X (Twitter) Ad GDPR Compliance Guide for EU Advertisers
X's advertising platform in the EU carries specific compliance risks — particularly around sensitive categories, political advertising restrictions, and the platform's evolving data practices post-2022. This guide covers what matters for your ad copy.
Updated 25 June 2026
X advertising in the EU has become more complex since 2022. The platform's consent mechanisms have faced DPA scrutiny in multiple member states, and its advertising policies on sensitive categories have changed. From a GDPR perspective, the obligations around lawful basis, special category data, and transparency still apply in full — and are not reduced by any platform-level compliance claim X may make. This guide focuses on the ad copy layer.
Sensitive categories on X (Art. 9)
X prohibits advertising in certain sensitive categories and restricts others (financial products, healthcare). GDPR Art. 9 adds a further layer: any ad copy that implies a health condition, sexual orientation, or political view about the audience triggers explicit consent requirements regardless of how the campaign is targeted. On X, where users publicly share views that can be used for interest targeting, the Art. 9 inference risk is elevated. Health-related products, political-adjacent copy, and LGBTQ+ targeted campaigns need particular care.
Political advertising restrictions (EU Digital Services Act)
The EU's Digital Services Act (DSA), which applies alongside GDPR, restricts political advertising targeting based on sensitive characteristics including political opinion, religion, and union membership. X is a designated Very Large Online Platform under the DSA. Copy that implies or targets political affiliation in EU campaigns needs to comply with both GDPR Art. 9 and DSA political advertising restrictions. These are separate obligations with separate enforcement authorities.
Lead generation and consent on X (Art. 7)
X's lead generation card formats collect email addresses and other user data within the platform. GDPR Art. 7 requires that consent to data processing be freely given, specific, informed, and unambiguous. The consent copy in your lead card must clearly state what the data will be used for. Bundling newsletter consent with lead form submission, or using pre-populated consent, breaches Art. 7(4).
Retargeting and tailored audiences (Art. 13/14)
X's tailored audience features allow you to upload customer lists or target website visitors (via the X pixel). Using these audiences constitutes a data transfer to X as a third party. Your privacy notice must disclose X as a data recipient and the purpose of the transfer. Ad copy in tailored audience campaigns must not imply a level of personalisation that goes beyond what your privacy notice discloses.
Common violations to avoid
- Health or condition inference — copy for health, wellness, or supplement products that implies knowledge of the user's health status
- Political targeting language — copy that implies political opinion-based targeting without meeting Art. 9 and DSA requirements
- Bundled consent in lead cards — single consent checkbox covering both form submission and ongoing marketing
- Implied profiling — copy suggesting you know personal details about the user beyond what tailored audience consent covers
- Missing disclosure for retargeting — campaigns using X pixel data without disclosing X as a data recipient in the privacy notice
Frequently asked questions
Are X ads subject to GDPR?
Yes. If you are an EU-based advertiser or targeting EU users, GDPR applies to how you collect and use personal data in your X campaigns, regardless of where X as a company is based. The lawful basis, consent, and transparency obligations all apply to your ad copy and lead generation activity.
What is the main GDPR risk in X ad copy for EU campaigns?
Special category data inference is the highest risk. X's interest-based targeting includes political, religious, and health interests. Copy that targets or implies these characteristics triggers Art. 9, which requires explicit consent — a standard almost no ad funnel meets.
Do X's political advertising restrictions replace GDPR obligations?
No. X's internal policies and GDPR are separate. X may approve or reject ads based on its platform policies, but GDPR obligations on your processing of personal data apply independently. An ad that passes X's policy review may still breach GDPR.
How do I check my X ad copy for EU compliance?
Paste your X ad copy into Legalify's free GDPR Ad Copy Checker. It scans for GDPR article-level risk including special category inference, consent language issues, and transparency gaps, and returns findings with compliant rewrites.