I posted this week on LinkedIn that I was seeing more interest in cookie/web tech governance training, and given the super fascinating conversation (check it out here), I wanted to dive deeper into this topic in this week’s newsletter.

I LOVE holding training sessions. I love presenting and making facts simpler to understand.

Have you ever been told to do something and then had a gazillion questions? Like, why are you being asked to do “fill in the blank”? What exactly am I supposed to do? How should I handle this unique situation (because, of course, every company is unique!)? And the list goes on.

In the land of privacy governance, including cookie/pixel governance, people need a policy, the rules of the road that the company has set, and that employees need to follow. Then there needs to be a process that operationalizes that policy. Fancy speak for taking the policy and making it actionable into steps that employees take. Training is the bridge between the policy and process.

Without training, privacy requirements live on paper, while day-to-day decisions are made in isolation.

With training, privacy considerations start showing up earlier in planning conversations, vendor selection, experimentation, and design choices before something goes live.

That shift from reactive to proactive is where privacy maturity really starts.

Here’s the part people miss: training isn’t just a “privacy program” activity – it’s a business accelerator. Without training, privacy requirements live on paper while day-to-day decisions are made in isolation, which creates rework, fire drills, and last-minute launches getting paused. With training, teams spot risk earlier (during planning, vendor selection, experimentation, and design choices), so fewer problems make it to production in the first place.

Why am I seeing a surge in cookie/web tech governance training?

And yes, as someone rightfully pointed out, it’s not just cookies. It’s really all web technologies.

And it’s not just for marketing. Cookie/web tech governance training should be role-based and built around the types of decisions different teams make. Marketing, product, and recruiting can all deploy tracking technologies, and when those teams operate in separate lanes, risk gets duplicated, and no one sees the full picture.

Marketing teams make dozens of small, rapid decisions every day, many of which involve personal data. These decisions have a privacy impact that may or may not be reviewed against internal policies, evaluated against customer expectations, and might put the company in violation of privacy compliance obligations.

My hunch is that most marketers aren’t trying to purposefully do these things. They just don’t know any better. They aren’t informed of how a website update can break cookie consent software. Or how, when they sign up with that super cool new vendor who has promised the world to them, they might have just unknowingly agreed to selling data as defined under privacy laws like CCPA. Many marketing teams understand ad tech, but not the intersection of ad tech and privacy laws.

Good governance training makes these intersections practical by clarifying:

  • Why cookie/web tech governance matters (beyond “because legal said so”)
  • Where issues commonly arise (consent misfires, new tags, vendor changes, site updates)
  • What employees are expected to do (the “rules of the road” in real workflows)
  • When to pause and escalate (and who to go to)
  • How to move faster with clear guardrails instead of guessing

Some companies create guardrails for teams to work within. Some companies want every single new pixel reviewed. Some need a short assessment completed first; for others, it’s a full privacy risk assessment. For other companies, any pixel that meets certain criteria can be obtained with no additional approval or review needed. There are pros/cons to all these approaches (and the cookie/web tech governance framework is an entire other topic for another day).

Whichever approach a company takes needs to be codified into the policy and then translated into the actual business process. And policy and process only work if people are trained on why we have a policy, what the process is, and what to do with questions.

Training as Enablement, Not Enforcement

The most effective privacy programs I see treat training as enablement, not enforcement.

Training’s goal is not to control every decision, but to raise the baseline level of understanding across the business, so fewer problems are created in the first place.

Enablement means:

  • Helping teams understand why privacy requirements exist
  • Showing them where privacy risk typically shows up in their work
  • Giving them context, not just rules
  • Providing guardrails so people know where the boundaries are
  • Clarifying what employees are expected to do

Most people also think cookie/web tech governance applies only to marketing. I’ve worked with product teams and had to think through the “What kind of cookie is this?”, “What will the vendor do with this data?”, “Is there a contract in place?” (and a long list of other questions).

I also work with companies where recruiting teams are deploying the same type of ad tech as marketing, just for jobs trying to attract talent. In companies, these three business functions using pixels might be managed completely separately, and the training might need to be provided to each team.

Training helps companies move faster because they have guardrails.

If you have attended an IAPP conference in the last few years, you may remember Trevor Hughes, President and CEO of IAPP, telling the story about the invention of brakes. I love this analogy! While yes, brakes actually make a car stop, they actually let it go faster because now, instead of a manual brake, there’s a mechanical one. Brakes are the guardrails that allow for trust and safety, letting cars have greater speed.

Just like in privacy, we want to enable teams to go fast (and speedy they are these days), but with guardrails so that the company manages customer expectations, risk, and applicable privacy law obligations.

People Don’t Learn Once, and They Don’t All Learn the Same Way

When creating training programs, companies often miss a simple human reality: people learn differently, and most people don’t retain information after hearing it once.

Research on adult learning and memory consistently shows that without reinforcement, people forget the majority of new information very quickly. Studies based on the Ebbinghaus forgetting curve show that learners can forget roughly 50–70% of new information within 24 hours, and up to 90% within a week if it isn’t reinforced.

Learning research also shows that:

  • People absorb information in different ways – some prefer written guidance, others visuals, discussion, or applied examples
  • One-time training has very low long-term retention
  • Repetition and reinforcement significantly improve retention and behavior change

Effective privacy training meets people where they are, uses multiple formats, and reinforces key concepts over time. Customize the training.

This is why I LOVE creating bespoke privacy training presentations. Tailoring a training to your company’s audience allows for real case studies and creates discussion about all those unique situations. When people are thinking about their own day-to-day, the training is more likely to stick, and any issues might get resolved too.


Recently, I gave a training, and we included a sticky subject that involved vendors getting onboarded without any privacy or security approval. In this process, the company increased privacy exposure, and through the training, a healthy discussion ensued, leading to steps to change the process.

Most training isn’t engaging or relevant, and it’s why it doesn’t stick. When I create and deliver my trainings, I spend time ensuring that we have specific use cases and make it engaging so the audience will pay attention. I just love this feedback from someone recently.

Then take that same training and create newsletters, videos, or other forms of content that work with your company culture. Meet regularly with the teams impacted and review sections of the training.

This is how it moves from an annual check-the-box exercise to real ongoing training.

Training Reduces Risk Before It Happens

One of the most overlooked benefits of training is that it shifts privacy risk upstream.

Instead of discovering issues during an audit, after a complaint, during enforcement, or when a customer asks uncomfortable questions, training helps teams recognize risk earlier, when it’s easier and less costly to fix.

This doesn’t eliminate mistakes, but it reduces their frequency and severity, and that’s exactly what mature privacy programs aim to do.

When done well, cookie and web tech governance training reduces reactive reviews, limits last‑minute fire drills, and allows privacy teams to focus on higher‑risk issues instead of constant cleanup.

How to get started (without overengineering it)

You don’t need a perfect governance framework to begin training. Start small and build momentum:

  • Start where decisions are happening fastest – Identify the teams deploying or changing web technologies most frequently (often marketing, product, or recruiting). Training is most effective when it’s targeted at high‑velocity decision‑makers first.
  • Clarify your current guardrails even if they’re imperfect – You don’t need a perfect governance framework to begin. Document what’s generally allowed, what usually needs review, and what’s off‑limits. Training can evolve as your program matures.
  • Design training around real scenarios, not legal theory – Focus on common situations: adding a new tag, changing a consent tool, onboarding a vendor, launching a new campaign, or updating a website. This helps teams recognize risk in context, not in the abstract.
  • Define escalation paths clearly – One of the most valuable outcomes of training is that employees know when and how to ask for help. Clear escalation reduces both risk and unnecessary back‑and‑forth.
  • Reinforce, don’t rely on one‑time sessions – Training should be ongoing—supported by refreshers, examples, newsletters, and conversations. This is how governance becomes part of how teams work, not a once‑a‑year obligation.

Why This Training Matters Now

Companies are moving fast, and data collection isn’t stopping. More vendors are being selected, and more state privacy laws are protecting consumers, all while privacy enforcement is increasing.

Training teaches rules, emphasizes process, and empowers teams to make decisions within the company guardrails.

If you’re trying to make cookie and web tech governance actually work in practice, this is exactly the type of training I love helping companies design and deliver. I’d love to hear what’s working (or not) in your world. Hit reply and let me know. If you’re new to my newsletters, sharing that I read every single reply (and personally respond too)!

All this talk of cookies has me needing to get my favorite food (the gluten and dairy-free kind),


Jodi

