In the years since Google originally revealed its decision to delete third-party cookies from its Chrome browser, one recurring theme at conferences and in think pieces has been that publishers should invest in first party data.

More precisely, businesses should ensure that they are equipped to collect data about their viewers, preferably down to the individual level, and that the data is organized in a way that is beneficial to advertisers.

There is strong reason for this advise. Removing third-party cookies will, by definition, make it more difficult for third-party advertisers to target and measure digital adverts. As a result, first-party data will become more important, and ad dollars will most likely flow to those who can target and measure using first-party data. Furthermore, some (but not all) of the technologies gaining ground as cookie-free ad tools require publishers to have some first-party data in order to get the most out of them, with clean rooms being a prime example.

READ MORE: Are Publishers And Buyers Ready For the End of Third-Party Cookies?

This strong opinion may give the idea that any marketing solutions based on first-party data are immune to privacy concerns from regulators and tech corporations. This is not the case, and while publishers react to Google’s new cookie deadline, they are simultaneously fighting to keep their access to advertiser-friendly first-party data.

GDPR Goes into Action

For all the discussion about cookie death, it’s vital to understand that Chrome is just removing third-party cookies. First-party cookies, which publishers set themselves, can play an important role in tracking user behavior for advertising objectives, including targeting and measurement. Indeed, Google is developing capabilities within its Privacy Sandbox to allow publishers who control several properties to drop cookies over a restricted number of domains. While Google is leaving first-party cookies alone for the time being, they remain vulnerable to privacy regulations.

READ MORE: As Video And Display Revenues Decline, Publishers Consider Diversification

Talking about the impact of the EU’s General Data Protection Regulation (GDPR) little under six years after it went into effect seems weird. However, much of the threat to first-party data stems from these rules. Data protection authorities throughout the continent with the authority to enforce these rules have taken a gradual approach to enforcement, giving businesses time to comprehend and adapt to their new requirements. Now, however, a harsher approach is being taken.

The UK’s Information Commissioner’s Office (ICO) issued a warning to publishers at the end of last year to update their cookie consent systems, claiming that many were non-compliant with data protection regulations. Users must formally opt-in to have their data gathered and processed, with informed permission about how their data will be used, according to GDPR laws. And, for advertising cookies, users should be able to “reject all” as easily as they can “accept all.” This includes first-party cookies used by publishers for advertising, as well as third-party cookies.

READ MORE: Meta Pulls Back From Publishers As It Shutters Facebook News In The United States And Australia

The challenge for publishers is that following these guidelines to the letter has a considerable impact on consent rates. The easier it is for a consumer to decline all advertising cookies, the more likely they are to do so. While privacy advocates argue that making it easy for customers to reject data gathering is critical, publishers claim that as more consumers opt out of data collection, it becomes increasingly difficult to monetize their content. Publishers aren’t having it easy in the advertising market right now.

DMG Media, the media sales agency that handles sales for MailOnline, the i, and Metro among others, stated in a statement to Parliament earlier this year that MailOnline’s current opt-in rate is 93%. It claims that when rivals add the ‘Reject All’ option beside the ‘Consent All’ option on the first page of a consent mechanism, consent rates drop to roughly 50%. The corporation predicts that conforming to the ICO’s criteria will result in a 41% loss in monthly ad income.

Peter Wright, editor emeritus of DMG Media, told a parliamentary committee on the future of news that the ICO’s crackdown ultimately pushes publishers to give up their content for free. “No subscription, no advertising, you’ve just got to give it to them,” he stated. “Nobody would expect a store to follow those regulations. I don’t think anyone paused to consider whether this is proportionate. Okay, data privacy is desirable, but so is having a well-resourced news media.

Given the ICO’s enforcement drive, publishers are considering their alternatives. One approach is to employ ‘consent or pay’ models, in which consumers are offered the option of consenting to data collecting or paying for a subscription. This would rebalance the value exchange for publishers, alleviating Wright’s anxiety that they are practically forced to give out content for free (or, more precisely, below a sustainable price level).

READ MORE: Songwriters And Publishers To Receive Nearly $400 Million Payout After Streaming Royalty Ruling In The US

The concern is that it is still unclear whether this methodology is compliant with European privacy legislation. The European Data Protection Board, an EU agency tasked with ensuring the GDPR’s consistent application across Europe, released an opinion stating that permission obtained within these frameworks is usually invalid – however this opinion specifically related to huge online platforms. Meanwhile, the ICO is conducting a consultation on the subject. According to the data authorities, consent or pay models are theoretically viable but may jeopardize consent validity.

The IAB, an industry association, has been lobbying regulators in the UK and Europe to allow consent or pay arrangements. According to the trade organization, the alternative, which forces publishers to rely on contextual advertising (specifically, contextual advertising without cookie-powered targeting or measurement), is unsustainable. “It must be stressed that contextual advertising is not always a viable monetisation alternative,” IAB Europe stated in a statement. “Yet, no company should be forced to produce its products and services at a loss. Furthermore, such a mandate is not supported by the GDPR, which is not meant to interfere with enterprises’ chosen business strategies.

If authorities reject consent or pay models, publishers will be forced to discover a means to make fully cookie-free advertising viable. The Guardian has taken a proactive approach to this issue, developing Guardian Light, a suite of cookie-free advertising alternatives. “The Guardian have worked on mitigating this with our ad solution Guardian Light,” the publisher said in a statement. “As usual, we want to make sure that any changes benefit both our readers and advertising. Guardian Light accomplishes this by protecting our users’ privacy while allowing us to run effective campaigns on behalf of our sponsors.”

The Guardian regularly publishes a blog piece for readers that explains the trade-off between privacy and money. “The reality is that without the use of data to personalise advertising to readers, brands will spend less money on advertising with publishers like us,” said Katherine Le Ruez, director of digital at The Guardian. “Less money generated from advertising means that we need to ask readers to contribute to funding our journalism directly.”

Implications across the board

The Guardian Light does not simply function without first- and third-party cookies. The publisher claims it does not utilize any tracking or programmatic bidding tools, eliminating the possibility of personal data being stacked into or applied to ad purchases.

The ICO’s consent crackdown only applies to data gathered via cookies, but many publishers are accumulating first-party data by encouraging users to sign up and log in to digital properties. Consent for this data is obtained independently and is not currently under the ICO’s scrutiny.

However, all personal data collection and consent are governed by the GDPR and other privacy rules, and techniques that inflate opt-in percentages may face regulatory scrutiny in the future. If that’s the case, and if consent or pay models aren’t approved by authorities, publishers will have to rely even more heavily on entirely tracking free options like The Guardian Light – and hope that the ensuing ad revenues are enough to keep them going.