Legalify shield logoLegalify
Free CheckerGDPR GuideBlogFeaturesHow it worksPricing
Log inSign up
← All articles

18 June 2026 · 6 min read

Retargeting Ads and GDPR Compliance in the EU

Retargeting is one of the highest-performing tactics in EU paid media — and one of the most legally complex under GDPR. The consent framework that governs advertising pixels, the special category implications of health-based audiences, and the transparency obligations on copy all intersect in ways that most campaign teams handle inconsistently.

This guide explains what GDPR actually requires for retargeting campaigns targeting EU users, where the most common enforcement gaps are, and how to assess whether your current retargeting setup is compliant.

Why retargeting is a GDPR compliance flashpoint

Retargeting works by placing a cookie or pixel on a user's browser when they visit your site, then serving them ads based on that prior behaviour. Every step of that sequence touches GDPR:

  • The pixel load requires a lawful basis (typically consent under the ePrivacy Directive)
  • The audience creation is a processing activity that must be covered by your GDPR records
  • The ad serving is a subsequent processing step that depends on the lawfulness of the first two
  • The copy sets user expectations and may make tracking visible

The fundamental principle is that retargeting is only as compliant as the consent mechanism behind the pixel. If your cookie banner doesn't meet GDPR standards — and many don't — every retargeting campaign built from that data carries inherited risk.

1. The pixel consent requirement

Under the ePrivacy Directive (which runs alongside GDPR across the EU), storing or accessing information on a user's device requires either informed consent or strict necessity. Advertising pixels — Google Ads tags, Meta Pixel, LinkedIn Insight Tag, TikTok Pixel — are not strictly necessary for service delivery. They require prior, freely given, specific consent.

What valid pixel consent looks like:

  • The user sees a clear cookie banner before any non-essential cookies load
  • The banner offers a genuine "Reject all" option on the same layer as "Accept all"
  • Consent is recorded with a timestamp and can be demonstrated on audit
  • The pixel fires only after acceptance — not before

What invalid pixel consent looks like:

  • The banner has "Accept" clearly visible but "Manage preferences" buried several clicks deep
  • Consent is assumed from scrolling or continued browsing
  • The pixel loads on page load before the banner interaction
  • A pre-ticked "advertising" checkbox

DPAs in Germany, France, Belgium, Italy, and Spain have all issued fines and enforcement notices specifically for inadequate cookie consent that was used to build retargeting audiences.

2. Legitimate interest for retargeting: the real limits

Some data protection authorities have accepted legitimate interest as a basis for limited retargeting — specifically short-window remarketing to users who showed clear commercial intent (abandoned carts within 24–48 hours). But this acceptance is narrow and contested.

For legitimate interest to apply to retargeting:

  • You must conduct and document a balancing test showing your interest outweighs the user's privacy rights
  • The retargeting must be genuinely expected by users in context (e.g., an abandoned-cart reminder from a retailer)
  • The window must be short enough that the tracking is not disproportionate
  • You must give users an easy way to opt out

For anything beyond short-window cart abandonment — cross-site retargeting, behavioural profiling, long-window audience suppression — legitimate interest is legally fragile. Consent is the safer basis in most EU jurisdictions.

3. Google Consent Mode v2 and Meta's CAPI

Both Google and Meta now offer technical frameworks designed to help advertisers comply with EU consent requirements while preserving some measurement capability.

Google Consent Mode v2 allows advertisers to signal consent status to Google's tag infrastructure. When consent is denied, Google's models use aggregate-level modelling to estimate conversions without individual-level tracking. This does not eliminate the need for valid consent — it reduces the data you collect when consent is not given.

Meta's Conversions API (CAPI) allows server-side event sharing that bypasses browser-based pixel restrictions. CAPI does not change the consent requirement — it changes the technical mechanism. If the underlying data (emails, phone numbers matched to Meta users) was collected with consent, CAPI is a valid way to share it. If it wasn't, CAPI does not fix the lawful basis gap.

4. Article 9 risk in health and wellness retargeting

One of the most under-examined GDPR risks in retargeting involves health, wellness, supplement, and medical device advertisers. When you pixel a health product page and build a retargeting audience from visits to that page, you create a dataset that allows inference about users' health interests or conditions.

GDPR Article 9 covers "data concerning health" — which regulators have interpreted broadly to include data from which health conditions can be inferred. Building retargeting audiences from oncology clinic pages, supplement product pages, or mental wellness app landing pages can trigger Article 9 obligations even if you never directly collect health data.

Practical implications:

  • Retargeting audiences built from health product pages may require explicit consent (not just opt-in cookies) in some jurisdictions
  • Using those audiences for lookalike expansion compounds the risk (inferring health attributes at scale)
  • Ad copy in these campaigns should not lean into health outcomes or clinical claims

5. What your retargeting copy should and shouldn't say

The ad copy in a retargeting campaign doesn't usually contain the primary GDPR violation — that's in the pixel consent. But copy can create secondary exposure:

Avoid making tracking explicit in a way that suggests it happened without consent:

  • "We saw you visited our pricing page" — makes tracking visible, focuses scrutiny
  • "You left something behind" — fine for cart abandonment with valid consent; problematic without

Avoid implying you have more data than you do:

  • "Based on your interests" — acceptable if targeting is consent-based
  • "Based on your health profile" — almost certainly impermissible without explicit consent

Standard copy that is generally safe:

  • "Still thinking about [product]?" — neutral, doesn't imply surveillance
  • "Come back for 10% off" — commercial offer without data reference
  • "See why [X] teams choose us" — social proof without tracking reference

The principle: copy that works commercially without making the tracking mechanism visible carries lower risk. Copy that explicitly references the tracking behaviour raises the stakes for the underlying consent question.

Scan your retargeting copy before launch

The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.

This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.

Frequently asked questions

Is retargeting legal under GDPR?

Yes, retargeting is lawful under GDPR when built on a valid consent or legitimate interest basis. The key issue is the pixel that generates the retargeting audience — it must be loaded only after the user has given valid cookie consent. Retargeting built on non-consented pixel data carries significant enforcement risk.

What lawful basis covers retargeting under GDPR?

Most EU regulators expect explicit consent for advertising cookies and pixels. Legitimate interest has been accepted by some DPAs for limited retargeting scenarios, but the default position of regulators in Germany, France, and the Netherlands is that advertising cookies require opt-in consent, not just legitimate interest.

Does my retargeting ad copy need to change for GDPR?

The copy itself rarely contains the GDPR violation — the violation is usually in the pixel consent behind the audience. However, copy that makes tracking visible ('We saw you visited our site') signals to regulators that tracking is happening, and can focus scrutiny on whether that tracking was consented.

Can I use Google Ads remarketing for EU audiences under GDPR?

Yes, but only if the remarketing tag was loaded with valid consent. Google's EU User Consent Policy requires you to obtain consent before loading the Google Ads tag for advertising personalisation. Using Google's Consent Mode v2 is the recommended technical implementation.

What's the Article 9 risk in retargeting health products?

When you retarget users who visited a health product page, the targeting signal reveals that those users have a health-related interest. Building audiences from health page visits and using them for advertising can trigger Article 9 special category data obligations, since it involves inferring health status from behavioural data.

Free resource

Get the GDPR Ad Copy Checklist

12 checks every EU marketer should run before publishing. Free, instant, no spam.

No spam. Unsubscribe any time.

Check your ad copy for free

Paste your EU ad copy into the free GDPR Ad Copy Checker and get instant risk analysis — no login required.

Open the free GDPR checker
LLegalify

AI-powered GDPR and ad risk scanning for EU marketing agencies. Catch compliance issues before campaigns go live.

Designed for GDPR risk reviewSubprocessors listed in privacy policyDPA available on request

Product

  • Free GDPR Checker
  • Meta Ad Rejected?
  • GDPR Ad Compliance Guide
  • Legalify vs AuditSocials
  • How it works
  • Features
  • Pricing

Company

  • Blog
  • GDPR Guides
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • DPA
  • Security
© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.
PrivacyTermsCookiesSecurity