What is GDPR?
Also known as: General Data Protection Regulation, EU GDPR
What is the GDPR?
The General Data Protection Regulation is a European Union law that took effect on 25 May 2018. It governs how organizations collect, store, use, and transfer personal data belonging to people in the EU. The official text lives at EUR-Lex Regulation (EU) 2016/679.
The GDPR replaced the 1995 Data Protection Directive. It harmonized rules across all 27 member states. It also gave individuals stronger rights over their data and gave regulators real enforcement teeth.
For advertisers, the GDPR is the single most important privacy law in the world. It shapes how cookies, pixels, retargeting, and audience-building work in every market where EU residents browse.
Who does the GDPR apply to?
The GDPR applies to any organization that processes the personal data of people physically located in the EU, regardless of where the organization itself is based. Article 3 of the regulation calls this "extraterritorial scope." A US retailer shipping to Germany is in scope. A Brazilian publisher running display ads to French readers is in scope.
Two roles matter.
- Controllers. The organization that decides why and how personal data is processed. The advertiser running a campaign is usually the controller.
- Processors. A third party that processes data on the controller's behalf. Ad networks, analytics vendors, and email service providers typically act as processors.
Both roles carry direct obligations under the regulation. Controllers and processors must sign a Data Processing Agreement (DPA). The European Commission DPA guidance sets out the standard contractual clauses required for international transfers.
What are the key GDPR principles?
Article 5 of the regulation sets seven core principles for handling personal data. Every advertiser, publisher, and tech vendor must apply all of them.
- Lawfulness, fairness, and transparency. Process data on a clear legal basis. Tell people what you are doing.
- Purpose limitation. Collect data for a specific, explicit purpose. Do not repurpose it later without a new lawful basis.
- Data minimization. Collect only what you need. No more.
- Accuracy. Keep data correct and up to date. Fix errors when reported.
- Storage limitation. Delete data when the purpose ends. Hold no longer than necessary.
- Integrity and confidentiality. Use technical and organizational measures to keep data secure.
- Accountability. The controller must be able to prove all of the above. Documentation, audits, and records of processing activities are mandatory.
The European Data Protection Board publishes guidelines that flesh out each principle. EDPB opinions are not law but they carry serious weight in regulator decisions and court rulings.
What does the GDPR mean for advertisers and marketers?
Marketers feel the GDPR through three pressure points: consent, individual rights, and cross-border data flows.
Consent for tracking
Advertising cookies and tracking pixels need prior, freely given, specific, informed, and unambiguous consent before they fire. The standard is set by Article 4(11) and reinforced by the ePrivacy Directive. A pre-ticked checkbox does not count. A cookie wall that blocks the site until consent is given does not count either, per EDPB guidelines on consent.
The standard pattern is the IAB Europe Transparency and Consent Framework (TCF v2.2), which most ad networks support. Consent strings travel with the bid request so vendors know what they are allowed to do.
Consent for retargeting
Retargeting needs the same level of consent as any other tracking. If a user denies consent on the first visit, you cannot drop a cookie, fire a pixel, or build a custom audience from their behavior. In practice, consent rates across major EU markets sit between 50 and 70 percent depending on geography and consent banner design, which means advertisers should plan media budgets and audience sizes around lower addressable reach than pre-GDPR baselines.
Right to be forgotten and access requests
Articles 15 to 22 give individuals the right to access their data, correct it, delete it, and port it to another service. A user can email an advertiser and ask for everything held about them. The controller has 30 days to respond. Marketing teams need a workflow for this. Spreadsheets do not scale.
A clear privacy notice and a working consent record are the minimum disclosure layer for any advertiser running EU traffic. They also feed directly into brand safety reviews when buyers audit how their ads are served.
What are the penalties under the GDPR?
Article 83 sets two tiers of fines. Lower-tier infringements cap at 10 million euros or 2 percent of global annual turnover, whichever is higher. Upper-tier infringements, including consent and lawful basis failures, cap at 20 million euros or 4 percent of global turnover.
Concrete enforcement examples published by the EDPB enforcement tracker and supervisory authorities:
- Meta Platforms, 1.2 billion euros (May 2023). Irish Data Protection Commission, for unlawful EU to US data transfers under decision IN-21-9-2.
- Amazon, 746 million euros (July 2021). Luxembourg CNPD, for advertising cookie practices.
- TikTok, 345 million euros (September 2023). Irish DPC, for handling of children's data.
- Google, 50 million euros (January 2019). French CNIL, for lack of transparency and valid consent for ad personalization.
Fines are not the only risk. Regulators can also order processing to stop, which kills campaigns mid-flight.
How do you comply with the GDPR?
Compliance is a system, not a checklist. Six concrete steps cover most advertisers.
- Run a data inventory. List every place personal data lives. CRM, ad platforms, analytics, email tools, customer support. Document what flows where.
- Pick the lawful basis for each processing activity. Consent for advertising cookies. Legitimate interest for fraud prevention. Contract for order fulfillment. Write it down.
- Deploy a consent management platform (CMP). Tools like OneTrust, Cookiebot, Didomi, and Sourcepoint integrate with the IAB TCF and store auditable consent records. The CMP is the source of truth for what each user agreed to.
- Sign DPAs with every processor. Ad networks, analytics vendors, email providers, hosting platforms. No DPA, no data sharing.
- Keep audit trails. Article 30 requires a record of processing activities. Log consent timestamps, purpose changes, and deletion requests.
- Train the team. Marketers, engineers, and customer support all touch personal data. They need to know the rules and the escalation path.
Across performance campaigns we have shipped, the single biggest compliance gap is not the consent banner. It is the gap between the banner and the pixel. Pixels often fire before consent is recorded because the tag manager loads them on page load. The fix: gate every advertising tag behind the CMP signal, not the page lifecycle.
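Gating a tag on the CMP signal rather than on page load, shown as an added JavaScript example that is not code from the original page. It assumes a TCF v2 CMP exposing window.__tcfapi (the standard TCF v2 CMP API); the vendor ID and purpose list are illustrative placeholders for a real tag.

```javascript
// Added example, not from the original page: load an advertising tag only
// after the IAB TCF v2 CMP reports consent, never from the page lifecycle.
// Assumed: the CMP exposes window.__tcfapi (TCF v2 CMP API); the vendor ID
// and purpose list are illustrative placeholders for a real tag.

// TCF purpose IDs this tag needs: 1 store/access device info,
// 3 create a personalised ads profile, 4 select personalised ads.
const REQUIRED_PURPOSES = [1, 3, 4];

// Pure decision function. Fires only when GDPR does not apply, or when every
// required purpose AND the vendor itself have consent. Missing signal: no fire.
function shouldFireTag(tcData, vendorId, purposes = REQUIRED_PURPOSES) {
  if (!tcData) return false;
  if (tcData.gdprApplies === false) return true;
  const purposeConsents = (tcData.purpose && tcData.purpose.consents) || {};
  const vendorConsents = (tcData.vendor && tcData.vendor.consents) || {};
  const purposesOk = purposes.every((p) => purposeConsents[p] === true);
  return purposesOk && vendorConsents[vendorId] === true;
}

// Subscribe to the CMP and fire at most once, only on a settled decision
// ('tcloaded' = stored choice replayed, 'useractioncomplete' = user just chose).
// 'cmpuishown' means the banner is still open, so nothing fires yet.
// Returns false when no CMP is present, in which case the tag stays off.
function gateTag(win, vendorId, fireTag) {
  let fired = false;
  if (typeof win.__tcfapi !== 'function') return false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || fired) return;
    const settled = tcData.eventStatus === 'tcloaded' ||
                    tcData.eventStatus === 'useractioncomplete';
    if (settled && shouldFireTag(tcData, vendorId)) {
      fired = true;
      fireTag(tcData.tcString); // forward the TC string with the pixel/bid
    }
  });
  return true;
}

// Constructed stand-in for a CMP so the gate can be exercised offline: it
// replays a single TCData event to whoever subscribes.
function fakeCmpWindow(tcData) {
  return {
    __tcfapi(cmd, version, cb) {
      if (cmd === 'addEventListener' && version === 2) cb(tcData, true);
    },
  };
}
```

In a real page, fireTag would inject the pixel script and tcString would ride along in the bid request so downstream vendors see the same consent the CMP recorded.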
How does the GDPR compare to the CCPA?
Both laws protect personal data. The mechanics are different.
| Feature | GDPR | CCPA / CPRA |
|---|---|---|
| Who it covers | People in the EU | California residents |
| Default model | Opt-in (consent before processing) | Opt-out (user can ask to stop sale or sharing) |
| Lawful bases | Six in Article 6 | No equivalent, "business purpose" framing |
| Fines (max) | 4 percent of global turnover or 20M euros | $7,500 per intentional violation, per CCPA |
| Individual rights | Access, correction, deletion, portability, objection | Access, deletion, opt-out of sale, correction |
| Regulator | National DPAs coordinated by EDPB | California Privacy Protection Agency (CPPA) |
Most US-based advertisers running global traffic now build to the GDPR standard and treat it as the floor. CCPA, Brazil's LGPD, and the UK GDPR all map cleanly on top.
What does GDPR look like in 2026?
The regulation has not changed. Enforcement and adjacent law have. Three trends matter for advertisers this year.
- Cross-border transfer scrutiny. The EU to US Data Privacy Framework, finalized in 2023, replaced Privacy Shield. Adequacy is being challenged in the courts again. Vendors with US-only data centers carry rising risk.
- Dark patterns crackdown. The EDPB and national DPAs have flagged consent banner designs that nudge users toward "accept all." Expect fines for banner UX, not only data handling.
- AI Act overlap. The EU AI Act came into force in 2024 and adds rules on top of the GDPR for systems that profile people or generate ad creative from personal data.
Looking at the public EDPB tracker as of early 2026, total GDPR fines now exceed 5.6 billion euros across roughly 2,200 published decisions, with advertising and cookie cases accounting for a meaningful share of the largest awards. The trajectory is up, not down.
The takeaway for marketers: build the consent and data infrastructure once, build it well, and treat it as a permanent operating layer. The cost of getting it wrong is no longer theoretical.
Frequently asked questions
Does the GDPR apply to companies outside the EU?
Yes. Article 3 of the GDPR sets out extraterritorial scope. Any company that offers goods or services to people in the EU, or monitors their behavior, must comply. Location of the company does not matter. A US ad network with EU visitors falls inside the rules.
What counts as personal data under the GDPR?
Any information that can identify a person directly or indirectly. Names, emails, phone numbers, IP addresses, cookie IDs, device identifiers, and location data all qualify. Pseudonymous identifiers used in advertising, like a Meta Pixel cookie or a mobile advertising ID, are personal data under EDPB guidance.
Do I need consent for every use of personal data?
No. Consent is one of six lawful bases in Article 6. Others include contract, legal obligation, vital interests, public task, and legitimate interests. For advertising cookies and tracking pixels, the ePrivacy Directive requires prior consent on top of the GDPR lawful basis. That is the strict rule.
What are the largest GDPR fines so far?
Meta Platforms received a 1.2 billion euro fine in May 2023 from the Irish DPC for unlawful EU to US data transfers. Amazon was fined 746 million euros by Luxembourg's CNPD in 2021. TikTok was fined 345 million euros in 2023 for child data handling. Source: EDPB enforcement tracker.
How is GDPR different from CCPA?
GDPR is opt-in. The user must agree before data processing begins. CCPA is opt-out. The user can ask the business to stop selling data after the fact. GDPR covers all personal data. CCPA covers California residents and focuses on sale or sharing of data. Penalties also work differently.