
Complete guide

GDPR Advertising Compliance: The Complete Guide for EU Marketers

Lawful basis, consent, special category data, and transparency — everything that decides whether your EU advertising is compliant, explained article by article with the violations that actually pull campaigns and a practical audit process.

Most marketing teams treat GDPR as a backend concern — privacy policies, cookie banners, data processing agreements managed by someone else. But the General Data Protection Regulation governs the moment you collect personal data, and in advertising that moment is the ad copy, the lead form, and the landing page themselves. The words you write set the expectations the law then holds you to.

This guide walks through GDPR advertising compliance the way it actually applies to campaigns: the five articles that do most of the work, the violations that recur across audits, the platform-specific risks on Meta, Google, email, and cookies, and a repeatable process for auditing copy before it ships. It is written for EU marketers, performance teams, and agencies who need their campaigns to be both effective and defensible.

The two rulebooks every EU ad answers to

Before the articles, one framing point. Every EU advertisement is governed by two parallel systems. The first is GDPR, which controls personal data — how you collect it, the basis you rely on, and what you disclose. The second is the Unfair Commercial Practices Directive (UCPD), which controls whether your claims mislead consumers. A campaign can be flawless on data and still get pulled for a guaranteed-outcome claim, or perfectly honest in its claims and still breach transparency. A complete compliance review checks both. This guide focuses on the GDPR side, with pointers to the claim side where they intersect — and they intersect often.

Article 6: you need a lawful basis

GDPR doesn't let you process personal data just because it's useful. Article 6 requires a lawful basis, and you must identify it before you collect. There are six bases; two matter most in advertising:

  • Consent — the person actively agreed to the specific processing. The standard basis for marketing email, cookies, and ad personalization.
  • Legitimate interest — you have a genuine business interest that isn't overridden by the person's rights. Common for some lead generation and first-party analytics, but it requires a documented balancing test and an easy way to object.

The mistake teams make is claiming both at once — "we rely on consent and/or legitimate interest" — which signals you haven't actually decided. Each processing activity needs one clear basis. For marketing that personalizes ads or sends email, consent is usually the honest answer; for a B2B quote request, legitimate interest may be cleaner, provided your copy is upfront about the commercial intent. Picking the basis is the first step of any audit, because everything downstream — what consent you need, what you must disclose — flows from it.


Article 7: the conditions for valid consent

When consent is your basis, Article 7 sets the bar, and it's higher than most checkbox copy clears. Valid consent must be:

  • Freely given — not bundled with an unrelated action, and not a condition of access (Article 7(4)).
  • Specific — consent for email marketing is not consent for ad targeting or data sharing.
  • Informed — the person knows who, what, and why before they agree.
  • Unambiguous — a clear affirmative action, never a pre-ticked box or silence.

The single most common violation in this area is bundled consent. Copy like "by clicking you agree we may use your data for personalized ads" fuses a purchase or click action with marketing consent, which means the user can't complete the core action without also accepting marketing. That isn't freely given, and it's invalid. The fix is separation: a distinct, unticked opt-in for marketing that the user can decline without losing access. Withdrawing consent must also be as easy as giving it (Article 7(3)) — a one-click unsubscribe or a preference centre, not an email request.

These conditions show up everywhere consent does. Our guides on GDPR-compliant newsletter signups and writing a compliant cookie consent banner apply Article 7 to the two surfaces where it bites hardest.

Article 9: special category data and the inference trap

Some data is so sensitive that GDPR gives it extra protection. Article 9 special category data includes health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, sex life, and sexual orientation. Processing it generally requires explicit consent and heightened safeguards — a much higher bar than ordinary marketing consent.

In advertising, the danger is rarely a form field labelled "health." It's inference. Promote a joint-pain or inflammation supplement and collect buyer data, and you can infer the health status of everyone who converts. Advertise a fertility product, a debt-relief service, or a mental-health app, and the same logic applies — the purchase reveals something special. The copy doesn't have to mention health for Article 9 to engage; the inference is enough. This is the gap most broad compliance tools miss and the one that most often makes a campaign high-risk. If your product touches a health, financial, or otherwise sensitive condition, assume Article 9 is in play and treat the campaign as requiring explicit consent and documented safeguards until a lawyer or DPO signs off.


Articles 13 and 14: the transparency obligations

Articles 13 and 14 are the heart of advertising compliance because they govern what you must tell people when you collect their data. At or near the point of collection, you owe the person a clear account of:

  • Who is collecting the data — the actual legal entity (the data controller), not just a brand name.
  • What you collect and the purpose of processing it.
  • The lawful basis you rely on.
  • Who receives the data — including categories of recipients such as advertising networks.
  • How long you retain it.

Three transparency failures dominate audits. The first is missing collection scope: copy that uses personal data without stating what is collected, why, or for how long. The second is undisclosed third-party recipients: "personalized ads" implies recipients such as Meta and Google, and Articles 13(1)(e) and 14(1)(e) require you to disclose them, yet most ad copy names none. The third is the expectation gap: "enter your email to see pricing" that quietly triggers a marketing sequence the user was never told about. Each is a transparency violation regardless of how clean your backend is, because the duty is to inform at the point of collection. The landing page GDPR checklist turns these obligations into concrete pre-launch checks.

The most common GDPR advertising violations

Across the five articles, a handful of violations recur often enough to be worth memorising. If you catch these, you catch most of the exposure:

  • Bundled consent — marketing consent stapled to a purchase, click, or download (Art. 7(4)).
  • Special category inference — health, financial, or other sensitive status inferable from a product purchase without explicit consent (Art. 9).
  • Undisclosed recipients — ad personalization or data sharing with no named or categorised recipients (Art. 13/14).
  • Missing collection scope — no statement of what data, why, or for how long (Art. 13/14).
  • No withdrawal path — consent collected with no easy way to opt out or withdraw (Art. 7(3)).
  • Pre-ticked boxes and implied consent — "by continuing you agree," default-on toggles, silence treated as agreement (Art. 7).
  • Vague lawful basis — claiming consent and legitimate interest at once, or naming neither (Art. 6).

Platform-specific risks

The articles are constant, but how they bite varies by channel. Each major advertising surface has its own characteristic failure mode.

Meta and Facebook

Lead Ads collect personal data directly, so the form copy carries heavy Article 13/14 weight, and custom audiences and lookalikes process data in ways the ad never reveals. The recurring trap is acquisition copy that promises one thing ("a quote") while the data feeds retargeting and audience-building the user wasn't told about. See GDPR rules for Facebook & Meta ad copy.

Google Ads

Search ads inherit the GDPR obligations of their landing page, and responsive search ads assemble headline and description combinations no human explicitly approved — multiplying both claim and consent risk. The claim side dominates here; see Google Ads compliance in the EU.

Email marketing

Email risk starts at collection (was consent valid and unbundled?) and runs through the send (is there a clear opt-out, and does the subject line mislead?). The email subject line guide and the newsletter signup guide cover the two ends of this.

Cookies and tracking

Cookie consent is where Article 7 meets ePrivacy. The dominant failures are unequal Accept/Reject buttons, pixels firing before consent, and banner copy that under-describes the real data flow. The cookie consent banner guide addresses each.

TikTok

TikTok campaigns combine pixel consent requirements, health-product Article 9 inference risk, and lead gen form disclosures. See the TikTok ad GDPR compliance guide for the platform-specific detail.

LinkedIn

B2B advertisers often assume professional data is treated differently — it is not. The LinkedIn Insight Tag, Matched Audiences, and lead gen forms all require the same GDPR consent and transparency as any consumer channel. See the LinkedIn ad GDPR compliance guide.

Landing pages

The landing page usually carries the most risk because it's where data is actually collected. Over-collection, buried privacy notices, bundled consent, and unsubstantiated claims all converge here — the 12-point landing page checklist is the gate to run before launch.


How to audit your advertising for GDPR compliance

A reliable audit works through the articles in order, then layers the claim check. Run this on every meaningful piece of copy before it ships:

  1. Identify the lawful basis (Art. 6). What basis does this processing rely on? Is it stated, and is it the right one? Reject "both" and "neither."
  2. Validate consent if relied on (Art. 7). Is it unbundled, specific, unambiguous, and withdrawable? Look hard for consent stapled to a conversion.
  3. Flag special category inferences (Art. 9). Does the product or targeting let health, financial, or other sensitive status be inferred? If so, escalate to explicit consent and safeguards.
  4. Check transparency (Art. 13/14). Does the copy name the controller, state what's collected and why, disclose recipients, and set accurate expectations?
  5. Layer the advertising-claim check (UCPD). Are claims substantiated, superlatives qualified, and guarantees avoided? See the UCPD guide.
  6. Document the review. Record the copy, the basis, and the result — GDPR's accountability principle expects you to show your working.

Doing this by hand on every variant, under deadline, is where mistakes slip through — and the riskiest copy is usually the highest-performing, which optimisation pushes you toward. That's the case for moving the check upstream into the workflow and making it fast enough that no one skips it.

Where Legalify fits

Legalify automates the first pass of this audit. The free GDPR Ad Copy Checker scans ad copy, lead forms, landing pages, and emails against exactly these signals — bundled consent, Article 9 inference, undisclosed recipients, missing collection scope, missing opt-outs, and advertising-claim risk — and returns a risk level, a transparency score, the flagged sentences, and a before/after rewrite for each issue. It runs the full AI engine with no login, so you can check a campaign in seconds and keep human review for the judgement calls. For teams, a free account adds saved reports, history, and PDF export for approvals.

FAQ

GDPR advertising compliance — questions

What is GDPR advertising compliance?

GDPR advertising compliance means ensuring your marketing — ad copy, lead forms, landing pages, emails, and tracking — meets the General Data Protection Regulation's requirements for lawful basis, consent, transparency, and the handling of special category data. It governs both how you collect personal data through advertising and what you tell people about that collection.

Which GDPR articles matter most for advertising?

Five articles do most of the work: Article 6 (a lawful basis for processing), Article 7 (the conditions for valid consent), Article 9 (special category data such as health), and Articles 13 and 14 (the information you must give people when you collect their data). Advertising compliance is largely about applying these five correctly at the point where ads collect data.

Do I need consent for all advertising under GDPR?

No. Consent is one of six lawful bases under Article 6. Much marketing relies on legitimate interest instead, particularly for lead generation and some analytics. But cookies and similar tracking generally require consent under ePrivacy rules, and special category data requires explicit consent under Article 9. The right basis depends on the processing.

What is special category data in advertising?

Special category data (Article 9) includes health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and biometric data. In advertising it often arises by inference — for example, promoting a joint-pain supplement and collecting buyer data lets health status be inferred. Special category data needs explicit consent and heightened safeguards, a much higher bar than ordinary marketing.

What counts as a transparency violation under Articles 13 and 14?

A transparency violation occurs when you collect personal data without clearly telling people who is collecting it, what it will be used for, the lawful basis, who receives it, and how long it is kept — at or near the point of collection. Vague signup copy, undisclosed ad-network recipients, and missing retention information are common examples.

Is bundled consent allowed under GDPR?

No. Article 7(4) requires consent to be freely given, which means it cannot be bundled with an unrelated action. Tying marketing consent to a purchase or a download — 'by clicking you agree we may use your data for ads' — is invalid because the user can't agree to the core action without also accepting marketing.

How is GDPR different from the EU advertising-claim rules?

GDPR governs personal data — consent, collection, transparency. The Unfair Commercial Practices Directive (UCPD) governs whether your claims mislead consumers. Both can pull a campaign, and a single ad can breach one, the other, or both. A complete review checks the data story and the claims together.

How do I audit my ad copy for GDPR compliance?

Work through the five articles in order: confirm a lawful basis (Art. 6), check that any consent is valid and unbundled (Art. 7), flag special category inferences (Art. 9), and verify transparency about data use and recipients (Art. 13/14). Then layer the advertising-claim check. A free tool like Legalify's GDPR Ad Copy Checker automates the first pass and flags issues with rewrites.

Does GDPR apply if my business is outside the EU?

Yes, if you target or collect data from people in the EU or EEA. GDPR applies based on whose data you process, not where your company is established. Running ads into the EU brings your copy and data handling within scope.

© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.