15 December 2025

Propensity modelling in the age of consent

In summary

• What: Propensity and predictive models are being reshaped by consent, minimisation and purpose limitation, changing how data can be collected and used.
• Why: Privacy rules restrict the individual-level, historical data these models rely on, and consent states now shift dynamically user by user.
• When: As third-party cookies disappear and global privacy reforms accelerate, especially in Australia, consented, purpose-led data becomes the only durable modelling foundation.
• How: By embedding privacy into data architecture through pseudonymisation, purpose-led pipelines, aggregated or cohort-based modelling, strong data-layer design, and awareness of implicative data risks.

For years, marketing analytics operated on a simple mantra: collect everything, analyse later. More data meant better models, better targeting, and better growth.

But the industry has crossed a threshold. Global privacy laws (GDPR, CCPA and incoming reforms in Australia), rising user expectations, and structural changes like third-party cookie deprecation have shifted the ground beneath every data-driven discipline.

Today, the success of any model, whether it’s propensity, LTV, recommendation systems, time series forecasting, MMM, or MTA, hinges on something far more foundational than statistical power:

Do you have consent to use the data your model is learning from? Welcome to the age of permission-led modelling.

The new reality: consent isn’t binary, it’s a dynamic state

Historically, brands treated consent as a simple yes/no toggle. But modern regulations require something much more nuanced:

• Consent must be specific to a purpose
• Consent must be informed and unambiguous
• Consent can be withdrawn at any time
• Consent does not automatically carry over to analytics or advertising

This means every user sits in a multi-faceted consent state, and your models must adapt in real time.

Challenge 1: Purpose limitation

If a user gives data to fulfil an order, that does not grant permission to use it for marketing analytics.

This one rule alone disrupts almost every legacy data architecture.

Impact on modelling

Models can no longer be trained on one unified customer table.

Every data field needs to carry metadata about:

• Original purpose
• Legal basis
• Allowed downstream uses

Example:

• Sales data collected under Contract
• Marketing attribution requires Consent
• You cannot simply join these datasets unless the user explicitly agreed.

This breaks the long-standing industry habit of “just add that column to the model”.

Challenge 2: Granular consent fractures your training data

Most consent banners now offer categories:

• Analytics
• Personalisation
• Advertising
• Cross-site tracking

This means:

Your training dataset is no longer “all users for all purposes,” it’s dynamically filtered based on the permissions each user actually granted.

Legacy models assumed stable, universal data coverage. Today’s privacy environment breaks that assumption entirely.

Impact on common marketing models

1. LTV and propensity models

These models depend on deep historical data, exactly the data most vulnerable to minimisation rules and deletion requests.

The problem:

• Minimisation reduces the depth of data you’re allowed to hold
• Purpose Limitation fragments your training cohort

Outcome: Lower predictive accuracy and unstable features.

The solution: Pseudonymised training pipelines

Instead of training on identifiable user data, brands should:

• Strip direct identifiers into a secured PII table
• Assign a pseudonymised ID
• Train models on behavioural patterns, not individuals
• Invalidate IDs when users delete their data

This preserves model utility while honouring legal obligations.

2. Marketing mix modelling (MMM)

MMM is aggregated by nature, but it still relies on identifiers and conversion logs.

The problem:

Cookie deprecation and opt-outs create “holes” in the dataset.

The solution: Synthetic data generation

Where user-level data is missing for privacy reasons, synthetic datasets, built from aggregated patterns, can fill statistical gaps without re-identifying individuals.

3. Multi-touch attribution (MTA)

MTA tries to stitch impressions = clicks = conversions across long timelines.

This is directly at odds with modern privacy obligations.

The problem:

Persistent identifiers are fading or illegal without ongoing consent.

The solution: Move to cohort-based or differential privacy MTA

Focus on group behaviours and aggregate flows. Not individuals.

This shift mirrors what Google and Meta are doing with privacy sandboxes and aggregated event measurement.

How privacy-first data architecture solves these challenges

Privacy-compliant modelling isn’t just a legal exercise, it’s a structural one. Below are the core architectural patterns Louder regularly recommends.

1. A centralised Consent Management Model becomes the gatekeeper

A dedicated Consent Service tracks:

• User ID
• Consent type
• Legal basis
• Timestamp
• Expiry

Every analytics pipeline must check permissions before processing data.

This transforms consent from a front-end banner into an enforceable rule baked into your data model.

2. Architectural Separation (Pseudonymisation)

Split your system into:

• PII Table (minimised, restricted, highly privileged access)
• Behavioural Data Table (rich, useful, non-identifiable)

Link them only through a pseudonymised ID stored in a secure linkage table.

Why it matters:

When a user invokes Right to Delete:

• You delete one row from the PII table
• The pseudonymised ID becomes invalid
• All behavioural history becomes unlinked and therefore unusable

This is a privacy-safe kill switch.

3. Embedded data lineage, retention and auditability

Every data field should include:

• Its consent state
• Its legal basis
• Its retention period
• Its source system

Your models should trigger automatic deletion or anonymisation when:

• Consent expires
• Purpose changes
• Retention limits are reached

This is where data layers become a key component. A well-structured data layer ensures:

• Only the right data is collected
• Every field is tied to a purpose
• Downstream systems know how it can be used

Where this leaves the industry

The age of consent doesn’t mean the end of modelling. It means the end of lazy modelling.

The organisations that win will be the ones that:

• Treat consent as a dynamic model input
• Build resilient architectures that survive data deletion
• Shift from individuals to pseudonymous or cohort-based signals
• Prioritise declared and contextual data over passive surveillance
• Use synthetic data where privacy removes granularity
• Invest in privacy engineering as a core analytics capability

Prediction must now be grounded in permission.

Louder’s recommendations

• Build privacy into the data model itself. Consent must be machine-readable and enforced automatically across every pipeline.
• Use purpose-led, pseudonymised data architectures.Models should never access raw identifiers, only the minimum data required for the approved purpose.
• Shift from individual-level to aggregated or cohort-based modelling where needed. A more privacy-resilient approach for attribution, measurement and forecasting.
• Treat the data layer as critical infrastructure. It ensures only the right data is collected, with clear purpose, provenance and retention.
• Use synthetic or cohort-based methods to offset signal loss. Future-proof models by designing them to operate even when granularity drops.
• Train teams in “implicative data” risk. Privacy risk increasingly comes from what models can infer, not just what’s collected.

Get in touch

Get in touch with Louder to discuss how we can assist you or your business and sign up to our newsletter to receive the latest industry updates straight in your inbox.