Retargeting is one of the highest-performing tactics in EU paid media — and one of the most legally complex under GDPR. The consent framework that governs advertising pixels, the special category implications of health-based audiences, and the transparency obligations on copy all intersect in ways that most campaign teams handle inconsistently.
This guide explains what GDPR actually requires for retargeting campaigns targeting EU users, where the most common enforcement gaps are, and how to assess whether your current retargeting setup is compliant.
Why retargeting is a GDPR compliance flashpoint
Retargeting works by placing a cookie or pixel on a user's browser when they visit your site, then serving them ads based on that prior behaviour. Every step of that sequence touches GDPR:
- The pixel load requires a lawful basis (typically consent under the ePrivacy Directive)
- The audience creation is a processing activity that must be covered by your GDPR records
- The ad serving is a subsequent processing step that depends on the lawfulness of the first two
- The copy sets user expectations and may make tracking visible
The fundamental principle is that retargeting is only as compliant as the consent mechanism behind the pixel. If your cookie banner doesn't meet GDPR standards — and many don't — every retargeting campaign built from that data carries inherited risk.
1. The pixel consent requirement
Under the ePrivacy Directive (which runs alongside GDPR across the EU), storing or accessing information on a user's device requires either informed consent or strict necessity. Advertising pixels — Google Ads tags, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel — are not strictly necessary for service delivery. They require prior, freely given, specific consent.
What valid pixel consent looks like:
- The user sees a clear cookie banner before any non-essential cookies load
- The banner offers a genuine "Reject all" option on the same layer as "Accept all"
- Consent is recorded with a timestamp and can be demonstrated on audit
- The pixel fires only after acceptance — not before
What invalid pixel consent looks like:
- The banner has "Accept" clearly visible but "Manage preferences" buried several clicks deep
- Consent is assumed from scrolling or continued browsing
- The pixel loads on page load before the banner interaction
- A pre-ticked "advertising" checkbox
DPAs in Germany, France, Belgium, Italy, and Spain have all issued fines and enforcement notices specifically for inadequate cookie consent that was used to build retargeting audiences.
2. Legitimate interest for retargeting: the real limits
Some data protection authorities have accepted legitimate interest as a basis for limited retargeting — specifically short-window remarketing to users who showed clear commercial intent (abandoned carts within 24–48 hours). But this acceptance is narrow and contested.
For legitimate interest to apply to retargeting:
- You must conduct and document a balancing test showing your interest outweighs the user's privacy rights
- The retargeting must be genuinely expected by users in context (e.g., an abandoned-cart reminder from a retailer)
- The window must be short enough that the tracking is not disproportionate
- You must give users an easy way to opt out
For anything beyond short-window cart abandonment — cross-site retargeting, behavioural profiling, long-window audience suppression — legitimate interest is legally fragile. Consent is the safer basis in most EU jurisdictions.
3. Google Consent Mode v2 and Meta's CAPI
Both Google and Meta now offer technical frameworks designed to help advertisers comply with EU consent requirements while preserving some measurement capability.
Google Consent Mode v2 allows advertisers to signal consent status to Google's tag infrastructure. When consent is denied, Google's models use aggregate-level modelling to estimate conversions without individual-level tracking. This does not eliminate the need for valid consent — it reduces the data you collect when consent is not given.
Meta's Conversions API (CAPI) allows server-side event sharing that bypasses browser-based pixel restrictions. CAPI does not change the consent requirement — it changes the technical mechanism. If the underlying data (emails, phone numbers matched to Meta users) was collected with consent, CAPI is a valid way to share it. If it wasn't, CAPI does not fix the lawful basis gap.
4. Article 9 risk in health and wellness retargeting
One of the most under-examined GDPR risks in retargeting involves health, wellness, supplement, and medical device advertisers. When you pixel a health product page and build a retargeting audience from visits to that page, you create a dataset that allows inference about users' health interests or conditions.
GDPR Article 9 covers "data concerning health" — which regulators have interpreted broadly to include data from which health conditions can be inferred. Building retargeting audiences from oncology clinic pages, supplement product pages, or mental wellness app landing pages can trigger Article 9 obligations even if you never directly collect health data.
Practical implications:
- Retargeting audiences built from health product pages may require explicit consent (not just opt-in cookies) in some jurisdictions
- Using those audiences for lookalike expansion compounds the risk (inferring health attributes at scale)
- Ad copy in these campaigns should not lean into health outcomes or clinical claims
5. What your retargeting copy should and shouldn't say
The ad copy in a retargeting campaign doesn't usually contain the primary GDPR violation — that's in the pixel consent. But copy can create secondary exposure:
Avoid making tracking explicit in a way that suggests it happened without consent:
- "We saw you visited our pricing page" — makes tracking visible, focuses scrutiny
- "You left something behind" — fine for cart abandonment with valid consent; problematic without
Avoid implying you have more data than you do:
- "Based on your interests" — acceptable if targeting is consent-based
- "Based on your health profile" — almost certainly impermissible without explicit consent
Standard copy that is generally safe:
- "Still thinking about [product]?" — neutral, doesn't imply surveillance
- "Come back for 10% off" — commercial offer without data reference
- "See why [X] teams choose us" — social proof without tracking reference
The principle: copy that works commercially without making the tracking mechanism visible carries lower risk. Copy that explicitly references the tracking behaviour raises the stakes for the underlying consent question.
Scan your retargeting copy before launch
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.