What Is GDPR? EU Privacy Law Every Marketer Must Know

The General Data Protection Regulation (GDPR) is a European Union privacy law that took effect on May 25, 2018, governing how organizations collect, store, and use personal data belonging to people in the EU. For marketers, it reshapes every touchpoint where customer data is involved: email lists, ad targeting, website analytics, and CRM systems. Non-compliance carries fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Why GDPR Matters to Marketers

GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the organization is headquartered. A U.S.-based brand running Facebook ads targeted at German consumers falls within scope. The regulation treats personal data broadly: names, email addresses, IP addresses, cookie identifiers, and behavioral profiles all qualify.

The practical effect on marketing is significant. Behavioral retargeting, lookalike audiences, and email campaigns all require a valid legal basis for data processing. Consent, once easy to manufacture through pre-ticked boxes or buried opt-ins, now requires an affirmative, specific, and freely given action from the user.

The Six Lawful Bases for Processing

Under Article 6 of GDPR, every processing activity must rest on one of six lawful bases:

Lawful basis          Marketing relevance
--------------------  --------------------------------------------------------------
Consent               Email newsletters, retargeting cookies, SMS campaigns
Contract              Order confirmations, transactional emails
Legal obligation      Records kept to satisfy statutory duties (tax, anti-money-laundering)
Vital interests       Rarely applicable to marketing
Public task           Rarely applicable to marketing
Legitimate interests  B2B prospecting, analytics, fraud detection

Consent and legitimate interests are the two bases most commonly invoked by marketing teams. Consent is stricter but cleaner to document. Legitimate interests requires a three-part test, and the assessment should be written down before processing starts: the organization must have a genuine interest, the processing must be necessary to achieve it, and the individual's interests and fundamental rights must not override that interest. Relying on legitimate interests for cold email campaigns to consumers is generally considered a weak legal position under GDPR, and ePrivacy rules on unsolicited electronic marketing apply on top of it.

Consent Requirements Under GDPR

Article 7 sets the standard for valid consent. It must be:

  • Freely given: Consent bundled with terms of service or conditioned on accessing a service does not qualify
  • Specific: A single checkbox covering email marketing, analytics, and third-party sharing is insufficient
  • Informed: The individual must understand who is collecting data, for what purpose, and for how long
  • Unambiguous: Pre-ticked boxes, silence, or inactivity do not constitute consent

Consent can also be withdrawn at any time, and withdrawal must be as easy as giving consent. This requirement directly affects consent management platforms and the architecture of cookie banners: regulators have treated banners where refusing takes more clicks or effort than accepting as failing the "freely given" test, so a "Reject All" option must be as prominent and as easy to use as "Accept All."

Data Subject Rights That Affect Marketing Operations

GDPR grants individuals eight rights. Three create direct operational demands for marketing teams:

Right to Erasure (Article 17)

An individual can request deletion of their personal data. For marketers, this creates a practical tension: once a profile is erased, nothing stops a later list purchase, data-append or re-acquisition campaign from reintroducing the same person. The accepted answer is to keep a minimal suppression record (ideally a keyed hash of the identifier rather than the identifier itself) whose only purpose is to honor the request, while deleting everything else. Deleting a record and adding it to suppression are two different actions, and both must happen.

Right to Data Portability (Article 20)

Individuals can request a copy of the data they provided in a structured, commonly used, machine-readable format, and can have it transmitted directly to another controller where technically feasible. This right applies only to data processed by automated means on the basis of consent or contract.

Right to Object (Article 21)

Individuals can object to processing based on legitimate interests. For direct marketing the right is absolute: once an objection is received, processing for that purpose must stop, with no balancing exercise available to the organization. For other legitimate-interest processing, the organization may continue only if it can demonstrate compelling legitimate grounds that override the individual's interests.

Enforcement: What the Fines Look Like in Practice

Regulators have demonstrated willingness to impose landmark fines against major brands. Ireland’s Data Protection Commission fined Meta Platforms €1.2 billion in May 2023 for transferring EU user data to U.S. servers without adequate protections. Luxembourg’s data authority fined Amazon €746 million in 2021 for targeted advertising practices. France’s CNIL issued a €50 million fine against Google in 2019, one of the first major GDPR penalties, over inadequate consent disclosures for ad personalization.

The fine formula:

Maximum fine = Higher of: €20,000,000 OR 4% of total worldwide annual turnover (prior financial year)

For a company with €10 billion in global revenue, the theoretical maximum fine reaches €400 million. A lower tier of up to €10 million or 2% of turnover applies to breaches of the controller's and processor's own obligations, such as inadequate records of processing, failing to appoint a data protection officer, insufficient security of processing, or late breach notification.

GDPR’s Impact on Digital Advertising

Third-party cookie deprecation accelerated alongside GDPR enforcement, pushing advertisers toward first-party data strategies. Brands that built compliant consent pipelines before 2020 found themselves with defensible data assets as retargeting infrastructure eroded.

Programmatic advertising also changed. The Interactive Advertising Bureau developed its Transparency and Consent Framework (TCF) specifically to standardize GDPR consent signals across the ad tech supply chain. Publishers must pass valid consent strings to demand-side platforms; without them, personalized bidding cannot occur. This dynamic reduced addressable inventory in European markets by a measurable margin and raised CPMs for consented audiences.

Customer data platforms and server-side tracking emerged as alternatives to client-side pixel tracking. Server-side implementations can drop or pseudonymize personal data before an event reaches a third-party vendor, and can gate each vendor on the purposes the user actually consented to. Two caveats apply: moving collection to the server does not remove the need for a lawful basis, and hashed identifiers or truncated IP addresses are still personal data under GDPR whenever the organization can link them back to a person.
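The following is an added example, not code from the original article or from any vendor's product, showing what a server-side minimization step looks like before an event is forwarded to an advertising vendor. The secret key, the event shape, the consent purposes and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Any

# Constructed key for the example; in production this comes from a secrets
# manager and is rotated, because anyone holding it can re-link pseudonyms.
PSEUDONYM_KEY = b"example-only-rotate-me"

# Fields that are removed outright before an event leaves our infrastructure.
DROP_FIELDS = {"email", "phone", "name", "user_agent"}

# Vendor name -> consent purpose that must be granted before forwarding
# (assumed purpose names, not a real framework's vocabulary).
VENDOR_PURPOSES = {"ad-vendor": "advertising", "analytics-vendor": "analytics"}


def truncate_ip(ip: str) -> str:
    """Coarsen an IP address so it no longer identifies a single host:
    IPv4 to /24, IPv6 to /48."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize(value: str) -> str:
    """Keyed hash (HMAC-SHA256) so the vendor sees a stable but opaque ID.
    Still personal data on our side, since we hold the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_event(event: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers, coarsen the IP and pseudonymize the user ID."""
    out: dict[str, Any] = {}
    for key, value in event.items():
        if key in DROP_FIELDS:
            continue
        if key == "ip":
            out[key] = truncate_ip(value)
        elif key == "user_id":
            out[key] = pseudonymize(value)
        else:
            out[key] = value
    return out


def route_event(event: dict[str, Any], consent: dict[str, bool]) -> dict[str, dict[str, Any]]:
    """Return {vendor: minimized_event} only for vendors whose purpose was consented to.
    A vendor with no consented purpose receives nothing, not a stripped-down event."""
    routed = {}
    for vendor, purpose in VENDOR_PURPOSES.items():
        if consent.get(purpose, False):
            routed[vendor] = minimize_event(event)
    return routed


# Constructed sample event and consent record.
SAMPLE_EVENT = {
    "event": "product_view",
    "sku": "SKU-1234",
    "user_id": "u-98765",
    "email": "alice@example.com",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (example)",
}
SAMPLE_CONSENT = {"analytics": True, "advertising": False}

if __name__ == "__main__":
    print(route_event(SAMPLE_EVENT, SAMPLE_CONSENT))
```

The point of gating per vendor rather than per event is that consent under GDPR is purpose-specific: a user who allowed analytics but refused advertising must not have even a minimized event sent to the ad vendor.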

GDPR vs. Other Privacy Regulations

GDPR set the template for most data privacy legislation that followed it. California's CCPA (2020) and CPRA (2023) and Brazil's LGPD (2020) share structural similarities with GDPR, and Canada's older PIPEDA covers much of the same ground. Each differs in meaningful ways, however: scope, opt-out vs. opt-in defaults, and enforcement mechanisms vary significantly across jurisdictions. Marketers building global data programs generally treat GDPR compliance as the baseline, since its requirements tend to be the most demanding.

Key Takeaways for Marketing Teams

  1. Audit every data collection touchpoint for a valid lawful basis before processing begins
  2. Design consent flows that meet the freely given, specific, informed, and unambiguous standard
  3. Maintain suppression lists separately from deletion records to prevent re-contact of opted-out individuals
  4. Assess and document legitimate interests claims using the three-part test (genuine interest, necessity, balancing against the individual's rights) before relying on them for direct marketing
  5. Treat first-party data collection as a competitive asset, since compliant data is increasingly scarce in European markets

GDPR compliance is not a one-time project but an ongoing operational requirement. As enforcement patterns evolve and regulators issue new guidance, marketing teams benefit from maintaining direct relationships with legal counsel and data protection officers. Treating privacy as a checkbox exercise is a recurring theme in the major enforcement actions that have cost brands hundreds of millions of euros.

Frequently Asked Questions About GDPR

Does GDPR apply to companies outside the EU?

Yes. GDPR applies to any organization that processes the personal data of people located in the EU, regardless of where the organization is based. A U.S. company running ads targeted at German consumers falls within scope, even with no EU office or employees.

What is the maximum GDPR fine?

The maximum GDPR fine is €20 million or 4% of a company’s total worldwide annual turnover from the prior financial year, whichever is higher. For large companies, the turnover-based calculation typically produces the larger number — Meta’s 2023 fine of €1.2 billion illustrates the scale.

What is the difference between consent and legitimate interests under GDPR?

Consent requires an affirmative, specific, freely given action from the individual. Legitimate interests allows processing without consent, but only after a three-part test confirms the organization's interest is genuine, the processing is necessary, and the individual's interests and rights do not override it. For consumer direct marketing, regulators consistently treat consent as the safer legal basis.

How does GDPR affect email marketing?

GDPR requires a valid legal basis for every marketing email sent to people in the EU. In most cases, this means obtaining explicit, affirmative consent before adding someone to a list. Pre-ticked boxes, implied opt-ins, and bundled consent do not qualify. Suppression lists must also be maintained to honor opt-out requests on a permanent basis.

What is the right to erasure under GDPR?

The right to erasure, defined in Article 17, allows individuals to request deletion of their personal data. For marketing teams, deletion and suppression are separate obligations: the profile is deleted, but a minimal suppression entry (typically a keyed hash of the email address rather than the address itself) is kept so that re-acquisition campaigns cannot re-contact the person.
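The separation between erasure and suppression described above, and in the Right to Erasure section earlier on this page, is easy to get wrong in a CRM that stores only one kind of record. The following is an added example, not code from the original article or from any CRM product, of a store that deletes the profile and keeps only an HMAC of the normalized address. The key, the store layout and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
from typing import Any, Iterable

# Constructed key for the example; in production it lives in a secrets manager.
# A keyed hash (rather than plain SHA-256) stops an attacker who obtains the
# suppression table from confirming membership by hashing guessed addresses.
SUPPRESSION_KEY = b"example-only-rotate-me"


def normalize_email(email: str) -> str:
    """Canonical form so that case or whitespace variants map to one token."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Opaque token stored instead of the address after erasure."""
    canonical = normalize_email(email).encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, canonical, hashlib.sha256).hexdigest()


class MarketingStore:
    """Toy CRM: profiles keyed by email, plus a token-only suppression set."""

    def __init__(self) -> None:
        self.contacts: dict[str, dict[str, Any]] = {}
        self.suppressed: set[str] = set()

    def add_contact(self, email: str, profile: dict[str, Any]) -> bool:
        """Refuse to (re)create a profile for a suppressed address."""
        if not self.can_contact(email):
            return False
        self.contacts[normalize_email(email)] = dict(profile)
        return True

    def erase(self, email: str) -> None:
        """Article 17 handling: drop everything we hold, keep only the token.
        Works even if the address was never in the profile table."""
        self.contacts.pop(normalize_email(email), None)
        self.suppressed.add(suppression_token(email))

    def can_contact(self, email: str) -> bool:
        return suppression_token(email) not in self.suppressed

    def import_list(self, emails: Iterable[str]) -> list[str]:
        """Filter an incoming list (a purchase or re-acquisition file) through
        suppression and return the addresses that may be loaded."""
        return [e for e in emails if self.can_contact(e)]


if __name__ == "__main__":
    store = MarketingStore()
    store.add_contact("alice@example.com", {"name": "Alice"})
    store.erase("alice@example.com")
    print(store.import_list(["Alice@Example.com", "bob@example.com"]))
```

Two properties are worth checking in a real system: the suppression table must contain no plaintext addresses (so a later breach of that table does not leak who asked to be forgotten), and normalization must run on both the erasure path and the import path, or a capitalized variant will slip through.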

Related: Consent Management Platform, First-Party Data, Cookie Consent, Data Privacy