Platform guide
TikTok Ad GDPR Compliance: What EU Marketers Need to Know
GDPR applies to every EU campaign you run on TikTok — from pixel consent to lead gen data and special category risks in health and wellness ads. Here is what you need to know before your next TikTok campaign goes live.
TikTok has become a major channel for EU performance marketers — but GDPR compliance on TikTok is not automatic. The platform's pixel, lead generation forms, custom audiences, and targeting signals all touch personal data, and the rules that govern that data come from GDPR and the ePrivacy Directive, not TikTok's own ad policies.
This guide focuses on the three areas where EU advertisers most frequently run into compliance problems on TikTok: pixel consent, special category data in ad copy, and lead gen data disclosures. The complete GDPR advertising compliance guide covers the broader legal framework.
The TikTok Pixel and EU consent requirements
The TikTok Pixel tracks conversions, retargeting signals, and custom audience data. In the EU, firing the pixel — or any non-essential cookie or tracking script — requires prior, valid consent under both GDPR Article 6(1)(a) and the ePrivacy Directive.
Valid consent for the pixel means a user must actively opt in before the script loads. Practices that do not constitute valid consent include:
- A cookie banner with only an "Accept all" button and no equally accessible rejection option
- Consent bundled into site terms of use or purchase flow (Art. 7(4) — bundled consent)
- Pre-ticked toggles or consent assumed from continued browsing
- Consent collected for one purpose (e.g. newsletter) re-used for ad targeting
Consent must also be withdrawable. There must be a persistent, easy route back to your cookie preferences — and withdrawing consent must be as easy as giving it.
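The rules above translate into a concrete gate in front of the pixel script: it must not be injected until a purpose-specific advertising opt-in has been recorded, consent for some other purpose must not unlock it, and a single withdrawal call must close the gate again. The following is an added example, not TikTok's base code and not Legalify's scanner; the script URL and pixel id are constructed placeholders, and the banner-configuration field names (`rejectAllButton`, `preTicked`, `consentOnScroll`, `bundledWithTerms`, `withdrawalLink`) are assumed names for this illustration.

```javascript
// Added example (not TikTok's or Legalify's code): a consent-gated loader for a
// third-party advertising script such as the TikTok Pixel. The script URL and
// pixel id are constructed placeholders, not real values.

const PIXEL_SCRIPT_URL = "https://example.invalid/pixel/events.js"; // placeholder
const PIXEL_ID = "PIXEL-ID-PLACEHOLDER";                             // placeholder

// Purposes the banner offers. Every non-essential purpose starts as false:
// nothing is pre-ticked, and nothing is inferred from continued browsing.
const PURPOSES = ["analytics", "advertising"];

function defaultConsent() {
  const state = { version: 1, grantedAt: null };
  for (const p of PURPOSES) state[p] = false;
  return state;
}

// Record an explicit, purpose-specific opt-in chosen by the user. Purposes the
// banner never asked about are ignored, so consent cannot be granted by accident.
function grantConsent(state, purposes) {
  const next = { ...state, grantedAt: Date.now() };
  for (const p of purposes) {
    if (PURPOSES.includes(p)) next[p] = true;
  }
  return next;
}

// Withdrawal is one call that clears every purpose: as easy as granting it.
function withdrawConsent() {
  return defaultConsent();
}

// The gate. The pixel is advertising processing, so only the "advertising"
// purpose unlocks it; analytics-only consent does not.
function shouldLoadPixel(state) {
  return state.advertising === true;
}

// Inject the script only when the gate passes. `inject` is passed in so the
// decision logic can run outside a browser; `browserInject` is the real injector.
function loadTikTokPixel(state, inject) {
  if (!shouldLoadPixel(state)) {
    return { loaded: false, reason: "no advertising consent" };
  }
  inject({ src: PIXEL_SCRIPT_URL, pixelId: PIXEL_ID });
  return { loaded: true, reason: "advertising consent recorded" };
}

// Browser injector: appends the script tag. Only ever called after the gate passes.
function browserInject(script) {
  if (typeof document === "undefined") return;
  const el = document.createElement("script");
  el.src = script.src;
  el.async = true;
  el.dataset.pixelId = script.pixelId;
  document.head.appendChild(el);
}

// Check a banner configuration against the practices listed above as invalid.
// Field names are assumptions for this example.
function bannerIssues(banner) {
  const issues = [];
  if (!banner.rejectAllButton) issues.push("no equally accessible reject option");
  if (banner.preTicked) issues.push("pre-ticked toggles");
  if (banner.consentOnScroll) issues.push("consent inferred from continued browsing");
  if (banner.bundledWithTerms) issues.push("consent bundled into terms or checkout");
  if (!banner.withdrawalLink) issues.push("no persistent route to withdraw consent");
  return issues;
}

// Constructed walk-through of the gate over one visitor's consent lifecycle.
function demo() {
  const calls = [];
  const inject = (s) => calls.push(s.src);

  let consent = defaultConsent();
  const beforeConsent = loadTikTokPixel(consent, inject);   // blocked

  consent = grantConsent(consent, ["analytics"]);
  const analyticsOnly = loadTikTokPixel(consent, inject);   // still blocked

  consent = grantConsent(consent, ["advertising"]);
  const afterConsent = loadTikTokPixel(consent, inject);    // loads once

  consent = withdrawConsent();
  const afterWithdrawal = loadTikTokPixel(consent, inject); // blocked again

  return { beforeConsent, analyticsOnly, afterConsent, afterWithdrawal, injections: calls.length };
}
```

In a page, the consent state would be persisted (for example in a first-party cookie or localStorage) and `loadTikTokPixel(state, browserInject)` called once on load and again from the banner's opt-in handler. Note that withdrawal only stops future loads; a script that already ran on the current page keeps running until the page is reloaded, which is one reason the gate must sit in front of the load rather than after it.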
Special category data: the health and wellness risk
GDPR Article 9 protects special category data — including health, medical, and biometric data. The key risk for TikTok advertisers is inference: if your ad promotes a product that reveals or implies a viewer's health status, the targeting signal (who saw or engaged with the ad) itself becomes health data.
Products that commonly trigger Article 9 inference on TikTok:
- Supplements marketed for joint pain, inflammation, energy, or cognitive function
- Mental health apps, therapy services, or stress relief products
- Weight management products
- Skincare products marketed for conditions (acne, eczema, psoriasis)
- Fitness wearables or health-monitoring apps
For these product categories, you need explicit consent under Article 9(2)(a) — ordinary consent under Article 6 is not sufficient. This affects not just your landing page, but the ad copy and any lead gen form that collects data from viewers who saw the ad.
TikTok lead gen ads: what your copy must disclose
TikTok's native lead generation ads collect personal data directly in the platform. GDPR Articles 13 and 14 require that people are informed at the point of collection about: the identity of the data controller, the purpose and legal basis for processing, who the data will be shared with, and how long it will be retained.
In practice this means your lead gen ad and its attached form must include:
- A clear statement of what data is being collected
- The purpose (e.g. "to send you our newsletter" — not "for marketing purposes")
- The legal basis (consent, legitimate interests, etc.)
- Disclosure that TikTok processes the data as a recipient or joint controller
- A link to your full privacy notice
Vague copy such as "Sign up to learn more" with no data disclosure is a common Art. 13/14 violation — and one that Legalify's GDPR ad scanner flags automatically.
Custom audiences and lookalikes in the EU
Custom audiences built from customer email lists require that the original consent explicitly covered use for advertising retargeting. Using consent collected for transactional purposes (order confirmation, account setup) to build a TikTok custom audience is likely an incompatible secondary purpose under Article 6(4).
Lookalike audiences inherit this requirement. If the seed audience was built on improperly repurposed data, the lookalike built from it carries the same compliance risk.
What to check before launching a TikTok campaign in the EU
- Confirm the TikTok Pixel only fires after valid consent from a compliant banner
- Check whether your product category triggers Article 9 health-data inference
- Review ad copy and lead gen forms for missing Art. 13/14 disclosures
- Verify custom audiences were built from consented data with advertising scope
- Ensure there is a visible and functional consent withdrawal mechanism on your site
The free GDPR Ad Copy Checker runs the ad copy and lead form text through the Article 6, 7, 9, and 13/14 checks automatically and returns a risk level, flagged sentences, and compliant rewrites. For the full GDPR framework, see the complete GDPR advertising compliance guide.
FAQ
TikTok GDPR compliance — questions
Does GDPR apply to TikTok ads targeting EU users?
Yes. If you target EU residents through TikTok, GDPR applies to any personal data processing involved — including the TikTok Pixel, custom audiences, and any data you collect via lead generation forms. GDPR applies based on where the data subject is located, not where your business is registered.
Do I need consent to use the TikTok Pixel in the EU?
Yes. The TikTok Pixel fires tracking and advertising cookies that require prior, freely given, specific consent under both GDPR and the ePrivacy Directive. You must obtain valid consent before the pixel loads — a cookie banner that only offers "Accept all" without a clearly accessible "Reject all" option is not valid consent.
What counts as a special category risk in TikTok ad copy?
Health, wellness, fitness, supplement, and medical products are the most common. If your ad promotes a product that allows TikTok (or you) to infer a viewer's health status — for example, a joint-pain supplement or a mental wellness app — GDPR Article 9 applies and you need explicit consent. Even if the ad copy itself is generic, the targeting signals and purchase data can constitute health-data inference.
What must TikTok lead gen ads disclose under GDPR?
TikTok's native lead generation forms collect personal data (name, email, phone). Your ad and form must disclose: what data is collected, the purpose, the legal basis, who it is shared with (including TikTok as a recipient or joint controller), and how long it is retained. Missing or vague scope disclosures breach Article 13.
Can I use TikTok custom audiences and lookalikes in the EU?
Only with a proper legal basis. Custom audiences based on customer lists require that you collected those emails with valid consent covering advertising use. Lookalike audiences built on those lists inherit the same requirement. Using consent collected for one purpose (e.g. order confirmation) to build ad audiences is likely an incompatible purpose under Article 6(4).
Scan your TikTok ad copy before launch
Paste your EU TikTok ad copy or lead gen form text into the free GDPR checker — get a risk level, the flagged sentences, and compliant rewrites. No login required.