Behavioral advertising is the practice of tracking users across the web and noting their interests to deliver ads that would be most relevant to them.

Given its sensitive nature, behavioral advertising sparks controversy between marketers, lawmakers, and customers alike. Still, it remains an effective technique to improve user experience and drive sales, if you observe legal requirements.

This article explains how to perform behavioral advertising in a compliant way under key legal jurisdictions.



What is Behavioral Advertising?

Behavioral advertising is the use of tracking technologies (like cookies, pixels, etc.) to analyze user behavior and serve ads based on their interests. It's otherwise known as interest-based advertising or Online Behavioral Advertising (OBA).

Criticisms aside, the primary purpose of behavioral advertising is to serve relevant ads to specific market segments. When done right, it can be a win-win for both customers and businesses.

How? Customers get adverts that actually interest them. And businesses increase their return on investment by targeting the right audience.

Case in point, McKinsey says companies that leverage behavioral insights outperform their competitors by 85% in sales growth and over 25% in gross margin.

How Does Behavioral Advertising Work?

Behavioral advertising can be broken down into a three-step process. First is gathering data about user behavior from various sources, including websites, mobile apps, CRM systems, etc.

Typically, tracking pixels or third-party cookies are used for data collection. Examples of user data collected for behavioral advertising include but aren't limited to:

  • Website visits
  • Frequency and recency of visits
  • Web browsing histories
  • IP addresses
  • Location data
  • Demographics
  • Search queries
  • Key metrics like clicks, pages viewed, etc.

This information is usually aggregated through a Data Management Platform (DMP). With enough data, a picture of customers' interests and habits emerges.

Next, users with similar behavior are grouped into segments. For example, an online book-seller would group fiction readers separately from non-fiction readers.

The final step is designing ad campaigns tailored to specific segments. Since these ads are more relevant to users, there's a higher chance of engagement and conversion.

Key players in behavioral advertising

To understand how the behavioral advertising ecosystem works, it's important to know its key players: advertisers, publishers, and ad network providers.

Simply put:

  • Advertisers work to promote their products/services to specific audiences
  • Publishers offer ad space for sale on their online platforms
  • Ad network providers connect publishers with advertisers and distribute ads efficiently

In many cases, an automated auction system called real-time bidding is used to allocate ads, considering the target audience, user behavior, and ad space requirements.

What Are The Privacy Implications of Behavioral Advertising?

By its very nature, behavioral advertising involves tracking people online. This naturally raises concerns about intrusion into personal privacy.

But beyond that, the technical data collected for behavioral advertising (such as IP address and browser history) qualifies as personal information under privacy laws.

What's more, behavioral advertising works hand-in-hand with techniques like inferences and cross-context tracking, which also contribute to privacy concerns.

Let's take a closer look.

Inferences and Behavioral Advertising

Inferences are educated guesses about a person's interests and characteristics. Every click, hover, and scroll becomes a data point that paints a picture of their online behavior.

For instance, repeated searches for "new food recipes" could infer that the searcher is a budding chef or cooking enthusiast. As a result, they might get ads for kitchen tools.

Inferences play a big role in behavioral advertising. In specific instances, they can be considered personal information under data privacy laws.

For example, here's how the California Consumer Privacy Act (CCPA/CPRA) highlights inferences as personal information:

CCPA (CPRA) Definition of personal information with inferences section highlighted

And here's the UK Information Commissioner's Office (ICO) backing this sentiment under the UK GDPR:

UK ICO Article on Direct Marketing - Definition of personal data

Cross-Context Tracking and Behavioral Advertising

Cross-context tracking involves monitoring users across websites, apps, and services to create a comprehensive profile of their behavior. In other words, it's the use of trackers (like cookies) to "connect the dots" about a user across different platforms.

Cross-context tracking is essentially a variant of behavioral advertising that also raises privacy concerns.

In fact, the CCPA (CPRA) considers cross-context behavioral advertising as a sale or sharing of personal information. As such, it gives California's residents the right to opt out.

Despite its sensitivity, behavioral advertising (and its related techniques) can be applied legally in many jurisdictions as long as specific requirements are observed.

Behavioral advertising invites strict legal attention in many regions worldwide, and for good reason. Let's look at how the laws of modern privacy pioneers like the EU and the U.S. approach it.

In the EU/EEA, the General Data Protection Regulation (GDPR) and EU Cookie Law regulate all activities relating to personal data protection and digital privacy.

When it comes to behavioral advertising, the most applicable provisions of the GDPR are as follows:

  • Process data (including for behavioral advertising) only when you have one of the GDPR's six lawful bases.
  • If you're using the legal basis of consent (and you should for behavioral advertising), observe the GDPR's consent standards. (Articles 6 and 7)
  • Give consumers clear and transparent information about how and why you use their data, including for behavioral advertising. (Articles 13 and 14)
  • Honor consumers' GDPR rights, including the right to object to data processing for direct marketing, which includes behavioral advertising. (Articles 15 to 21)
  • Allow consumers to opt out of solely automated decisions, including profiling (which is used in behavioral advertising), that could affect them legally or in a similar capacity. (Article 22)

Since behavioral advertising involves using trackers like cookies, the EU Cookie Law also applies. Its major requirements are as follows:

  1. Obtain GDPR-style consent for advertising cookies and similar trackers
  2. Provide clear, comprehensive information about your use of cookies and similar trackers (typically through a Cookies Policy)

Here's how the legal text explains this under Article 5(3):

EUR-Lex ePrivacy Directive Article 5 3 with the beginning highlighted

Keep in mind that violations of the GDPR and EU Cookie Law attract a maximum fine of €20 million or 4% of a company's global annual turnover from the preceding financial year.

Under the CCPA (CPRA), behavioral advertising revolves around the sale or sharing of personal information.

Specifically, the CCPA (CPRA) defines "sharing" as disclosing a consumer's personal information to a third party for cross-context behavioral advertising:

CCPA Definition of sharing

To ethically apply behavioral advertising, the CCPA (CPRA) sets out the following requirements:

  1. Provide consumers with comprehensive information about how you collect, use, disclose, sell, or share personal information, including for behavioral advertising purposes.
  2. Give consumers a simple way to opt out of the sale and sharing of their personal information, including opting out of behavioral advertising (more on this below).

Though lower than those under the GDPR, fines for CCPA (CPRA) violations are pretty significant, going as high as $7,500 for each violation.

Following California's lead, other states in the U.S. have set out rules for compliant behavioral advertising in their respective privacy laws.

At the time of this writing, the following laws are in force and include provisions for behavioral advertising:

  • Colorado Privacy Act (CPA)
  • Utah Consumer Privacy Act (UCPA)
  • Connecticut's Data Privacy Act (CTDPA)
  • Virginia's Consumer Data Protection Act (VCDPA)

By and large, the behavioral advertising requirements across these laws are identical. They include:

  1. Be transparent about your data processing practices, including behavioral advertising.
  2. Honor consumers' right to opt out of targeted advertising and profiling.

While other U.S. states have upcoming privacy laws in the works, their behavioral advertising requirements aren't far off this path.

Now that we've seen the implications and legal requirements of behavioral advertising, let's unpack how to comply accordingly.

How Do You Perform Behavioral Advertising in a Compliant Way?

Here's our list of practical steps to keep your behavioral advertising practices legally sound:

  • Be transparent about your behavioral advertising practices
  • Obtain valid, opt-in consent when needed
  • Give users a simple way to opt out of behavioral advertising
  • Only engage compliant partners and third-party services

Let's go over each in more detail.

Be transparent about your behavioral advertising practices

Virtually every privacy law requires you to be transparent about your data processing practices. This is especially critical for behavioral advertising.

At a minimum, you'll need to disclose the following information:

  • A notice about your behavioral advertising practices
  • The types of personal information you collect for behavioral advertising and why
  • Whether you share data with third parties for behavioral advertising purposes
  • The categories of third parties with whom you share data for behavioral advertising
  • Whether or not you sell or share personal information, including for cross-context behavioral advertising (under the CCPA/CPRA)

In practice, you should disclose your behavioral advertising practices in three key locations on your online platform:

  1. Before placing trackers on users' devices (typically on your cookie consent solution)
  2. In your website/app Privacy Policy
  3. In your website/app Cookies Policy

For example, here's how France24 discloses its use of targeted advertising cookies on its cookie consent solution and links to its Privacy Policy for more information:

France24 Cookie Consent Solution

And here's how Grindr explains its behavioral advertising practices in comprehensive detail within its Privacy Policy:

Grindr Privacy Policy: Behavioral advertising clause

Similarly, People Force explains its behavioral advertising practices using a more concise clause in its Cookies Policy:

People Force Cookies Policy: Targeting or 'Behavioral Advertising' cookies clause

Obtain valid, opt-in consent when needed

Consent is arguably the most important requirement for behavioral advertising across jurisdictions.

In the EU/EEA, consent is now the most appropriate legal basis for behavioral advertising under the GDPR. Meta's legal troubles further confirm this.

In the U.S., privacy laws like the CCPA (CPRA) don't explicitly require consent for behavioral advertising. However, the growing concern in this area of law may prompt new regulatory updates soon.

For now, the GDPR's consent requirements remain the most relevant. If you're using consent for behavioral advertising, the GDPR requires you to keep to the following standards:

  • Freely-given: Consent must be given freely without the threat of negative consequences.
  • Specific: Consent can only be obtained for a single, explicitly defined purpose at a time. For instance, consent for email subscriptions must be separate from consent for data sharing.
  • Informed and Unambiguous: Data subjects must be given all relevant information about what they're consenting to. In addition, the process for getting consent must be simple and straightforward.
  • Clear, affirmative action: Data subjects must take some kind of action (i.e., opt-in) to confirm their consent, such as clicking a button, flipping a switch, or ticking an empty checkbox.

For example, here's how Eightcap's cookie consent banner satisfies the GDPR's standards by explaining how it uses cookies for targeted ads and requesting specific, opt-in consent through a switch:

Eightcap Cookie Consent Notice Banner with Marketing Cookies highlighted

Similarly, Sky's cookie consent banner explains its use of cookies for personalized ads, and requests consent through simple buttons:

Sky cookie consent notice banner

Importantly, consent must be just as easy to withdraw as it was for users to give in the first place.

Here's an example from Dreamdata's cookie settings with simple options for users to withdraw or update their consent:

Dreamdata Cookie Consent Settings

Give users a simple way to opt out of behavioral advertising

As mentioned, privacy laws require you to give consumers a simple way to opt out of behavioral advertising.

Under the GDPR, consumers have the right to object to direct marketing, which includes behavioral advertising:

GDPR Article 21: Right to object with section 3 highlighted

Under the CCPA (CPRA), consumers have the right to opt out of the sale or sharing of their personal information, including for cross-context behavioral advertising:

California Privacy Protection Agency FAQs: Right to opt out of cross-context behavioral advertising

In practice, you can honor opt-out rights in many different ways, such as:

  • Providing a dedicated link, button, or switch on your website/app
  • Including an unsubscribe link in your email marketing campaigns
  • Setting out simple instructions within legal agreements like your Privacy Policy
  • Supporting industry-standard opt-out mechanisms like Global Privacy Control (GPC)

Grindr does this well by providing a dedicated page on its website to explain its various opt-out processes for behavioral advertising:

Grindr Opt out of behavioral advertising page

In its Privacy Policy, Portnox clarifies how Virginia's residents can submit opt-out rights for behavioral advertising:

Portnox Privacy Policy: Notice for Virginia - Right to opt out section highlighted

Similarly, InVision sets out clear opt-out instructions for behavioral advertising in its Privacy Policy:

InVision Privacy Policy: Your right to opt out of behavioral advertising and tracking tools clause
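
As an added illustration (not part of the original article or any vendor's code), this sketch gates advertising trackers on the opt-in consent standards and opt-out mechanisms described above, including the `Sec-GPC: 1` request header sent by Global Privacy Control. The function names, the consent-record shape, the regime labels, the cookie names, and the choice to treat GPC as an opt-out under every regime are assumptions.

```javascript
// Added example: all names below are hypothetical, not from any real library.
const PURPOSE = "behavioral_advertising";

// Global Privacy Control is sent by the browser as the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// regime: "opt-in" (GDPR-style consent) or "opt-out" (CCPA/CPRA-style).
// How a visitor is mapped to a regime is outside the scope of this sketch.
function decideAdTracking({ regime, headers = {}, consent = null, optedOut = false }) {
  // An explicit opt-out (link, button, switch) always wins.
  if (optedOut) return { allow: false, reason: "user-opt-out" };
  // Assumption: GPC is honored as an opt-out under every regime.
  if (hasGpcSignal(headers)) return { allow: false, reason: "gpc-signal" };
  if (regime === "opt-out") return { allow: true, reason: "no-opt-out-recorded" };
  // Fail closed on anything that is not a known regime.
  if (regime !== "opt-in") return { allow: false, reason: "unknown-regime" };

  if (!consent) return { allow: false, reason: "no-consent-record" };
  // Withdrawal must take effect as easily as consent was given.
  if (consent.withdrawnAt) return { allow: false, reason: "consent-withdrawn" };
  // Specific: consent for another purpose does not cover advertising.
  if (!Array.isArray(consent.purposes) || !consent.purposes.includes(PURPOSE)) {
    return { allow: false, reason: "purpose-not-consented" };
  }
  // Clear, affirmative action: pre-ticked boxes or implied consent do not count.
  if (consent.method !== "affirmative-action") {
    return { allow: false, reason: "not-affirmative" };
  }
  return { allow: true, reason: "valid-opt-in" };
}

// Only the strictly necessary cookie is set unless the decision allows ads.
// Cookie names and values are constructed placeholders.
function cookiesToSet(decision) {
  const cookies = ["session=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax"];
  if (decision.allow) cookies.push("ad_id=PLACEHOLDER; Secure; SameSite=None");
  return cookies;
}

// Constructed sample: EU visitor who switched on the marketing toggle.
const sampleConsent = {
  purposes: [PURPOSE],
  method: "affirmative-action",
  givenAt: "2024-01-01T00:00:00Z",
  withdrawnAt: null,
};
const sampleDecision = decideAdTracking({ regime: "opt-in", consent: sampleConsent });
console.log(sampleDecision, cookiesToSet(sampleDecision));
```

Logging the `reason` alongside each decision gives you a record of why a tracker was or was not set for a given request.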

Choose compliant partners and third parties

Compliance is a collective effort. To avoid issues as an advertiser, only engage reputable partners and third parties with similar compliance commitments.

Relevant certifications or compliance with standards like the IAB's Transparency & Consent Framework (TCF) can indicate reliable publishers or ad networks to partner with.

For example, here's how Amazon highlights its commitment to share information only with subsidiaries who follow its Privacy Notice or observe equally protective practices:

Amazon Privacy Notice: Does Amazon share your personal information clause

From the constant push by privacy activists to evolving regulations, the future of behavioral advertising appears bleak. The biggest example in support of this is the ban placed on Meta's behavioral advertising practices in the EU/EEA.

To get more context on the declining state of behavioral advertising, let's briefly go through the highlights:

  • Increased regulatory heat: After several complaints from NOYB (a privacy-focused consumer association) against Meta, the EU banned the tech giant's behavioral advertising practices on October 27, 2023. This indicates a shift toward stricter rules in this area of law.
  • The pivot to consent: In response to regulatory pressures, Meta changed its legal basis for behavioral advertising from legitimate interests to consent. Going forward, this implies that consent is the only acceptable legal basis for targeted ads in the EU.
  • The decline of third-party cookies: Once the most dominant tools for tracking users, third-party cookies (and, in turn, behavioral advertising) are on the decline. Google's decision to phase out third-party cookies in Chrome reflects this shift.
  • Upcoming regulation: The upcoming EU AI Act will likely add another layer of complexity, requiring transparency and human oversight in AI-powered advertising.

In light of these developments, many experts predict the end of behavioral advertising is near. Here's a Tweet by Max Schrems - a leading privacy activist and chairperson of NOYB - supporting this narrative:

Max Schrems tweet on the end of targeted ads

Is There a Privacy-Friendly Alternative to Behavioral Advertising?

Since behavioral advertising was outed as a privacy hazard, marketers have been scrambling for a more privacy-friendly alternative. For many, the answer is contextual advertising.

Unlike behavioral advertising, contextual advertising doesn't rely on personal data or online tracking practices. Instead, it works by showing personalized ads related to the content on the web page users are currently visiting.

Examples of contextual advertising at work include:

  • Seeing an advert for gym equipment in a fitness blog
  • Getting an ad for blenders in an article about smoothie recipes
  • Receiving an ad for smart alarms while reading about security technology

With the strict legal attention on behavioral advertising, contextual advertising is quickly becoming a popular choice. In fact, some industry experts label it a much better alternative, both legally and practically.

Summary

Behavioral advertising is a marketing technique that involves using trackers to collect data on user behavior in order to deliver ads that appeal to them.

While behavioral advertising can still be carried out legally, it's getting a lot of pushback from privacy activists, lawmakers, and consumers worldwide. In other words, the future (and longevity) of this marketing technique is uncertain.

For now, compliant behavioral advertising in major jurisdictions means observing the following requirements:

  • Get explicit, opt-in consent as a precautionary measure
  • Be transparent about your behavioral advertising practices
  • Provide a simple way for users to opt out of behavioral advertising
  • Only work with compliant partners and third parties to avoid issues

Remember, illicit behavioral advertising not only triggers costly financial penalties but puts your reputation at risk - an arguably more damaging consequence.
