From trace to model: how synthetic data is transforming digital privacy

From cookies to simulated data

The phasing out of third-party cookies—driven by browsers such as Safari, Firefox and, more recently, Google Chrome through its Privacy Sandbox initiative—marks the end of an era: that of individualised tracking as the basis for digital marketing.

Faced with this change, the technology industry is confronted with a key question:

How can personalisation and analytics be maintained without relying on the processing of real personal data?

The answer is beginning to take shape in an emerging trend: synthetic data, an alternative that combines innovation, compliance and ethics.

What is synthetic data?

Synthetic data is artificially generated sets of information using statistical models or artificial intelligence.

They simulate the patterns and correlations of real data, but do not correspond to existing individuals. 

In practice:

• It preserves analytical utility (it allows models to be trained or algorithms to be tested).
• They eliminate the risk of personal exposure. 
• They comply with the principle of minimisation by replacing real data with simulated data.

They are the digital equivalent of a topographical map: they reproduce the terrain accurately, without showing the location of any real person.

Privacy by design in action

According to the Spanish Data Protection Agency (AEPD), synthetic data constitutes a privacy enhancement technology (PET) because it allows the same analytical purposes to be achieved without processing real personal data.

In terms of compliance, they represent a practical application of the principle of data protection by design and by default provided for in both the General Data Protection Regulation and Article 15 of the Mexican Regulation.

Practical applications 

• Ethical advertising and marketing: creation of synthetic audiences based on behaviour patterns, without individual tracking.

• System and algorithm testing: validation of segmentation or attribution tools without exposing real data.
• AI and machine learning development: training models in sensitive contexts (health, finance, consumption).

In a cookieless future, these techniques allow companies to maintain analytical accuracy without violating user privacy.

Risks and precautions

Not all synthetic datasets are risk-free.

If the generation model is based on a small or poorly anonymised volume of real data,the possibility of re-identification may persist.

Therefore, the AEPD recommends:

• Evaluating the privacy and utility metrics of each generated set.
• Document the synthesis process and its purpose.
• Applying complementary techniques such as differential privacy or masking.

The potential for Mexico

In Mexico, where regulation on cookies or behavioural advertising is limited, synthetic data offers a means of responsible self-regulation:

• It functions as a compensatory measure or enhanced compliance under the Federal Law on Protection of Personal Data Held by Private Parties.
• It aligns with the principles of proportionality, dissociation, and data quality.
• They allow for innovation without violating the rights of data subjects.

Integrating synthetic data generation into compliance programmes can become a competitive advantage, not just a technical measure.

Conclusion

The future of digital marketing will not only be cookieless, but also synthetic-driven. Organisations that adopt these technologies with ethical and legal criteria will transcend the logic of formal compliance, positioning themselves as leaders in responsible innovation.

At ECIJA Mexico, we promote the convergence of privacy, technology and artificial intelligence: an approach in which compliance does not limit creativity, but rather redefines it.

Article written by Berenice Sagaón Falcón, in collaboration with Andrea Chávez Compliance and Personal Data Protection Department, ECIJA Mexico