YouTube is the largest video advertising platform in the EU — and one of the most technically complex from a GDPR compliance perspective. The combination of Google's identity-based targeting, conversion tracking infrastructure, Customer Match, and the consent framework changes that came into effect in 2024 create compliance obligations that most campaign teams are still working through.
This guide covers what GDPR requires for YouTube advertising campaigns targeting EU users, how Google Consent Mode v2 fits in, and the ad copy considerations that get overlooked.
The GDPR framework for YouTube advertising
YouTube advertising involves multiple intersecting data processing activities:
- Targeting — using Google's audience signals (demographics, interests, in-market segments, affinity audiences) based on users' Google account data and browsing history
- Conversion tracking — using the Google Ads tag to record what happens after an ad is clicked
- Remarketing — serving ads to users based on prior site visits or app interactions recorded by the Google Ads tag
- Customer Match — uploading hashed email lists to match against Google account users for targeting
Each of these involves personal data and requires a lawful basis under GDPR. The lawful basis that applies to advertising personalisation is consent — Google's consent policy and GDPR both point to opt-in consent for advertising cookies and data use.
Google Consent Mode v2: what it does and doesn't do
Since March 2024, Google requires all advertisers using Google's advertising products for EU/EEA users to implement Consent Mode v2 as part of the EU User Consent Policy. Consent Mode allows you to signal to Google's infrastructure whether the user has consented to advertising cookies and analytics cookies.
What Consent Mode does:
- Adjusts tag behaviour based on consent signals — full data collection with consent, modelled conversion data without consent
- Satisfies Google's policy requirement for continued access to personalised advertising features
- Enables conversion modelling to partially compensate for consent gaps
What Consent Mode doesn't do:
- Fix a fundamentally non-compliant cookie banner — the consent must be collected validly for the signal to be meaningful
- Eliminate your GDPR obligations — you are still the data controller, and the lawful basis for processing must exist
- Substitute for a data processing agreement with Google — which you need as a processor relationship
If your cookie banner doesn't meet the standard for valid consent under GDPR, Consent Mode signals based on that banner are also non-compliant. The technology doesn't fix the legal problem.
Customer Match and your own data
Google Customer Match allows you to upload hashed email lists to target your own customers or prospects on YouTube. From a GDPR perspective, you are the data controller for those email lists, and the following requirements apply:
- Each email on the list must have been collected with a lawful basis for the marketing use you're putting it to
- If the lawful basis is consent, the original consent must have covered the processing of the email for advertising matching purposes
- You need a data processing agreement with Google covering the Customer Match upload
- You must honor data subject rights — if a user requests erasure, they should be removed from your Customer Match lists
The most common gap: email lists built from old data with vague or bundled consent, uploaded to Customer Match without reviewing whether the original consent covers advertising matching. This is a legitimate enforcement risk.
Ad copy requirements for YouTube campaigns
The visual and audio content of YouTube ads is subject to the same EU advertising rules as static copy. For EU-targeted campaigns:
Advertising claims:
- Any claim that implies clinical evidence ("Scientifically proven") requires substantiation under UCPD rules
- Guaranteed outcome language ("You will lose weight," "Guaranteed to improve your credit score") is prohibited in most EU advertising contexts
- Comparative advertising claims must be based on verifiable criteria
Data collection disclosure:
- If the YouTube ad drives to a landing page that collects personal data, the ad is part of the informed consent chain
- Ads that create expectations about what data will or won't be collected must be consistent with what the landing page actually does
Health and financial product copy:
- Supplement, medical device, and health service ads face national advertising regulations on top of GDPR — many EU countries have specific rules about health claims in advertising
- Financial product ads must meet MiFID II and national financial promotion requirements in addition to GDPR
The measurement gap and how to manage it
The practical challenge for YouTube advertising in the EU is measurement: when a significant portion of EU users decline advertising consent, conversion data becomes incomplete. Google's modelled conversions help, but there is always a measurement gap.
Strategies for managing compliant measurement:
- Use server-side tagging where possible to reduce reliance on browser cookies
- Implement GA4's consent mode features to get the most out of modelled data
- Set up first-party data collection through your own CRM to track customer journeys that don't depend on Google's cookies
- Use offline conversion imports for B2B lead gen where the final conversion happens offline
The goal is not to circumvent consent but to build a measurement architecture that gives you useful data from the consented portion of your audience, plus modelled estimates for the rest.
Scan your YouTube ad script before launch
The free GDPR Ad Copy Checker scans ad copy, lead forms, and landing pages for these exact GDPR and advertising-claim signals in seconds — flagging bundled consent, special-category inference, undisclosed third parties, and missing opt-outs, with safer rewrites for each. No login required.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.