Article 9 of GDPR is the regulation's highest-risk category — and the one that advertising teams most consistently underestimate. The common assumption is that Article 9 only applies if you directly collect health data, political opinions, or religious beliefs. That assumption is wrong.
Article 9 applies whenever personal data processing reveals or allows inference of special category attributes — including through advertising engagement data. EU data protection authorities have made clear that ad targeting systems that enable health, political, or religious inferences engage Article 9 obligations even without direct data collection.
What Article 9 covers
GDPR Article 9(1) prohibits processing of:
- Health data — data concerning a person's physical or mental health
- Genetic data
- Biometric data used for unique identification
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Sex life or sexual orientation
Processing these categories is prohibited unless one of the conditions in Article 9(2) applies. For advertising, the relevant condition is almost always explicit consent (Article 9(2)(a)) — a higher bar than ordinary GDPR consent.
Why advertising engages Article 9 even without direct collection
The intersection of Article 9 and advertising doesn't require you to ask users about their health. It operates through inference.
When a user clicks on an ad for a diabetes monitor, visits a mental health app's landing page, or engages with content about a specific religion, that engagement creates a behavioural signal. Ad platforms use those signals to:
- Build audience segments ("interested in health supplements")
- Target other users with similar profiles (lookalike audiences)
- Serve retargeting ads that reference the prior engagement
The process of creating and using those audience segments involves inferring health, political, or religious attributes from behaviour — which is exactly what Article 9 addresses, regardless of whether you explicitly collected the underlying data.
The regulators who have confirmed this
The Austrian Data Protection Authority ruled in 2022 that Google Analytics data transfers involved health-status inference through behavioural data. The French CNIL and German DSK have both issued guidance noting that advertising that allows inference of health conditions from targeting data engages Article 9. The Belgian DPA fined IAB Europe over TCF consent management that permitted special category inference in programmatic advertising.
The enforcement direction is clear: EU regulators are looking at the inference chain, not just the explicit data field.
Which advertising scenarios carry the highest Article 9 risk
High risk:
- Retargeting users who visited specific condition pages (oncology clinic, mental health platform, addiction recovery service)
- Custom audiences built from health product purchase data
- Lookalike audiences built from any health-related custom audience
- Advertising for fertility services, reproductive health, weight loss, or mental wellness with detailed targeting
- Political advertising with any targeting beyond age and geography
- Religious product advertising with interest-based targeting
Medium risk:
- Supplement or wellness advertising to broad audiences with generic interest targeting
- Financial product advertising for debt relief or payday products where financial difficulty can be inferred
- Advertising for sexual health products without interest targeting
Lower risk:
- Broad-based advertising for health products with no behavioural or interest-based targeting
- Contextual advertising that matches ad to content rather than to user profile
- Advertising that does not enable engagement-based profiling
What explicit consent for Article 9 processing looks like in advertising
If your advertising engagement genuinely involves Article 9 processing, ordinary opt-in consent isn't sufficient. You need explicit consent: an unambiguous, specific statement from the user that they consent to the processing of their special category data for the described purpose.
In practice, this is very hard to implement in standard ad flows. Most advertising platforms don't offer a mechanism for collecting Article 9 explicit consent before serving an ad. This is part of why regulators have pushed advertisers toward contextual targeting models that don't enable special category inference.
For advertisers in high-risk sectors, the practical implications are:
- Avoid building audience segments based on health engagement data unless you have explicit consent from each individual in that segment
- Use contextual targeting where possible — matching ads to page content rather than user profiles
- Audit your DMP/CDP for any segments that rely on health, political, or religious inference
- Review your retargeting audiences for any built from sensitive site sections or product categories
- Check your copy — ad copy that makes health claims or implies knowledge of a user's health status adds to the inference risk
How Article 9 affects ad copy specifically
Ad copy is rarely where Article 9 is directly violated — the violation usually happens in the targeting setup. But copy can contribute to the inference problem:
- Copy that implies knowledge of the user's health condition ("We know you're struggling with...") makes the inference explicit and indefensible
- Copy for medical or health products that promises outcomes makes the health connection obvious, which strengthens the case that health data inference is part of the advertising system
- Copy that references political or religious affiliation in a targeting context (even for legal advocacy or charitable organisations) may engage Article 9
The safest copy in high-risk sectors is copy that makes general claims about the product or service without implying that the targeting was based on sensitive personal inference.
Scan your copy for Article 9 risk
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.