GDPR in Marketing: Newsletters, Cookies and Personalized Ads

Digital marketing is one of the most impacted areas by GDPR regulations. In 2026, European authorities increasingly focus on valid consent, transparency, and data protection in online campaigns.

1. Newsletters and email collection

To send newsletters, you must:

obtain explicit and informed consent from the user
keep proof of consent (date, IP, form)
include a clear unsubscribe option in every email

Email collection is prohibited via:

pre-filled subscription boxes
automatic sign-up during purchase without consent
sharing email lists with third parties without consent

2. Cookies and compliant banners

GDPR imposes strict rules on cookie usage:

users must actively choose which cookies to accept
banners must offer clear options: Accept / Reject / Customize
tracking cookies cannot be enabled by default

Examples of cookies:

necessary (site functionality) → no consent required
analytics (Google Analytics) → consent required
marketing (Facebook Pixel, remarketing) → consent required

3. Personalized ads and profiling

GDPR treats profiling as automated data processing. To display personalized ads:

clear consent for profiling is required
users must be informed about the purpose and logic
users must be able to opt out of profiling

Platforms like Google Ads and Meta Ads offer GDPR settings, but the website collecting the data holds final responsibility.

4. What the privacy policy must include

Any site collecting data must provide:

processing purposes
legal basis
data retention period
user rights
contact details of the data controller

The policy must be:

clear, accessible, free of legal jargon
available before data collection

5. Fines and audits in marketing

Most marketing-related sanctions result from:

lack of valid consent
cookies enabled without consent
missing proof of consent
unclear or missing information

In 2026, authorities are increasing audits of websites, online stores, and marketing agencies.