DEV Community

Custodia-Admin

GDPR for Marketers: The Complete Compliance Guide for Marketing Teams

Marketing sits at the intersection of personal data and business growth, which makes it one of the highest-risk departments for GDPR enforcement. Most of the large enforcement themes touch marketing activities: unlawful email marketing, retargeting without valid consent, tracking cookies fired before consent, and social custom audiences built from data subjects who never agreed to cross-platform profiling.

Regulators know where to look. The Irish DPC fined Meta €390 million in January 2023 for running behavioral advertising on Facebook and Instagram without a valid lawful basis. The French CNIL fined Google and Facebook hundreds of millions of euros for cookie consent failures, notably for making refusal harder than acceptance; those decisions were taken under the French transposition of the ePrivacy Directive, which the CNIL enforces directly without the GDPR one-stop-shop. The Spanish AEPD regularly fines companies for email marketing without valid consent.


Lawful Basis for Marketing Activities

Before any marketing processing can happen, you need a lawful basis under Article 6 of the GDPR. For marketing, the relevant bases are almost always consent and legitimate interests. Performance of a contract (Article 6(1)(b)) occasionally applies, but only to processing that is genuinely necessary to deliver what the customer signed up for, not to marketing bolted onto it.

Consent (Article 6(1)(a))

Consent must be freely given, specific, informed, and unambiguous. For marketing purposes this means:

  • The data subject actively opted in — unticked box, clear language, specific purpose stated
  • Consent was not bundled with terms of service or made a condition of a service
  • You can prove consent was given (Article 7(1) puts the burden of proof on you): timestamp, the exact consent text and version shown, the user identifier, and where it was collected
  • The data subject can withdraw consent as easily as they gave it

Consent is the appropriate basis for sending direct marketing emails to prospects, for placing non-essential cookies (including analytics and advertising cookies), and for behavioral advertising to new audiences.

Legitimate Interests (Article 6(1)(f))

Legitimate interests can be used for marketing in limited circumstances, but only after a documented three-part test (the legitimate interests assessment, or LIA): the interest must be legitimate, the processing must be necessary to achieve it, and the interest must not be overridden by the data subject's rights and freedoms.

Regulators have consistently held that direct marketing can be a legitimate interest — but only where the data subject reasonably expects it and where the impact on their rights is minimal. This means:

  • Sending relevant content to existing customers about similar products or services
  • B2B marketing to contacts in their professional capacity where you have an existing relationship
  • Analytics and attribution that do not involve cross-site tracking or profiling

Legitimate interests does not justify cold email marketing to purchased lists. It does not justify behavioral advertising. It does not justify tracking across multiple websites without consent.

Consent vs. Legitimate Interests: Decision Framework

Activity and appropriate basis:

  • Cold email to a purchased list: neither; unlawful
  • Email to existing customers about similar products: legitimate interests, relying on the ePrivacy soft opt-in (see below)
  • Newsletter subscription: consent
  • Retargeting via cookies: consent
  • B2B outreach to professional contacts: legitimate interests (with caveats)
  • Behavioral advertising: consent
  • Website analytics: consent (or legitimate interests for tools that store nothing on the device)
  • Personalization based on past purchases: contract where genuinely necessary for the service, otherwise legitimate interests

Email Marketing Rules

What Valid Consent Looks Like

For email marketing to prospects, you need GDPR-compliant consent before sending. Your signup form must clearly explain that they are signing up for marketing emails, use an unticked opt-in checkbox, name your company, and link to your privacy policy. Pre-ticked boxes, bundled consent, and vague language like "stay in touch" do not meet the standard.

Soft Opt-In for Existing Customers

Under Article 13(2) of the ePrivacy Directive (2002/58/EC), there is a "soft opt-in" exception that allows you to send marketing emails to existing customers without fresh consent, provided:

  • You obtained their contact details in the course of a sale or negotiation of a sale
  • You are marketing similar products or services to those they purchased
  • You gave them the opportunity to opt out at the time of collection
  • Every subsequent email includes a clear, easy opt-out mechanism

This exception does not apply to prospects, cold leads, or B2B contacts from databases.

Every Marketing Email Must Include

  • Your company name and registered address
  • A working unsubscribe mechanism, honored immediately and free of charge
  • A link to your privacy policy
  • An honest subject line and sender identity: Article 13(4) of the ePrivacy Directive prohibits disguising or concealing who is sending the message

Retargeting and Behavioral Advertising Post-GDPR

Retargeting relies on cookies and device identifiers placed on a user's browser during a previous visit. Under Article 5(3) of the ePrivacy Directive, read with the GDPR definition of consent, storing or reading anything on the device that is not strictly necessary for a service the user asked for requires prior, informed consent. Retargeting identifiers never qualify as strictly necessary.

This means your consent banner must appear before any retargeting pixel fires, consent must be specific to advertising cookies, and if the user declines, no retargeting pixel may be placed. You cannot use legitimate interests for advertising cookies: Article 5(3) offers only consent or strict necessity, and multiple DPAs have said so explicitly.

For the Meta Pixel, Google Ads remarketing tags, LinkedIn Insight Tag, and any other advertising pixels: all must be gated behind consent. Google Consent Mode provides a way to signal the user's consent state to Google's ad products, but implementing Consent Mode does not replace the need for valid consent. In its basic form no Google tag loads until consent is given; in its advanced form the tags load immediately and send cookieless pings before consent, which is still data collection you have to be able to justify.


Personalization and Profiling Obligations

Personalization based on browsing history, purchase history, or demographic inferences is a form of profiling under GDPR Article 4(4). For most marketing personalization, Article 22 does not apply because no significant automated decision is being made. However, the profiling itself still requires a lawful basis.

You can use legitimate interests for personalization based on a customer's own purchase history with you. You need consent for profiling based on inferred characteristics, third-party data, or cross-site behavioral data.

Your privacy policy must describe the profiling you conduct, the basis for it, and the data subject's right to object under Article 21. Where the profiling relates to direct marketing, that right is unconditional (Article 21(2) and (3)): once the person objects you must stop, with no balancing test.


Marketing Analytics and Consent Mode

The ICO and most EU DPAs take the position that analytics cookies require consent, even where the data is partially anonymized (the CNIL allows a narrow exemption for strictly first-party audience measurement that meets its conditions). A privacy-preserving analytics tool (Fathom, Plausible, Umami) can take you out of the cookie-consent requirement if it stores nothing on the device and does not fingerprint; the processing still needs a lawful basis, usually legitimate interests, and still belongs in your privacy policy.

If you are using GA4, you must:

  1. Block the GA4 tag until consent is given. Implement Google Consent Mode v2 so the consent state is passed to Google, and make sure your consent platform actually withholds the tag: Consent Mode on its own only signals state, and in advanced mode the tag still loads and sends cookieless pings before consent
  2. Use the consent banner to gather explicit consent for analytics
  3. Record in your documentation that GA4 does not log or store IP addresses (there is no anonymization toggle as there was in Universal Analytics), but that it still uses the IP to derive location at collection time, so it remains personal data processing
  4. Recognize that GA4 offers no EU storage region: the data is processed in the US, so you need a transfer mechanism (SCCs or, for Google LLC, its EU-US Data Privacy Framework certification) and a documented transfer assessment
  5. Execute Google's Data Processing Amendment in the GA4 admin settings
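The gating described in the retargeting section above and in steps 1 and 2 here, as an added example that is not code from the original post or from Google: a small consent gate that keeps the Consent Mode v2 default signals at "denied", pushes the update once the banner reports a choice, and only then loads the tags whose required signals are all granted. The signal names and the gtag('consent', 'default' | 'update', ...) call shape are Google Consent Mode v2's; the tag names, the mapping of tags to signals, and the loadTag callback are assumptions for the example (in a browser, loadTag would append the vendor script element).

```javascript
// Added example, not code from the original post or from Google: a consent
// gate with Google Consent Mode v2 semantics. Tag names, the tag-to-signal
// mapping and the loadTag callback are assumptions for this example.

// Consent Mode v2 default: all four signals denied until the user chooses.
// In a real page this must be pushed before gtag.js or any pixel loads.
const CONSENT_DEFAULTS = {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
};

// Signals that must all be 'granted' before a tag may load (assumed mapping).
const TAG_REQUIREMENTS = {
  ga4: ['analytics_storage'],
  meta_pixel: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  google_ads_remarketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  linkedin_insight: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

class ConsentGate {
  // loadTag(name) would append the vendor <script> in a browser; it is
  // injected so the gate can be exercised without a DOM.
  constructor(loadTag) {
    this.loadTag = loadTag;
    this.dataLayer = []; // stands in for window.dataLayer
    this.state = { ...CONSENT_DEFAULTS };
    this.loaded = new Set();
    // Same as gtag('consent', 'default', {...}) in the page snippet.
    this.gtag('consent', 'default', { ...CONSENT_DEFAULTS, wait_for_update: 500 });
  }

  gtag(...args) {
    this.dataLayer.push(args);
  }

  // Banner callback: choice = { analytics: boolean, advertising: boolean }.
  // Returns the tags that were loaded because of this choice.
  applyChoice(choice) {
    const ad = choice.advertising ? 'granted' : 'denied';
    const update = {
      analytics_storage: choice.analytics ? 'granted' : 'denied',
      ad_storage: ad,
      ad_user_data: ad,
      ad_personalization: ad,
    };
    this.state = { ...this.state, ...update };
    this.gtag('consent', 'update', update); // Consent Mode v2 update
    return this.loadPermittedTags();
  }

  // Load every not-yet-loaded tag whose required signals are all granted.
  // Before any choice this returns [] and never calls loadTag.
  loadPermittedTags() {
    const fired = [];
    for (const [tag, signals] of Object.entries(TAG_REQUIREMENTS)) {
      if (this.loaded.has(tag)) continue;
      if (signals.every((s) => this.state[s] === 'granted')) {
        this.loaded.add(tag);
        this.loadTag(tag);
        fired.push(tag);
      }
    }
    return fired;
  }

  // Withdrawal must be as easy as consent. A script that has run cannot be
  // unloaded, so signal 'denied' and hand back the tags whose cookies the
  // caller must now clear (or reload the page without them).
  withdrawAll() {
    this.applyChoice({ analytics: false, advertising: false });
    return [...this.loaded];
  }
}

// Stand-alone run with a stub loader.
const demoGate = new ConsentGate((tag) => console.log('loading', tag));
console.log('before consent:', demoGate.loadPermittedTags()); // []
console.log('analytics only:', demoGate.applyChoice({ analytics: true, advertising: false })); // ['ga4']
console.log('all granted:', demoGate.applyChoice({ analytics: true, advertising: true }));
console.log('withdrawn; clear cookies for:', demoGate.withdrawAll());
```

Before any choice, loadPermittedTags() returns an empty array and the loader is never called; that is the check to reproduce in a browser test by asserting that no vendor requests appear in the network log until the banner has been answered. Withdrawal is modelled as a "denied" update plus the list of tags whose cookies the caller has to clear, because a script that has already run cannot be unloaded.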

UTM Tracking and First-Party Data Strategy

As third-party cookies are deprecated and consent rates for advertising cookies land well short of 100% (the commonly cited 50–70% range varies by market and banner design), marketing teams need to invest in:

  • First-party email lists built with proper consent — your most durable marketing asset
  • On-site behavioral data captured for logged-in users, under the contract basis only where it is necessary to deliver the service, otherwise under legitimate interests or consent
  • CRM enrichment based on data the customer directly provided
  • Zero-party data — preferences, interests, survey responses the customer actively shares

UTM tracking feeding into a CRM is fine under legitimate interests when you are attributing marketing spend to pipeline, provided the UTM values are campaign labels rather than per-recipient identifiers that turn every click into an individual tracking event. Document this in your Records of Processing Activities (ROPA) and ensure your privacy policy covers it.


Working with Agencies and Ensuring They Have DPAs

Marketing agencies, media buyers, PR firms, and creative studios often process personal data on your behalf. Under GDPR, if they process personal data on your instructions, they are data processors and Article 28 requires a Data Processing Agreement (DPA) to be in place before they begin processing. Where an agency decides the purposes and means itself (a media buyer applying its own audience data, for example), it is a separate or joint controller, and you need a controller-to-controller or Article 26 joint-controller arrangement instead.

A DPA must cover:

  • The subject matter, duration, and nature of the processing
  • The type of personal data and categories of data subjects
  • Your obligations as controller and theirs as processor
  • Sub-processing restrictions
  • Security measures
  • Assistance with data subject rights requests and breach notification
  • Deletion or return of data at contract end

If an agency refuses to sign a DPA, that is a red flag. If the agency is based outside the EEA, you also need a valid transfer mechanism: Standard Contractual Clauses (SCCs) are the most common, and US vendors certified under the EU-US Data Privacy Framework can rely on that certification instead.


Marketing Database Hygiene

Suppression Lists

Every marketing database should maintain suppression lists for unsubscribes, permanent bounces, spam complaints, and data deletion requests. Deleting a contact from your active list is not the same as suppressing them — if you delete without suppressing, you risk re-adding them in a future import.

Re-Permission Campaigns

If your email list has not been contacted in 12+ months, was built before GDPR came into force, or uses consent that does not meet current standards, you need a re-permission campaign. Send a final email asking contacts to confirm they want to continue receiving communications. Those who do not respond are suppressed. Note that the re-permission email is itself a marketing communication: send it only to contacts you can lawfully email today, and never to people who have opted out. The ICO fined Honda and Flybe in 2017 for exactly that.
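Both hygiene steps above, as an added example that is not from the original post: an import filter that rejects suppressed, duplicate and consent-less contacts with an auditable reason, and a re-permission pass that selects contacts whose last contact is older than a threshold or whose consent predates 25 May 2018 (the date the GDPR became applicable) and suppresses, rather than deletes, anyone who does not confirm. The field names (email, consent.timestamp, consent.textVersion, lastEmailed), the reason strings, the 365-day threshold and the sample contacts are constructed for the example.

```javascript
// Added example, not from the original post: import-time suppression plus
// re-permission selection. Field names, reason strings, the 365-day threshold
// and the sample contacts are assumptions constructed for this example.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// The GDPR became applicable on 25 May 2018; consent recorded before that
// date is treated here as needing re-permission.
const GDPR_APPLICABLE_FROM = new Date('2018-05-25T00:00:00Z');

// Normalize so that '  Alice@Example.com ' and 'alice@example.com' match.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Suppression is keyed on the normalized address and never purged: a deleted
// contact can come back in the next import, a suppressed one cannot.
class SuppressionList {
  constructor() {
    this.entries = new Map(); // normalized email -> { reason, at }
  }
  add(email, reason, at) {
    const key = normalizeEmail(email);
    if (!this.entries.has(key)) this.entries.set(key, { reason, at }); // keep the first reason
  }
  get(email) {
    return this.entries.get(normalizeEmail(email));
  }
}

// Filter an import batch. Each rejection carries a reason so the import is auditable.
function importContacts(records, suppression) {
  const accepted = [];
  const rejected = [];
  const seen = new Set();
  for (const record of records) {
    const email = normalizeEmail(record.email);
    if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) { rejected.push({ email, reason: 'invalid' }); continue; }
    if (seen.has(email)) { rejected.push({ email, reason: 'duplicate' }); continue; }
    seen.add(email);
    const hit = suppression.get(email);
    if (hit) { rejected.push({ email, reason: 'suppressed:' + hit.reason }); continue; }
    const consent = record.consent;
    if (!consent || !consent.timestamp || !consent.textVersion) {
      rejected.push({ email, reason: 'no-consent-record' });
      continue;
    }
    accepted.push({ ...record, email });
  }
  return { accepted, rejected };
}

// Contacts that need a re-permission campaign: never emailed, not emailed
// for staleAfterDays, or consent that predates the GDPR.
function selectForRePermission(contacts, now, staleAfterDays = 365) {
  return contacts
    .filter((c) => {
      const daysSinceLastEmail = c.lastEmailed ? (now - new Date(c.lastEmailed)) / MS_PER_DAY : Infinity;
      return daysSinceLastEmail >= staleAfterDays || new Date(c.consent.timestamp) < GDPR_APPLICABLE_FROM;
    })
    .map((c) => c.email);
}

// Close the campaign: anyone who did not confirm is suppressed, not deleted.
function closeRePermission(campaignEmails, confirmedEmails, suppression, closedAt) {
  const confirmed = new Set(confirmedEmails.map(normalizeEmail));
  const suppressed = [];
  for (const email of campaignEmails) {
    const key = normalizeEmail(email);
    if (confirmed.has(key)) continue;
    suppression.add(key, 'no-repermission-response', closedAt);
    suppressed.push(key);
  }
  return suppressed;
}

// Constructed sample batch: a valid contact, an unsubscribed one, a duplicate
// with different casing, a pre-GDPR stale contact, and one with no consent record.
const SAMPLE_IMPORT = [
  { email: 'alice@example.com', consent: { timestamp: '2024-06-01T10:00:00Z', textVersion: 'v3' }, lastEmailed: '2024-12-01T09:00:00Z' },
  { email: 'bob@example.com', consent: { timestamp: '2024-02-01T10:00:00Z', textVersion: 'v3' }, lastEmailed: '2024-11-20T09:00:00Z' },
  { email: ' Alice@Example.com ', consent: { timestamp: '2024-06-01T10:00:00Z', textVersion: 'v3' } },
  { email: 'carol@example.com', consent: { timestamp: '2017-11-01T10:00:00Z', textVersion: 'v1' }, lastEmailed: '2023-06-15T09:00:00Z' },
  { email: 'dave@example.com' },
];

// Runs the whole cycle on the sample batch and returns the results.
function runDemo(now = new Date('2025-01-01T00:00:00Z')) {
  const suppression = new SuppressionList();
  suppression.add('Bob@Example.com', 'unsubscribe', '2024-12-10T08:00:00Z');
  const { accepted, rejected } = importContacts(SAMPLE_IMPORT, suppression);
  const campaign = selectForRePermission(accepted, now);
  const suppressed = closeRePermission(campaign, [], suppression, now.toISOString()); // nobody confirmed
  const reimport = importContacts([SAMPLE_IMPORT[3]], suppression); // carol cannot come back
  return { accepted: accepted.map((c) => c.email), rejected, campaign, suppressed, reimportRejected: reimport.rejected };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The point of the last two lines of runDemo is the one the section makes: after the campaign closes, carol is in the suppression list, so a later import of the same old export is rejected instead of silently reviving a contact who never confirmed.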


Social Media Advertising and Custom Audiences

Custom audiences — uploading your email list to Facebook, LinkedIn, or Google — involve transferring personal data to a third-party platform. The ICO's position is that using customer data for custom audience targeting requires consent, because users would not reasonably expect their email address to be used to enable cross-platform advertising targeting.

If you use custom audiences:

  • Your privacy policy must disclose this use
  • You should have consent or a documented legitimate interests assessment
  • Use hashed data where the platform supports it; hashing protects the list in transit and at rest on the platform's side, but it does not anonymize it, because the platform matches the hashes against its own users
  • Review the platform's own GDPR terms and ensure their DPA covers your use case

Marketing Team Compliance Checklist

Consent and Lists

  • All email marketing lists have documented consent records with timestamps
  • Signup forms use unticked checkboxes and clear marketing language
  • Unsubscribe mechanism works and processes immediately
  • Suppression lists are maintained and synced across tools
  • Legacy lists have been re-permissioned or suppressed

Tracking and Analytics

  • Consent banner appears before any non-essential cookies fire
  • Analytics tags (GA4, etc.) gated behind consent
  • Advertising pixels (Meta, Google Ads, LinkedIn) gated behind consent
  • Google Consent Mode v2 implemented if using Google Ads
  • Privacy policy accurately describes all tracking technologies in use

Agencies and Tools

  • DPA in place with every agency that processes your marketing data
  • DPA in place with every marketing SaaS tool (email platform, CRM, analytics)
  • Transfer mechanisms in place for US-based tools (SCCs or DPF)
  • Agency sub-processor list reviewed

Personalization and Social

  • Privacy policy describes profiling and segmentation activities
  • Right to object to profiling is accessible
  • Lawful basis documented for custom audience uploads
  • Privacy policy discloses custom audience use

Audit Your Marketing Stack

The fastest way to identify gaps in your marketing compliance is to see what your website is actually sending — which third-party scripts are firing, what data they collect, and whether anything runs before consent is given.

Custodia scans your website and maps every tracker, pixel, and third-party tool in seconds. Free, no signup required.

Scan your website free at app.custodia-privacy.com/scan


This post provides general information about GDPR as it applies to marketing activities. It does not constitute legal advice. Consult a qualified data protection lawyer or DPO for advice specific to your situation.
