Paul Hewett, CEO, In Marketing We Trust
The way data permissions work across the web is being streamlined by Google in a bid to simplify its systems.
However, this change is about to mean thousands of Australian businesses run afoul of our privacy laws and lose measurement and data collection capabilities. In Marketing We Trust‘s Paul Hewett explains what is happening, and what you can do about it.
Despite repeated attempts to kill them, cookies are still very much alive and kicking and for many businesses they’re the frontline of customer data collection.
But a technical change quietly being rolled out by Google means they’re about to become a real liability for many unsuspecting Aussie businesses. It’s the kind of thing that can often go unnoticed and unreported in trade media, not because it’s not important, but because on the surface it looks deeply technical and relatively minor.
But it is going to hit the trifecta of performance, measurement, and compliance all at once. Just what every marketer wants to hear… but there is still time (just) to get on the right side of the privacy police and stop your business from becoming pirates and copping a big fine on the way through.
So what is actually happening?
On 15 June, Google is removing one of the two privacy controls that govern how advertising data flows from Google Analytics (GA4) into Google Ads.
From that date, your cookie consent banner becomes the single setting that decides what Google Ads can collect from your site.
The change is small in mechanism, the consequences for performance and governance are not.
Today, two settings work together. One inside Google Analytics (Google Signals), one inside your cookie consent banner. Both have to allow data flow before Google Ads collects anything. Either being switched off blocks the flow.
From 15 June, only the cookie banner setting remains. Whatever your banner says is what Google does, with no fallback inside GA4.
Google has framed this as “simplification”. Partly fair. Two overlapping controls were genuinely confusing for advertisers and often contradicted each other. The problem is that the remaining control is the one most websites have implemented poorly, if at all. And this is where you are at risk unless you take action now.
Performance: signal continuity, quietly eroded
Smart Bidding, Performance Max, audience building for remarketing and retention all depend on signal continuity. If your banner is misconfigured (and most are, somewhere) the signal you feed Google Ads will degrade.
For e-commerce advertisers running PMax, the impact shows up in days.
For subscription businesses, it shows up later in retention and win-back campaigns where audience quality matters most. For lead-generation funnels, it sharpens an existing problem with thin conversion data.
Publishers and affiliates face the same dynamic from the inventory side.
None of this breaks campaigns outright. It quietly erodes the inputs they rely on, and most teams will attribute the drift to creative fatigue or seasonality before they look at consent.
Governance: liability sits with the advertiser, not Google
The OAIC position is clear, if your site collects something it shouldn’t you’re on the hook, not Google. Its November 2024 tracking pixel guidance set the bar. The Privacy and Other Legislation Amendment Act 2024 gave the OAIC direct infringement notice powers.
Tranche two of the Privacy Act reforms is expected this year and will tighten the position further: an expanded definition of personal information to include online identifiers, a “fair and reasonable” test for data handling, and stricter consent rules.
Australia is heading in the same direction as the EU on this. Slower timeline, same trajectory.
It applies everywhere, but Australia is particularly sensitive in this instance. If your banner is collecting data without valid consent, you are processing data without a lawful basis. The OAIC has both the powers and the recent guidance to act on that.
This is the bit most marketing teams underweight, because compliance has historically felt theoretical. Recent enforcement actions show this is no longer marketing theory, but regulatory reality.
What to actually do
Time for the good news, for most advertisers, the work to get ahead of this is relatively small. Three questions to ask the relevant person in your organisation:
• Does our cookie banner default to “granted” before the user has actively consented? If yes, you have a problem (and have probably had one for a while).
• Is our consent setup configured deliberately, with each consent signal mapped to the right behaviour, or has it been left at whatever the default was when it was installed?
• Does our privacy policy actually describe what’s happening, particularly post 15 June? If it doesn’t, the gap between what your site does and what you tell users you do is itself a compliance issue.
If you don’t know the answers, speak to your analytics team or partner. They will know whether the work is half a day or two weeks. Either way, four weeks is enough time to find out and act.
The change itself is a reasonable product of hygiene. The risk it creates is real but manageable. What worries me is how many marketing teams I speak to that don’t know which questions to ask, or which person to ask them to.
That’s the actual gap to close before 15 June, and while it is relatively small, I fear we’re going to see a lot of brands being pulled up on it in the second half of this year.
Feature image- CEO, In Marketing We Trust: supplied.