
Meta (Facebook & Instagram) GDPR Ad Compliance Guide

Meta is the EU's highest-risk ad platform for GDPR — both because of its data practices and because of what ad copy is allowed to imply. This guide covers the compliance obligations that apply specifically to the words in your Meta ads.

Updated 25 June 2026

Running Facebook or Instagram ads in the EU means operating under two overlapping compliance systems: GDPR, which governs personal data and consent, and Meta's own Special Ad Categories policy, which adds restrictions on top. Both affect what you can say in ad copy, not just what you can do with data. DPAs across the EU — particularly in Germany, France, and the Netherlands — have issued specific guidance on Meta advertising and consent for Custom Audiences. This guide focuses on what those obligations mean for your copy.

Lawful basis for Meta ad targeting (Art. 6)

Meta's personalised advertising in the EU now requires consent under Art. 6(1)(a) following the EDPB's decisions on Meta's 'contract' basis. If your campaign relies on interest-based targeting, the lawful basis chain runs: user consent at Meta level → your right to use that audience. Your ad copy must not make claims that contradict or overstate what that consent covers. For example, implying you already know detailed information about the user ('We know you've been searching for…') goes beyond what Meta's consent framework actually permits.

Custom Audiences and third-party data (Art. 13/14)

Uploading a customer list or website retargeting pixel data to Meta constitutes a data transfer to a third-party recipient (Meta). Under Art. 13/14, individuals whose data is used must be informed of this. Your ad copy does not replace the privacy notice obligation, but it must not contradict it. An ad that implies exclusive or private personalisation — when in fact the user's data was shared with Meta — can compound a transparency violation. Ensure landing-page privacy notices match what retargeting ads imply.

Special category data restrictions (Art. 9)

Meta's Special Ad Category rules prohibit targeting by health, religion, political views, sexual orientation, and race directly. But Art. 9 goes further: it is triggered when your ad copy implies a health condition, sexual orientation, or political view about the audience, even without explicit targeting. A supplement ad saying 'for people managing inflammation' to a broad audience infers a health condition. A product targeted at parents of children with learning difficulties does the same. The explicit consent required by Art. 9(2)(a) must be in place before such copy is shown — and obtaining it via a Meta ad click is almost certainly insufficient.

Consent language in lead-generation ads (Art. 7)

Meta's lead generation formats collect data inside the platform. GDPR Art. 7 requires that consent to data processing be freely given, specific, informed, and unambiguous. Pre-ticking the consent field, bundling consent with form submission, or writing consent copy that obscures the purpose all violate this. Check: Is the consent granular? Is it for a specific purpose? Can the user submit the form without consenting to everything?

Transparency in retargeting copy (Art. 13/14)

Users who see retargeting ads have a right to know that their data is being used for that purpose (Art. 13). Copy that makes retargeting invisible — 'You might like this', with no acknowledgment of why you're seeing the ad — does not itself violate Art. 13 (the notice obligation sits elsewhere), but copy that actively misleads about how the user was identified compounds the violation. Keep retargeting copy factual about what data is being used.

Common violations to avoid

  • Health condition inference — promoting health or supplement products with claims that imply knowledge of the user's condition without Art. 9 explicit consent
  • Bundled consent in lead ads — consent checkbox that is required for form submission, not optional
  • Implied personal profiling — copy suggesting deep personal knowledge ('We saw you were looking for…') beyond what the lawful basis covers
  • Missing recipient disclosure — retargeting ads that imply personalisation without any link to a transparency notice naming Meta as recipient
  • Guaranteed results claims — 'Lose 10kg in 30 days' type claims that violate UCPD alongside GDPR
  • Pre-ticked opt-ins — lead gen forms where the consent box is ticked by default

Frequently asked questions

Does Meta handle GDPR compliance for my ads?

No. Meta handles data processing compliance for its own platform under the processor/controller framework. You remain the data controller for the data you collect and for the claims your ad copy makes. Your ad copy can breach GDPR independently of Meta's own compliance status.

What is the biggest GDPR risk in Facebook ad copy?

Special category data inference is the most commonly missed risk. When a supplement, health, or lifestyle product ad is shown to broad EU audiences and the copy implies knowledge of a health condition, Article 9 is triggered. The explicit consent required by Art. 9(2)(a) is almost never obtained through the ad funnel itself.

Do retargeting ads need a specific GDPR disclosure?

The disclosure obligation sits in your privacy notice (Art. 13/14), not in the ad itself. However, ad copy that actively misrepresents how the user was identified compounds the transparency violation. Keep retargeting copy factual.

How do I check if my Meta ad copy is GDPR-compliant?

Paste your ad copy into Legalify's free GDPR Ad Copy Checker. It scans for article-level GDPR risk including special category inference, consent language issues, and transparency gaps, and returns findings with compliant rewrites.

© 2026 Legalify · Y-tunnus: 3610308-7 · Not a substitute for legal advice.