lose insight into their behaviour, origin, and potential conversion.
  • Attribution gaps: When early-stage visits go untracked, later conversions look like “Direct” traffic, skewing attribution models and masking true performance.
  • Remarketing limitations: Ad platforms like Meta and Google Ads rely on pixel data to build audiences. Without consent, users aren’t added to remarketing pools, shrinking your targeting reach.
  • Inaccurate metrics: Bounce rate, session duration, and conversion rates all become less reliable when a portion of traffic is never recorded.
  • Delayed tag firing: Even when users eventually give consent, there’s a delay between page load and tag activation, which may result in missed events like button clicks or quick exits.

Consent Isn’t Binary

To make things even messier, consent often comes with layers. Someone might allow essential cookies but reject analytics or marketing cookies. That leaves you with inconsistent, incomplete data across users.

A few common scenarios:

  • A user accepts “Essential” cookies = GA4 is blocked.
  • A user accepts “Analytics” but not “Marketing” = GA4 works, but Meta Pixel doesn’t.
  • A user rejects all = no tracking, no data, no cookies.

What used to be straightforward is now fragmented, inconsistent, and hard to stitch together.

Implementation Errors Make It Worse

As if consent challenges weren’t enough, plenty of businesses trip themselves up with sloppy implementation. It happens when:

  • Tags fire before the user gives consent.
  • Tags fail to fire even after consent is granted.
  • Consent signals don’t reach the tag manager or analytics tools correctly.
  • Cookies are miscategorised, like calling analytics cookies “essential” when they aren’t.

All of this results in inconsistent and incomplete datasets and makes it harder to rely on your tracking stack for decision-making.

Technical Fallout: What Happens When Consent Isn’t Given

When a user says no to tracking, it doesn’t just mean you lose a bit of data. Entire parts of your digital analytics and advertising stack can stop working the way they’re supposed to.

1. Analytics Gaps and Broken Funnels

Without consent, platforms like Google Analytics (even GA4) can’t record user behaviour, not even anonymised page views in many cases.

This breaks:

  • Entry-point tracking (like GA4’s session_start event, for example)
  • Funnel reporting
  • Conversion rate analysis

Worse, if the user comes back later and finally opts in, their earlier visits stay disconnected. Journeys get fragmented. Conversions get misattributed. Chaos reigns.

2. Incomplete Attribution and Data Pollution

Attribution systems depend on continuity. Without it:

  • Attribution defaults to “Direct” or “Unassigned”.
  • Paid campaigns appear to underperform.
  • Organic and referral performance may be undervalued.

Paid media, organic social, and email campaigns usually take the hardest hit.

3. Shrinking Remarketing Pools and Audiences

No consent means no remarketing lists. Conversions go untracked. Lookalike and similar audiences get smaller and less effective over time.

4. Server-Side Tagging: Not a Silver Bullet

Server-side tagging can improve data reliability after consent is given, but it doesn’t replace consent. Ethical and legal best practice is clear: if a user says no, server-side tracking should stop too.

5. Predictive Modelling and AI Reporting Suffers

When user-level data is missing, so is the foundation for:

  • Accurate audience segmentation
  • Behavioural cohort analysis
  • Algorithm training for conversions

Many analytics tools now use modelling to fill the gaps, but that adds a layer of uncertainty you can’t fully control.

Platform Responses: How Big Tech Is Reacting

The big platforms haven’t sat still through all of this twiddling their thumbs. Each one has been racing to adapt to the compliance-first world in its own way.

Google

Google rolled out Consent Mode, which tweaks how tags behave based on the user’s choices. Then there’s GA4, which relies less on cookies, leans on event-based tracking, and uses modelling to patch over missing data. Server-side tagging adds more control and better performance, though it still fully respects consent rules.

Meta

Meta’s Aggregated Event Measurement (AEM) supports limited, prioritised event measurement under privacy constraints (consent requirements still apply based on law and your implementation), while Conversions API (CAPI) moves event tracking to the server side for better accuracy (only if consent allows it).

Others

Platforms like TikTok and Snapchat have followed suit, adding consent-aware tagging and server-side solutions of their own.

The trend across all of them is clear: fewer identifiable signals, heavier reliance on modelling, and a future where clean, consented data is the new gold standard.

Bringing People and Platforms Together: How to Approach Compliance Implementation

Getting compliance right isn’t just a legal box-tick or a developer’s problem. It’s a team effort that pulls together legal experts, marketers, developers, and analysts to make sure that data collection stays both compliant and useful.

It starts with the legal and compliance teams. They translate laws like POPIA and GDPR into practical steps that businesses can actually follow. Then the developers take over. They turn legal requirements into real-world setups: building consent mechanisms, configuring tag managers, and making sure tracking tags fire only when they should.

Marketers come in next. They adapt campaigns, audience targeting, and attribution models to work in a world where not all data makes it through. Smaller remarketing pools and gaps in attribution mean they need to work closely with developers and analysts to understand what’s happening behind-the-scenes.

Analysts then close the loop. With less data coming in, they recalibrate reporting, attribution logic, and performance metrics so that the insights stay accurate even when the datasets aren’t complete.

The complexity of all this depends on the platform. WordPress and Shopify often have off-the-shelf solutions for consent, while custom-built sites need far more technical input. Single-page applications bring another layer of challenge because they handle page loads differently, and that can break traditional cookie banners if they’re not set up properly.

Two things make or break compliance projects: solid implementation and real collaboration. A slick banner that doesn’t actually block scripts is useless, and a plan built in silos will fail before it ever gets out the door.

In more complex setups, bringing in people who understand both privacy law and analytics early on can save you a lot of pain later. Teams like ours already help businesses close that gap, making sure consent tools, tracking setups, and compliance rules actually work together instead of against each other. The goal is simple: keep your data clean, compliant, and worth trusting.

Platform Choice and Compliance Complexity

How hard it is to stay compliant depends a lot on how your site is built.

  • Content Management Systems (CMS): Platforms like WordPress and Shopify usually come with mature ecosystems and ready-made tools for consent management.
  • Custom Builds: These need more developer input to set up CMPs, consent-aware tracking, and proper data storage controls.
  • Single Page Applications (SPAs): These bring the most complexity. Because they handle page loads differently, you have to pay extra attention to when and how consent banners trigger tracking.

A simple rule of thumb: the more custom your site, the more technical expertise you’ll need for compliant data collection.

What About SA Though?

South Africa’s Protection of Personal Information Act (POPIA) shares many of the same principles: transparency, purpose limitation, and the right to control how personal data is used. But unlike GDPR, POPIA doesn’t prescribe exactly how businesses should handle cookie consent or tracking technologies.

This lack of specificity has created a false sense of security for many SA businesses, who still assume that they either don’t need a cookie banner, or that “just collecting analytics” doesn’t count. Or that POPIA doesn’t really apply if no one’s chasing them about it.

That assumption is risky. Not just because law enforcement could justifiably come a-knocking, but because you’re working with tools and systems that are already shaped by stricter rules. If your tracking setup doesn’t account for consent, you’re dealing with a ticking time bomb of non-compliance.

Becoming Data-Compliant in South Africa

For South African businesses, compliance comes down to three main stages:

1. Understand the Rules

POPIA is South Africa’s version of global laws like GDPR. It sets out core requirements: consent for data collection, transparency on how data is used, and clear rights for users to access or delete their information.

2. Implement the Right Systems

  • Consent Management: Set up a CMP to control when tags fire and to log user consent properly.
  • Policy Updates: Keep your privacy policy and cookie notices clear, easy to find, and up to date.
  • Platform Settings: Configure your tools to automatically respect user consent.

3. Monitor and Adapt

Compliance isn’t a once-off project. Audit your tags, policies, and CMP settings regularly, and stay on top of legal updates so your setup evolves with the rules.

Quick Role-Based Summary

If you’re a… Focus on… Immediate Actions
Business Owner Legal exposure, user trust Engage compliance/legal advisors
Digital Marketer Attribution, audience reach Work with devs to implement CMPs
Developer Technical compliance setup Configure tags, consent states, data flows
Data Analyst Data quality & modelling Adjust reporting for consent gaps

What You Can Do: Practical Next Steps

If you’re wondering where to start, here’s a clear path forward:

  1. Audit Your Current Tracking Setup:
    List every tag and platform in use. Check if anything is firing before consent (it shouldn’t be).
  2. Implement a Consent Management Platform (CMP) Properly
    Set it up so that your tags are categorised correctly and stay blocked until the user gives the go-ahead. Test it across domains to make sure nothing slips through.
  3. Configure Google Consent Mode and GA4
    Turn on cookieless pings for users who don’t give consent. Use GA4’s behavioural modelling to fill some of the gaps, but keep in mind it’s still modelling, not magic.
  4. Use Server-Side Tagging Responsibly
    Set it up for better data control and performance, but always respect the user’s choices. If they say no, tracking stops.
  5. Collect More First- and Zero-Party Data
    Offer preference centres, gated content, or loyalty perks so people want to share their data voluntarily.
  6. Educate and Align Internal Teams
    Make sure marketing, dev, analytics, and legal are on the same page. Compliance is a company-wide mindset.

Compliance vs Marketing Performance: Finding a Balance

Yes, compliance makes things harder. But businesses are already adapting by:

  • Focusing on first- and zero-party data
  • Improving consent banner design and timing to increase opt-in rates
  • Using smaller, high-quality datasets more effectively
  • Driving collaboration across legal, marketing, dev, and data teams

As it turns out, this new way of working not only ensures compliance but often results in more intentional, data-conscious strategies.

Conclusion: Embracing the Inevitable Shift

Compliance isn’t a temporary headache. It’s a permanent change in how digital data works, driven by a broader shift toward privacy, transparency, and user control.

Yes, it limits what you can track. Yes, it breaks some of the old ways of working. But it also forces us to build strategies that are more ethical, resilient, and future-proof.

As platforms evolve and privacy laws tighten, the businesses that win won’t be the ones fighting the change. They’ll be the ones designing for it from the start.

We spend a lot of time thinking about how data, compliance, and analytics come together to power better business decisions. Got questions about your tracking setup or data strategy? Let’s talk.