Legalify

15 June 2026 · 7 min read

Landing Page GDPR Compliance: 12 Checks Before Launch

A landing page is usually where a campaign actually collects personal data — so it carries most of the GDPR risk. The ad sets an expectation; the page is where that expectation either holds up or breaks. This is a copy-and-form checklist you can run before any EU campaign goes live, organised by the four areas regulators and platforms actually look at: forms, transparency, tracking, and claims.

Why the page is the riskiest surface

An ad can be flawless and still send traffic to a page that quietly over-collects, assumes consent, or buries the data story. Because collection happens here, the page inherits the heaviest obligations under GDPR Articles 13 and 14 — the duty to tell people, at the point of collection, who's taking their data and why. Run this list as a gate, not a nicety.

Forms and data collection

1. Name the controller. The page should make clear which legal entity collects the data, not just a brand. "Brand X" is marketing; the controller is a company. If a user can't tell who actually holds their data, the disclosure is incomplete.

2. Explain the purpose at the point of collection. "Get the guide" should also make clear they'll be emailed and, if true, marketed to. The expectation set here has to match what actually happens next, or it's a transparency failure.

3. Don't over-collect. Asking for phone, company size, and budget to deliver a PDF signals you're collecting more than necessary. Data minimisation is a GDPR principle, and copy that justifies the ask ("so we can send your quote") reads better and safer. Every extra field is both a compliance risk and a conversion drag.

4. Separate marketing consent from the action. A pre-ticked "yes, market to me" box is invalid consent under GDPR. Keep it unticked, specific, and separate from the core conversion. Bundling marketing consent into the download button fails the freely-given test (Article 7(4)).

Transparency and rights

5. Link the privacy policy near the form, not just in the footer. The "informed" part of consent depends on the notice being reachable at the moment of collection.

6. State the lawful basis where it matters — consent for marketing, legitimate interest for some lead-gen, but never both vaguely at once. Claiming "consent and/or legitimate interest" for the same processing signals you haven't actually decided, which is itself a red flag.

7. Make opt-out / withdrawal discoverable. Even on a landing page, the path to manage or withdraw consent should exist. Withdrawing has to be as easy as giving (Article 7(3)).

Tracking and profiling

8. Cookie/consent banner before non-essential tracking fires. Copy that says "we personalise your experience" implies profiling — make sure consent actually precedes the pixel. The cookie consent banner guide covers how to phrase that consent correctly.

9. Avoid creepy personalisation copy that reveals tracking you don't have a basis for. If the copy is more confident about what you know than your consent record justifies, you're advertising your own exposure.

Claims and sensitive data

10. No guaranteed outcomes or unverifiable superlatives. "Guaranteed results," "#1 in Europe," "doctors recommend" — all advertising-claim risks under the UCPD, tightest in regulated sectors. See the UCPD guide for what's defensible.

11. Sensitive data is a hard line. Any health, financial, or biometric collection needs an explicit lawful basis and described safeguards, or it's high-risk. This is the trap for wellness and supplement pages: targeting a health condition and collecting buyer data can let health status be inferred, engaging GDPR Article 9.

12. Substantiate testimonials and stats. "Join 50,000 happy customers" needs to be true and supportable. Unsupported social proof is a misleading claim like any other.

The 30-second version

If your landing page (a) tells people who's collecting their data and why, (b) doesn't bundle or assume consent, (c) doesn't over-collect, (d) doesn't overclaim, and (e) gives a clear opt-out — you've handled most of the common GDPR exposure. The rest is detail, but those five cover the failures that actually pull campaigns.

How this connects to your ads

The landing page is the destination, not the whole journey. The ad that drove the click set an expectation, and the page has to honour it. A search ad promising a quote that lands on a page enrolling users in ad personalisation breaks the chain. Audit the ad and the page together — our Google Ads compliance guide and Facebook & Meta ad copy guide cover the upstream side.

The most common landing-page failures

Patterns repeat across audits. A handful of mistakes account for most of the GDPR exposure on landing pages, and recognising them is faster than re-deriving the rules each time:

  • The reassurance-reality gap. "We respect your privacy" sits above a form that feeds a 15-partner data flow. The reassuring copy makes the omission worse, not better, because it actively sets a false expectation.
  • Consent stapled to the button. The only way to download is to accept marketing. That's bundled consent, and it fails the freely-given test no matter how the checkbox is styled.
  • The silent pixel. Analytics and ad pixels fire on load, before any banner interaction. The copy can be perfect; the tracking already happened without consent.
  • Over-collection by habit. The form asks for everything the CRM has a field for, regardless of what the offer needs. Each unnecessary field is a minimisation problem.
  • Borrowed claims. Stats and testimonials copied from a deck — "trusted by 50,000 teams" — with no one able to substantiate them on request.

Build the checklist into your launch process

A checklist only works if it runs every time, not just on the pages someone remembers to review. The realistic failure mode isn't ignorance of the rules — it's a rushed variant shipped under deadline that skipped the check. Agencies running many client pages feel this acutely: the tenth landing page of the week is the one that goes out unreviewed.

The fix is to make the review a gate in the launch workflow rather than a discretionary step. Whoever ships the page runs the copy through a compliance pass first, the same way they'd check tracking or links. Embedding the check where the work happens — at the point of launch, on every variant — is what turns a good checklist into actual protection. A fast automated scan makes that gate cheap enough that no one skips it.

For agencies: standardise the review across clients

Agencies carry a particular version of this problem. You're shipping landing pages for many clients, each with a different brand, legal entity, privacy policy, and risk appetite — and the compliance buck often stops with you, because you wrote the copy and built the page. A mistake on a client's page can become your liability and your reputational damage.

The answer is standardisation. Rather than relying on each account manager to remember the rules, bake the 12 checks into a single repeatable review that runs on every page regardless of client. That means a shared definition of what "done" looks like — controller named, purpose stated, consent unbundled, no over-collection, claims substantiated, opt-out present — applied uniformly. It also means capturing the client's specific facts once (legal entity, lawful basis, privacy policy URL) so they flow into every page instead of being re-guessed each time.

Standardisation does double duty: it protects the agency, and it's a service you can show clients. "Every page we ship passes a documented GDPR review" is a credible differentiator for EU-focused clients who've been burned by disapprovals before.

Mobile and the fold change what "near the form" means

A check like "link the privacy policy near the form" assumes a layout, and mobile breaks that assumption. On a phone, the form, the consent checkbox, the privacy link, and the claim may each land in different scroll positions, and a disclosure that sits comfortably beside the form on desktop can end up two screens away on mobile. Since most paid traffic is mobile, the mobile layout is the one that actually governs your compliance.

Review the page at mobile width, not just desktop. Confirm that the consent mechanism, the purpose statement, and the privacy link are all reachable at the point where the user is asked to submit — on the device they're actually using. A technically-present disclosure that no mobile user will ever see is functionally an omission.

Scan the page copy before launch

Running this checklist by hand on every client variant is slow and error-prone. The free GDPR Ad Copy Checker scans landing-page copy for these GDPR, transparency, and advertising-claim signals in seconds and suggests safer rewrites — no login required. For the complete framework behind every check here, see the GDPR advertising compliance guide.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

Why does the landing page carry most of a campaign's GDPR risk?

Because the landing page is usually where personal data is actually collected — the form, the tracking, the consent. The ad sets the expectation, but the page is where the data grab happens, so the bulk of the transparency and consent obligations land there.

Does the privacy policy have to be linked near the form?

Best practice is yes. Burying the privacy notice in the footer while collecting data at the top of the page weakens the 'informed' part of consent. A link near the form, at the point of collection, is far more defensible under Articles 13 and 14.

Is asking for extra form fields a GDPR problem?

It can be. Data minimisation is a GDPR principle — you should only collect what you need for the stated purpose. Asking for phone, company size, and budget just to deliver a PDF signals over-collection, which is both a compliance and a conversion problem.

Can I fire tracking pixels as soon as the landing page loads?

Not for non-essential tracking. Analytics, marketing, and retargeting pixels need prior consent. If your page says it personalises the experience, that implies profiling, and the consent has to precede the pixel, not follow it.

What landing-page claims get campaigns flagged?

Guaranteed outcomes, unverifiable superlatives ('#1 in Europe'), unsupported stats ('join 50,000 customers'), and health claims are the usual triggers under the UCPD, with the tightest scrutiny in regulated sectors like finance, health, and supplements.

© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.