What Is Cohort-based Marketing? Is It GDPR Compliant?

January 14, 2022 - Ensighten

By now, the "cookie apocalypse" isn't new news. But it doesn't mean marketers have a clear solution to navigate the changes.

Google's plan to phase out third-party cookies will change audience targeting in online advertising as we know it. The marketing and advertising world has to grapple with the impact. New technologies have emerged to replace third-party cookies, and one of them is cohort marketing.

Cohort-based marketing solutions, such as Google's Privacy Sandbox and Federated Learning of Cohorts (FLoC), aim to reproduce the current capabilities of third-party cookies in the context of targeted advertising while protecting consumers' privacy more effectively.

Let's look at what cohort-based marketing is, whether it's a viable alternative to third-party cookies and GDPR-compliant, and what you can do to navigate the new online marketing landscape.

What Is Cohort-based Marketing?

A cohort refers to a group of individuals with similar interests, affinities, online behaviors, personas, and other characteristics. 

Unlike third-party cookies, which track specific individuals and their online activities, cohort-based marketing targets anonymized groups without using the individuals' personal information. 

Advertising platforms, such as Google, provide only aggregated results to advertisers without the ability to view individual data. They may also obfuscate operations, such as ad auctions, to keep the data anonymous.

FLoC's cohort assignment is performed within the Google Chrome browser, and the user's information is stored locally. It's different from third-party cookies, which can be applied to any website that loads an ad tech server’s code. 

FLoC uses an application programming interface (API) built into the Chrome browser to anonymize individual users' data. Then, Chrome groups users based on their browsing habits to determine shared interests, behaviors, and more. These individuals will share a unique and persistent cohort ID stored on their browsers. 

The browser then communicates the cohort ID via API to websites to inform ad targeting. Site owners and advertisers only receive information about cohorts but not individual users to preserve their privacy. 

Is Cohort-based Marketing a Viable Alternative to Third-party Cookies?

While cohort-based marketing and FLoC can replace some of the functions of third-party cookies, the verdict is still out on whether they are a viable replacement.

On one hand, Google says it's "extremely confident" of the technology's effectiveness. It claimed that advertisers can expect to see at least 95% of the conversions per dollar compared with cookie-based advertising. 

However, some industry experts question the claim's validity, as inefficiencies and waste are inherent in cohort-based advertising. Additionally, no browser vendor besides Chrome has plans to enable FLoC, which means it won't be able to cover almost 36% of internet users.

Most marketers won't rely on FLoC alone and will use different methods and technologies to support targeting and personalization. These include zero-, first-, and second-party data, micro-groupings, universal identifiers, single sign-on (SSO) tracking, fingerprinting, conversion measurement, and contextual targeting.

But cohort-based marketing using FLoC will provide a catch-all for consumers using the Chrome browser. Marketers can reach them at scale without the lengthy process and high cost of some other methods, such as collecting and analyzing zero- and first-party data.

Are Cohort-based Marketing and FLoC GDPR-compliant?

FLoC trials are delayed in Europe because the current FLoC tests aren’t GDPR compliant.

Even though FLoC and cohort-based marketing are less intrusive than third-party cookies, further evaluation is needed to ensure that the techniques uphold user privacy and data minimization requirements of various data privacy laws, including the GDPR.

There are also questions concerning whether a browser assigning users into a cohort is using personal data without consent, which is a privacy violation according to GDPR.

France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), considers the re-identification of users as a risk. Meanwhile, many organizations and privacy groups argue that FLoC will still reveal an individual's behavioral data, only in different ways.

How To Make Cohort-based Marketing GDPR-compliant

CNIL guidance states that "the development of alternative [sic] to third-party cookies must not be made at the expense of the Internet user’s right to protection of their personal data and privacy." 

As such, consent management is a must for staying GDPR-compliant—even if you're not using individual targeting.

GDPR protects private communications and data and access to terminal equipment, such as smartphones and computers. Since FLoC relies on accessing these endpoints to read the information stored there (i.e., the cohort-based identifier), user consent is required. The permission must be solicited in compliance with GDPR by allowing users to accept or reject such tracking.
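The consent requirement above can be enforced in page code by placing a gate in front of the cohort read. The sketch below is an added example, not code from Ensighten or Google: it assumes the FLoC origin-trial call `document.interestCohort()` (the article does not name the API), and the consent record shape, the `cohort_advertising` purpose key, and the fake document are hypothetical and constructed for illustration.

```javascript
// Added example. Assumptions: document.interestCohort() is the FLoC
// origin-trial call (not named in the article); the consent record shape and
// the purpose key are hypothetical.
const COHORT_PURPOSE = "cohort_advertising";

// Decide whether the cohort ID may be read at all, without touching it.
function cohortReadDecision(consent, doc) {
  if (!consent || !consent.purposes) return "no-consent-record";
  // Only an explicit true counts; a missing choice is not consent.
  if (consent.purposes[COHORT_PURPOSE] !== true) return "rejected-or-unset";
  if (!doc || typeof doc.interestCohort !== "function") return "unsupported";
  return "allowed";
}

// Read the cohort only after the gate passes; otherwise the API is never called.
async function readCohortIfConsented(consent, doc) {
  const decision = cohortReadDecision(consent, doc);
  if (decision !== "allowed") return { decision, cohort: null };
  try {
    const { id, version } = await doc.interestCohort();
    return { decision, cohort: { id, version } };
  } catch (err) {
    // Treat any failure of the call as "no cohort" rather than retrying.
    return { decision: "read-failed", cohort: null };
  }
}

// Constructed stand-in for a browser document so the example runs offline.
function makeFakeDocument(calls) {
  return {
    interestCohort() {
      calls.push("interestCohort");
      return Promise.resolve({ id: "12345", version: "constructed-version" });
    },
  };
}

async function demo() {
  const calls = [];
  const fakeDoc = makeFakeDocument(calls);
  const rejected = await readCohortIfConsented({ purposes: { [COHORT_PURPOSE]: false } }, fakeDoc);
  const accepted = await readCohortIfConsented({ purposes: { [COHORT_PURPOSE]: true } }, fakeDoc);
  return { rejected, accepted, apiCalls: calls.length };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

The gate treats an unset choice the same as a rejection, so the identifier stored on the device is only accessed after an explicit accept.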

Whether you use cohort-based marketing or other third-party cookie alternatives, consent management is the key to ensuring GDPR compliance. Learn more about our Consent Management Platform to see how we can help you deliver rich and relevant digital experiences in a regulated environment.





Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.
