Five years into GDPR: How EU companies balance compliance and effective marketing

Five years into GDPR: How EU companies balance compliance and effective marketing

A survey conducted on a group of 300 CEOs and marketing executives from across Europe

Key findings

GDPR is now five years old, and much has happened since the report we released last year. The saga of rulings against Google Analytics and Facebook, the acceleration of work on the new EU-US data transfer agreement, and the planned strengthening of GDPR enforcement by the European Commission are a few events that have influenced the perception of privacy compliance among European businesses. 

The results of our survey show a massive shift in how EU companies view GDPR and the obligations that come with it. Let’s dig into the details.

We turned to 300 marketing executives and decision-makers from the European Economic Area (EEA) and asked how GDPR impacts their everyday work. Their answers show that their understanding of and attention to the rules set out in the law are changing for the better.

According to our survey, more than 80% of EU companies find a balance between effective marketing and privacy compliance possible to achieve – almost 20% more than last year (63.2%). At the same time, more than 70% of study participants perceive the law as easy to understand. 

Companies are also taking privacy assessments of their tech more seriously – 33% run them regularly, while 36% do them once in a while.


of respondents believe that laws such as GDPR are important, compared to 75% last year.


are considering switching to European alternatives to big tech products.

The recent fuss around the use of Facebook and Google Analytics in Europe might have increased the popularity of European and EU-hosted marketing platforms. Many organizations (58%) already use marketing software with servers in the EU, while three-fourths are considering replacing their big tech tools with European alternatives. This is a significant increase compared to last year’s 50%.

All this indicates that businesses feel more comfortable complying with GDPR, keep abreast of current events, and are willing to adjust their strategies accordingly. In turn, considerable attention on European technology vendors can translate into great opportunities for local companies that previously didn’t stand a chance with less privacy-oriented tech giants.

GDPR has been viewed as “Europeans regulating themselves to death” by many. While it may have ended some business models, privacy and compliance is now being embraced by businesses.
With reluctance and hesitation mostly gone, companies are getting better at adhering to the rules. What’s more, they see many additional benefits, with better customer experience being one of them.
The picture is, of course, not perfect. Issues and challenges are still there. But it looks like five years in, business and privacy people have started to understand and support each other. Is it just a phase, or a lasting trend? I’m already looking forward to our next year’s research to find out.”

Piotr Korzeniowski, CEO at Piwik PRO

Business and privacy

This part of the report focuses on views on online privacy, the importance of privacy rights, and their impact on European companies. According to the survey’s results, despite the challenges of aligning with GDPR, European businesses believe that such regulations are needed. On top of that, more than 80% of respondents successfully balance compliance and effective marketing.

The vast majority of study participants, 90%, think companies must respect the online privacy of individuals. Only 3.4% of respondents take the opposite view.

Most respondents also view respecting the online privacy of individuals as both a moral and legal obligation (81%). Nearly 80% consider laws such as GDPR necessary – 4% more than in last year’s survey.

82.6% of marketers and business executives state that companies can adhere to privacy laws and effectively market their products and services. This is a significant change compared to last year, where only 63% of respondents agreed with this statement.

Companies must respect the online privacy of individuals.

“I’m glad to see that more and more organizations are declaring higher standards regarding privacy compliance. The ones still adjusting, with many new resources and guidelines in place, will be able to achieve the required level of privacy protection sooner rather than later.
With clarification in many key areas and the announcement of better GDPR enforcement, the European Union is starting a new phase of the privacy saga.
Organizations with higher privacy standards will enter this time better prepared. With the basic requirements fulfilled, they can focus on updates and optimizations, further increasing their competitive edge and start using privacy compliance as a unique selling point.

Lisette Meij, Data Protection Officer at Piwik PRO

Companies can respect privacy laws and conduct effective marketing activities at the same time

Finally, 75% of the group believes that online privacy positively impacts business and can be perceived as a business advantage, while 73.4% acknowledge that compliance with online privacy standards can be challenging.

Respecting the online privacy has a positive impact on business and can be perceived as a business advantage

Respecting the online privacy of individuals is challenging for businesses

“Five years in, companies are starting to find ways to successfully work with the privacy rules and not just treat GDPR as an obstacle to doing business. Moreover, many organizations confirm that a privacy focus can be treated as a business advantage. We’re happy to see the meaningful growth in companies that succeed simultaneously in digital marketing and privacy compliance.”

Magdalena Pawlitko, Head of Global Sales at Piwik PRO

GDPR compliance

In this part of the report, we investigate what motivates companies to align with GDPR and how the regulation impacts their operations. The results suggest that organizations are feeling more and more at home with their responsibilities – around 20% more respondents than last year think the rules of GDPR are easy to understand and implement. 

Main motivations towards compliance

The main factors driving companies’ compliance in 2023 are building trust with consumers (65.7%) and company values (54.3%). To a lesser extent, the study participants point to neutral or negative motivations, such as legal obligation (39.3%) and risk of fines (12.7%).

GDPR requirements are viewed as easy to understand, with 73.7% of respondents agreeing with this statement (strongly agree – 25.0%, agree – 48.7%). Compared to last year, it’s a significant change – in 2022, only 38.7% of respondents agreed with this opinion.

Only 8% of respondents take the opposite view. 

At the same time, 62.7% of respondents consider GDPR’s requirements easy to implement (strongly agree – 24.0%, agree – 38.7%). This is a nearly 20% increase in positive answers since the last survey in 2022.

Only 9% of marketers and other business executives view GDPR implementation as challenging.

GDPR requirements are easy to understand

GDPR requirements are easy to implement

GDPR’s impact on EU businesses 

39.7% of respondents say that GDPR compliance has positively affected their business, while 60.3% don’t consider the influence of the law to be that positive. 

Compliance with GDPR has positively affected my business

Compliance with GDPR has negatively affected my business

Respondents whose businesses benefited from compliance with GDPR cite the following reasons: greater data security, company credibility, and greater customer confidence, among others.

17.7% of respondents say that GDPR compliance has negatively affected their business. More than 82% of respondents don’t feel the negative effect of the law. Among the negative consequences of the law, the respondents list higher data storage and management costs, immense workload, and limited marketing opportunities, including activities related to personalization and the use of AI.

“Privacy is reshaping how organizations do business. Trust becomes a critical factor in building relations between brands and consumers. When consumers trust a brand, they might be willing to share more data with it. By demonstrating a commitment to privacy, companies prove their compliance, ramp up positive customer experience and gather more insight for data-driven decision-making.”

Dominika Gruszkiewicz, B2B Marketing Manager at Piwik PRO

Marketing technologies and compliance

This section of the report examines what marketing technologies European companies use. It explores marketers’ knowledge of the data flow in their tools’ ecosystem, the legal grounds for processing clients’ data, and compliance reviews of their stack. It also dives into their preferences for EU marketing technologies and big tech products.

The most popular technologies in European marketers’ stacks are analytics (46.3%), social media channels and email automation tools (35% each), and advertising technologies (32.7%). The group of less frequently used platforms includes experience optimization tools (25.7%), CMS (21.3%), and CRM (17.7%).

Marketing stack compliance

Only 11% of marketers are unaware if their tools collect personal data, which is a sign of increasing privacy awareness, compared to last year’s 18.6% (the average of answers to questions concerning seven different types of marketing tools). 60% state that their software gathers personal data, while 28.7% claim it doesn’t.

When asked about the legal basis for collecting marketing data, more than half of respondents (55%) indicate consent and 26.3% legitimate interest. Only one in ten invoke a different type of legal ground, and as few as 7% need to learn their basis for processing personal data.

My marketing stack collects and stores personal data

What GDPR legal basis do you use for marketing data collection?

One in three respondents review the compliance of their marketing stack regularly, and 36% do it occasionally. 18% have done it once, 9% of respondents have never done it, and 4% only plan to review it.

I review compliance of my marketing stack

“I’m satisfied with the level of compliance of my marketing stack” is a statement with which more than 70% of respondents agree. 15.7% of respondents disagree, while 13.3% are not sure.

More than 60% know the data flow between the tools in their marketing stack. 25% of the group disagree with this statement, while 14.7% don’t have an opinion.

I’m satisfied with the level of compliance of my marketing stack

What are data flows?

By this term, we mean transferring data from one platform to another, either between different parts of your stack or between your stack and third-party technology. Data flows also refer to moving data from one privacy jurisdiction to another, for example, from the EU to the US.

I know where all the data from my marketing stack is stored

62% of study participants understand the data flow in their marketing stack. One in four has yet to understand this process, while 12.3% can’t give a conclusive answer. 

Regarding the location of data, 70.7% of respondents know where the data from their marketing stack is being stored.

In 60% of cases, marketing data always remains in the European Economic Area (EEA). 24.3% of respondents keep data outside EEA, while 17.7% don’t know the location of their data.

Choosing EU-based vendors over the competition

Interestingly, 73% of study participants would choose an EU marketing technology as an alternative to big tech products. It means that the interest in marketing products from the EU has grown by nearly 25% year-to-year.

Would you choose an EU marketing technology alternative to big tech products?

What’s even more intriguing, privacy compliance would be the main reason to pick European alternatives over big tech products for only 30% of the respondents. More popular factors among this group are price (50%), local hosting (42%), customer support (42%), and the offered feature set (35.7%).

What would motivate you to choose a European marketing platform over a big tech product?

“Privacy Shield’s downfall was a shock to the whole EU-US digital economy. It also motivated organizations to be more conscious about data transfers, especially in marketing technologies. Organizations are taking control of their data. A big part of this task is considering EU alternatives and including them in their technology stack.”

Kuba Bomba, Chief Product Officer at Piwik PRO

Recent events and changes in privacy and marketing

We’ve asked marketing and business executives about the recent trends and events in marketing and privacy that influence their business. We’ve also looked into how companies plan to prepare for these changes. Let’s take a look at the results.

According to our findings, the events and trends that have the most impact on organizations’ marketing activities are the EU’s plans for better GDPR enforcement across the Member States, work on the new version of the EU-US data transfer agreement, the increasing popularity of server-side tracking, and the deprecation of third-party cookies.

Meanwhile, EU businesses are less concerned with the rise of data clean rooms, the sunset of Universal Analytics, and the violation of GDPR by both versions of Google Analytics.

The charts show the result on a scale from 1 to 10, where 1 is a “zero impact” and 10 a “full course correction”

We’ve also asked our study participants how they want to prepare for these changes.

Marketers and business executives are getting ready for better enforcement of GDPR by improving the privacy and security of their data collection, investing in employee training, and ensuring compliance of cross-border data transfers.

Businesses that anticipate the introduction of a new data agreement between the EU and US are updating their processing agreements with international partners, increasing their focus on data privacy, and taking a more conservative approach to transatlantic data transfers.

Companies that invest in server-side tagging and tracking do it to improve their marketing operations, data management, and data security and to prepare for the deprecation of third-party cookies.

Organizations interested in the use of data clean rooms want to improve their customer segmentation, do advanced ad targeting, enhance their marketing effectiveness, and better protect the privacy of their customers’ data.

Marketers and business executives concerned with Google Analytics’ violations of GDPR plan to update their data processing agreements with third parties, limit data collection with Google products, and switch to privacy-compliant alternatives.

Finally, the sunset of Universal Analytics is inspiring EU companies to migrate to Google Analytics 4, reevaluate their KPIs and data strategies, as well as find a new analytics platform.

“There are a lot of dynamic changes, both in the technology and legal landscape. It’s good to see that organizations are paying attention to recent events and acting accordingly by updating their strategies and actions. That’s a practical way of building future-proof and sustainable business processes.”

Mateusz Krempa, Chief Operating Officer at Piwik PRO

about the methodology

This report is based on the answers of 300 anonymous respondents from 30 European countries. The most significant number of respondents came from France, Germany, Italy, the Netherlands, and Sweden. The group consisted of senior marketing managers, CEOs, heads of marketing, CMOs, and COOs of mid-size and enterprise-grade companies. The survey was conducted in April 2023 using the computer-assisted web interview method (CAWI).

Interested in moving your analytics to a privacy-friendly European platform with local hosting? 

Meet Piwik PRO – a modern web and app analytics vendor that offers easy migration, advanced reporting available from a friendly UI, and privacy compliance with a tick of a box.