Digital Marketing – The impact of GDPR

GDPR and Digital Marketing

In the past decade, digital marketing has evolved rapidly. Prospective customers could easily be reached using email newsletters. Personal data became a currency: businesses offer free services like email, entertainment, news, and search facilities, and in return, they collect data and sell advertising. Today various tracking mechanisms make it possible to predict what products and services a visitor on a website will be interested in. Advertisements can be personalized to the individual visitor this way, minimizing the irritation of advertising and maximizing the chances to conversion.

And then came the GDPR with its principle of transparency and fairness, with its ruling that anybody processing personal data needs a valid, legitimate purpose. Impacting about every kind of marketing activities and with a ‘bite’ in the sense of serious fines in case of non-compliance. The GDPR requires a new way of thinking.

Impact on email marketing

The main rule for email marketing is that you need consent before it is allowed to send any commercial message. That is not new, but the AVG is more strict in its ruling that consent must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’.

Most companies solve this by asking visitors on their website to subscribe to their newsletter. The idea is to publish some interesting texts on your website more or less related to the products and services you offer, and ask the visitor of the site to opt-in (i.e. give consent) to your email newsletter. A newsletter as an advertising medium, however, will only work in practice as long as you publish at regular times content the data subject is interested in.


Analytics check the performance of a website and the way visitors use it. It needs cookies, so both consent to store cookies and consent to process personal data like an IP address is needed. Often, websites use third party software, like Google Analytics (GA). In that case and depending on the agreement you have with Google you might need to inform the visitor that his data is being sent outside the EU and the related information required by GDPR articles 13 and 14. Some analytics software (including GA) can be set up so that it only uses a part of the IP address, anonymizing the data used.

Tracking and profiling

The largest impact of the GDPR will certainly be in this area. Over the last decade, online marketing became dependent on the use of tracking pixels and cookies to record a user’s browsing behavior. Most websites will tell you about this in sentences like ‘we use cookies to give you a better user experience and to show you ads that fit your personal interests’.  That sounds like the online bookstore telling you that ‘others like you also bought …’, or YouTube suggesting that given the music you listened to ‘you might also like …’, which result in interesting tips.  What they usually do not tell you that in order to do that, they need to track your path from website to website, aggregating a very detailed profile about your age group, social status, interests, shopping history, political ideas, cultural background, etc.

It is clear that tracking the behavior of internet users this way is in breach of the GDPR. It violates the principle of fairness and transparency, violates the requirement to have a legitimate processing purpose and informed and freely given consent,  etc.  In an article on tracking EDRi – the association of European civil and human rights organizations –  quotes Eurobarometer: ‘71% of (respondents) say it is unacceptable for companies to share information about them without their permission, even if it helps companies provide new services they may like.

Quite a number of websites still use a ‘cookie wall’ or ‘tracking wall’, i.e. you can’t access their website unless you accept cookies and other trackers. It is clear that this consent is not ‘freely given’, hence processing on the basis of it is illegal. The ePrivacy Regulation proposal (EPR) which is expected to become European law in 2019 will also require consent to store cookies to be ‘freely given specific, informed and unambiguous …’ and forbid the use of tracking walls.

Advertising and automated bidding

‘Targeted advertising’ is the most common way to personalize advertising. This system uses tracking apps, pixels or cookies. As soon as a user connects to an app or website, his/her personal data are sent to automatic bidding platforms which ultimately transfer them to advertising intermediaries wishing to buy ad space for their advertiser clients. Intermediaries rely on such data to adjust the value of their bidding request for the given ad space, depending on whether the user’s profile matches the targeted audience of advertisers. The advertiser can ask for a very ‘focused’ target audience, based on hundreds of attributes from your online profile, on the time and day of the week and your current location. The French supervisory authority CNIL has recently issued public formal notices to a number of advertising companies using targeted advertising for not having obtained valid consent[1].

New opportunities for Digital Marketing

As soon as the GDPR and EPR will really be enforced, advertising companies will surely find ways to show advertising within the rule of law. Websites showing articles we pay for with personal data will also need to find another revenue model. Privacy-friendly browser Brave already introduced a system to pay for website content using the cryptocurrency Etherium, making it possible to pay for articles you read online without spreading your personal data. Quite a number of free browsers and browser add-ons[2] that can be set (or are preset) to block tracking and unsolicited advertising are already a fact.


[1] Source: Proust, O & Defromont, J. (6 December 2018). Fieldfisher Privacy and information law blog

[2] Browsers: Brave, Cliqz, Epic, Firefox, Tor; extensions: Firefox Forget-me-not, Google Analytics opt-out, Privacy Badger.


This article has been written by guest author Leo Besemer.