top of page


Updated: Apr 19

[GIF supplied by WIX. Cover Image created using WIX AI]

I am sure like everyone else in the world right now you are driven insane daily by the proliferation of Cookie Notifications everywhere you go and endless requests to activate Two-Factor Identification, plug in passwords and OTPs. Whilst this is for good reason, it can be a real pain, and also impact on your advertising tracking, performance and ability to target the audiences you were able to before.

We all want to do the right thing, but what exactly is the right thing? Let's take a look at a few aspects of what's going on with data in the marketing space right now both globally and in Australia and New Zealand.

The following information has been taken off the Google and Meta sites and summarised for your information. It is very high level and "lite". Please note that stok.communications does not take responsibility for their clients legal requirements from a privacy point of view, however, we do take privacy very seriously and keep all client (and their customer) information private to the best of our ability within the platforms we use (Google & Social Media Ad Platforms).

We do however request that clients ensure they are up to speed with the latest changes and developments in this space and consult their lawyers if and when in any doubt.


When you have an “accept cookies” notification on your site, this means you are getting customers to agree to you using their third-party data (a cookie-token that is attached to their device that will recognise them when they come back to your site, and track them where they go from there for a period of time - so you can follow them with annoying ad messages that tell them they do in fact really need those shoes, and here's a discount - otherwise known as remarketing or personalisation. As a consumer, this can be good. As per my opening statement, this can save you having to login to every site every time you visit and the site forgetting your information so you have to start all over again - annoying. As an advertiser, we want to increase conversions and, so the more we can remember about our visitors, the quicker we can bypass the hassles and get them straight to purchasing.

However, that was then. This is now. With so many new privacy regulations (Europe - GDPR - and California being the biggest restrictors), as well as browser changes (esp Apple IOS) it is harder to attach these tokens to devices, even with consent to cookies. So there is a depreciating value of third-party data, meaning companies have shifted to building their opted in first-party data - your opted in consumers who have signed up to newsletters, purchased from you and agreed to receive communications.

Australia and New Zealand however, currently don’t require users to “accept cookies” and the privacy of data is still somewhat loose compared to elsewhere. Below are some links to government sites where there is little to no mention of how this applies to Google and Meta/Social Media.


Most websites such as Shopify and Wix have pre-filled Privacy Policy forms you can activate on your site which cover off most of the restrictions and protection wording including the extra clauses for GDPR and California. It is good business practice to notify customers that you are using their browsing data (collecting cookies) by having an opt in, but this will limit your data collection around the performance of your marketing across Google and Meta, so many businesses are not following global best practice yet, until mandated.


Outside of using your first party data to send newsletters and sales content, Google and Meta allow you to upload your offline data in their Ads Manager for the purpose of being able to:

a) Reach and Re-engage with your existing customers across Search, the Shopping tab, Gmail, YouTube, and Display.

b) Use this information to create lookalike audiences similar to your customers assuming they might become new customers for your business.

The process involves uploading your first party data (the CRM data you have collected through your clients that they have given you).


It is ideal to include an “OPT IN Marketing tick box” on all your new customer sign-ups and capture this. This is not only good business practice, but required by law in most countries.


The customer data files you upload will only be used to match your customers to Google accounts and to ensure your Google Ads Customer Match campaigns comply with our policies. We'll keep your data confidential and secure using the same industry-leading standards we use to protect our own users’ data.

Google doesn’t receive actual email addresses. Google’s system transforms the contact information we have for Google accounts, like email addresses and phone numbers, into hashed codes using the secure hashing algorithm SHA256, a one-way hashing mechanism that is not unencrypted by Google.

Google Claims on Use of Data:

Limited data use. We won’t use your data files for any purpose other than to create your Customer Match audiences and ensure compliance with our policies. We won’t use your data files to build or enhance profiles of your customers.

Limited data access. We won’t share your data files with other Google teams other than to create your Customer Match audiences and ensure compliance with our policies. We use employee access controls to protect your data files from unauthorised access.

Limited data sharing. We won’t share your data files with any third party, including other advertisers. Google may share this data to meet any applicable law, regulation, legal process or enforceable governmental request.

Limited data retention. We won’t retain your data files for any longer than necessary to create your Customer Match audiences and ensure compliance with our policies. Once those processes are complete, we'll promptly delete the data files you uploaded via the Google Ads API.


This article linked here is for customers who use Google's online and offline solutions and receive data from end users in the European Economic Area (EEA).


To use Customer Match, your account must have:

  • A good history of policy compliance - if you have been flagged for policy violations in the past this will impact you ability to upload your first party data.

  • A good payment history - sadly they penalise you for declined billings.

  • Not be in the Medical and related Profession.


To improve your match rate, Google recommends adding as many match keys as possible - ie: supplying both email and a phone number..

Users who upload two match keys see an average list size increase of 28% and advertisers who upload a third match key see an average list size increase of 35%.


META offer a similar opportunity in their Ads platform, to upload your first party data as a “Custom Audience” from where you can then also target LOOKALIKE persons in their database - to find new people who share similar behaviours and interests with your existing customers.

If your account is new or if you’ve recently linked to an existing account, it may take a few weeks before you’re able to create or share a customer list custom audience.


This is from META Before we use your uploaded list for the matching process, the information in your customer list is hashed and will be unidentifiable at an individual level. Hashing is a type of cryptographic security method that turns your identifiers into randomised code and cannot be reversed.

(Depending on the size of your list, this may take a few minutes.)

When you upload your customer list in Ads Manager to create a Custom Audience, the information in your list is hashed before it’s sent to Facebook. Facebook uses this hashed information and compares it to our own hashed information. Then, we help build your audience by finding the Facebook profiles that match and create a Custom Audience for you from those matches.

After your Custom Audience is created, the matched and unmatched hashed information is deleted.


We would recommend that an NDA is signed between stok.communications and clients to form as further protection which would also include a waiver.

Please reach out to Elisabeth on if you need any further information, require and NDA form or have any questions.


bottom of page