Remarketing is one of the best things that's ever happened to online advertisers. However, this method of targeting specific website visitors may become a legal minefield when the General Data Protection Regulation (GDPR) comes into force on May 25th, 2018.

If remarketing is your go-to method to bring in repeat customers, be prepared to make some changes.

We'll fill you in on the changes that are going to occur and how to keep remarketing in compliance with the GDPR.

Remarketing Essentials

Remarketing is a personalized form of online advertising that uses a visitor's browsing history to target them with products they have previously shown interest in.

Because they are so personalized, remarketing campaigns are highly effective in bringing back recent website visitors and creating repeat customers.

However, the very nature of remarketing relies on the collection of analytical data about consumers and placing tracking cookies on their web browsers.

Therein lies the problem with the upcoming GDPR regulation.

The GDPR and Remarketing

The GDPR requires that online businesses obtain the express, unambiguous consent of EU residents before collecting their analytical data or placing any advertising cookies in their browsers.

These requirements go far beyond a passive cookies policy or informative cookies banner.

EU visitors must be given an opportunity to click to consent to advertising cookies or opt-out of them completely before they may be placed.

If you're thinking "Well, I don't run a business in the EU, so this doesn't apply to me," you will receive an unpleasant surprise in May.

The GDPR can and will be enforced on any business that collects so much as an IP address from an EU resident, regardless of where the business is located.

The internet is an international marketplace. Can you really guarantee that no visitor from the EU will ever come across your website or mobile application?

Google Setting the Stage

Google has declared its full support for the GDPR since it launched in 2016. Being the largest provider of remarketing services, Google is leading the charge on compliance.

Recently Google sent the following message out to all AdWords advertisers to inform them of the upcoming changes:

Google AdWords email notice about updated EU User Consent Policy - GDPR

As you can see, Google will now require all AdWords clients to obtain legally-valid consent to collect data for personalized ads from EU residents.

Since the vast majority of advertisers use Google as their remarketing provider, these advertisers will have no choice but to comply if they wish to continue using Google tools.

According to Google's new EU User Consent Policy, advertisers will need to meet the following requirements in order to use Google's analytics and remarketing tools when it comes to end-users in the EU:

  • Obtain valid consent from EU residents before collecting their personal information for the purposes of marketing analytics or personalized advertising.
  • Obtain valid consent before placing any analytical or advertising cookies.
  • Maintain records of consent given by each user.
  • Provide users with clear instructions on how to revoke consent.
  • Clearly identify any third party that may collect, receive, or utilize users' personal data.

Make Your Remarketing Campaigns GDPR-Compliant

This list of action items will bring your Google Analytics and remarketing campaigns up to GDPR standards.

1. Update Your Privacy Policy

First, make sure your Privacy Policy includes a section dedicated to personalized advertising.

In this section, you will need to disclose exactly which kinds of information you collect about users and how that information is shared and used for advertising. Full disclosure is very important for GDPR compliance.

Second, include instructions in the Privacy Policy for users to opt-out of personalized advertising.

This can be as simple as linking to your provider's ad settings interface, such as Google's Ads Manager.

This paragraph from Clickseed's Privacy Policy describes their methods of data collection and sharing for advertising purposes. It also includes links to opt out of personalized ads.

Clickseed Privacy Policy: This website uses Google AdWords and Facebook Remarketing Tags clause

Another solution is to provide users with your own custom opt-out solution, like this one from Adobe:

Adobe Opt-Out Page: Set Preferences: Interest-based ads and cookies tool

Adobe also provides an entire page where users can control how their data is used, including communications and targeted ads:

Adobe Opt-Out Page: Your data. Your Choices. Intro clause with links

In addition to the topics described above, your Privacy Policy will need to provide instructions on how end users can access and delete their personal information if they want to.

While basic account information can usually be erased by the end user within your account settings interface, the analytics data you hold on them will only be accessible to the account holder of the remarketing provider.

In other words, if an EU customer wishes you to erase their analytics data permanently, you or one of your employees will need to personally log into your remarketing provider's client interface (such as the Google AdWords administrative interface) in order to delete analytics or remarketing data for specific end users.

Provide consumers with instructions on how to make this request.

Globalscape lets visitors know of their right to be erased and provides a method of contact for them to make this request:

Globalscape Privacy Policy: Right to Erasure clause

Since the Privacy Policy describes your remarketing methods as well as users' rights regarding opting-out and erasure, it's a good idea to request users to consent to the Privacy Policy as soon as possible after they access your website or mobile app.

One great way to request consent right away is to incorporate a link to your Privacy Policy within the GDPR notice or cookies banner that pops up as soon as a visitor enters your platform.

Here is a very simple yet compliant example from Globalscape:

Globalscape cookies notice with Privacy Policy link and Accept button

Of course, it is also highly recommended to require users to consent to your Privacy Policy before they use your service or send you any type of personal information within a webform:

Jimmy Choo has a clearly marked checkbox that visitors must tick to consent to the Privacy Policy before registering on the website:

Jimmy Choo account registration form with checkboxes for opting in to marketing communications and agreeing to Privacy Policy

3. Update Your Cookies Policy

If you don't already have a dedicated Cookies Policy, it's time to implement one. The GDPR is all about transparency, and a thorough Cookies Policy is one way to create transparency for visitors.

Here is a summary of the BBC's Cookies Policy to illustrate some of the subject matter included in a typical Cookies Policy:

BBC: About Cookies and Cookie Settings menus

First of all, you'll need to define cookies and explain to your visitors what they are and why you use them. Be as detailed as possible and help consumers understand why cookies are necessary.

As far as remarketing goes, you'll need to be very specific about third-party advertising and analytics cookies.

The GDPR requires that you specify which third-party cookies you use and why.

Here, Shell Global explains why and how they use third-party cookies, as well as how cookies are used for advertising purposes. Users are also informed about how to reject and delete cookies:

Shell Global Cookie Policy: Advertising purposes, third party cookies and how to reject and delete cookies clauses

Shell also includes a detailed cookie chart that specifies each type of cookie that is used by the site and what its purpose is:

Shell Global Cookie Policy: Description chart with opt-out links

Note that there is a link provided to opt-out of each cookie. This is one way to provide users with a method to opt-out of specific cookies.

We will go into more detail on this topic below.

Consent for advertising and analytics cookies will be the cornerstone of compliance for remarketing under the GDPR.

These are the tools that remarketing and personalized advertising campaigns use to collect data about individuals, so they must be disclosed to visitors and specifically consented to before they are placed.

The Hewlett Packard Enterprises data collection and cookies notice pops up upon navigation to their homepage. It specifically mentions cookies and the collection of information for marketing and promotional efforts, asking that users click to consent and continue:

Hewlett Packard cookies notice with Continue button for consent

It's important to remember that when it comes to valid consent under the GDPR, the visitor must take a decisive action, such as a click or the tick of a checkbox, before any remarketing cookies may be placed in the browser.

Within its Privacy Statement, HPE offers an opt-out interface for visitors to opt-out of marketing and analytics cookies.

This step is vital in order to make remarketing legal under the GDPR:

Hewlett Packard Privacy Statement: My privacy preferences with opt-in/opt-out permissions options

5. Keep Good Records

The final step in ensuring a GDPR-compliant remarketing campaign is to update your consent recordkeeping system.

None of your consent methods will matter if you do not keep meticulous records of obtaining consent.

Both the GDPR and remarketing service providers like Google require you to keep a record of valid consent for remarketing for every EU user in your database.

A Few Good Examples

Here are a few online businesses that are continuing their remarketing campaigns while maintaining GDPR compliance:


We've already touched on Google's compliance with the GDPR as a remarketing provider, but they follow the same level of compliance protocols when dealing with end users.

First off, check out this comprehensive GDPR notice that pops up when an EU resident accesses the Google homepage:

Google privacy reminder notice about data processing with I Agree button

This notice covers everything from a description of the data Google collects via cookies to a link to their Privacy Policy, as well as a specific mention of personalized advertising.

Finally, a prominent "I Agree" button and "Other Options" link give visitors the opportunity to consent or opt out.

When the user clicks "Other Options," this interface appears:

Google privacy reminder notice: Other Options with edit settings

Here, the user can control the information that Google collects about them in minute detail. This is transparency at its best.

Within its Privacy Policy, Google describes the information it collects about users for marketing purposes and how it is shared:

Google Privacy Policy: Information we collect: Cookies and similar technologies clause

Google goes on to list out every possible way that customers may access, control, or delete their information. Note that there is also a link to control advertising preferences:

Google Privacy Policy: Transparency and choice clause

Finally, Google gives a more in-depth description of the different types of cookies that it uses, including third-party and advertising cookies:

Google Privacy and Terms: Types of cookies used by Google chart


The UK's most famous news network is also working hard to reach GDPR compliance. They provide visitors with this information upon navigation to the BBC's website:

BBC's updated cookie policy notification

Note that this cookies notification isn't actually GDPR-compliant because it does still use browsewrap and doesn't obtain clear consent for placing cookies. The sentence that says, "If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the BBC website" is the sentence that ruins this notice.

By deleting that sentence and requiring users to click Continue to consent to have cookies placed on their devices, this notice would be a great example of GDPR compliance.

Aside from that browsewrap sentence, there are some good things going on in this notice.

It links users to an explanation of the data the BBC collects, includes a "Continue" button to accept collection of data, has a link to the Privacy Policy and also has a link to where users can change cookie settings.

When visitors click the "Change settings" button, they are directed to this interface where they can choose which cookies to accept or block:

BBC's page for changing cookies settings with toggle choices

The BBC's Privacy Policy appropriately contains information about the company's use of third-party advertising. There are also simple instructions on how to opt-out of personalized ads:

BBC Privacy Policy: Will I be contacted for marketing purposes clause - Third party advertising section

Here you can also find instructions for how to delete consumer information held by the BBC:

BBC Privacy Policy: Can I delete my data clause

A clause about cookies explains how the BBC uses cookies to serve targeted advertising. Further information and instructions on how to opt out of this is linked within the clause:

BBC Privacy Policy: How does the BBC use cookies clause mentioning targeted advertising

The BBC informs users about its remarketing practices and provides easy-to-find information for opting out or adjusting relevant settings.

Aside from the use of browsewrap in the cookies notice, the BBC is doing a great job towards achieving compliance for remarketing under the GDPR.


To continue remarketing compliantly with the GDPR, remember to do the following:

  • Update your Privacy Policy to disclose your use of third-party advertising services and that you collect and use personal information for such purposes.
  • Update your Cookies Policy with detailed information about what cookies you use that involve remarketing.
  • Get clear, active consent for both of these policies, as well as for placing cookies. Get this consent before you ever place a remarketing cookie!
  • Provide users with a way to adjust cookies settings, as well as edit or delete personal information you use for remarketing. Let them opt out even after they've opted in.
  • Keep records of all consent you've acquired.
