Remarketing, also known as retargeting, is a powerful tool to use in your marketing campaigns.

It's important that you reflect and disclose your use of remarketing platforms to your users.

There are two main reasons why you need a Privacy Policy:

  • Privacy Policies are legally required. A Privacy Policy is required by global privacy laws if you collect or use personal information.
  • Consumers expect to see them. Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.


Laws on remarketing

Countries around the world have data privacy legislation in place that requires you to tell your users what information you're collecting from them and for what purpose. You need to consider this legislation before investing in a remarketing campaign.

This includes disclosing your use of remarketing platforms because of how they work: Google AdWords works by collecting information about your users in order to track them, and then shows them your ads later on.

This means that, for users visiting your website, you need to ensure that you have a comprehensive legal agreement (the Privacy Policy agreement) in place to disclose this.


In the US, the main data protection law is a state law (rather than an overarching federal law), the California Online Privacy Protection Act (or CalOPPA). This legislation requires you, as a business owner, to display your legal agreement prominently and to tell your users:

  • What kind of information you collect
  • How that collected information may be shared
  • How users can review and/or change the collected information you have on them
  • Your agreement's effective date and a description of any changes since then, if any.

Here's an example of a "California Privacy Notice", from Sony's website:

California Privacy Rights Notice from Sony


UK law is a little different, and is currently covered in the Data Protection Act 1998. This law is informed by and brings into force the principles of the EU Data Protection Directive.

If you're based in the UK but have users from California, you need to comply with both: CalOPPA in the US, and the Data Protection Act in the UK.

You may also need to comply with other countries' laws as well if your customers are international, or if you have branch offices around the world. Most countries have similar privacy requirements, but the EU is one of the most rigorous.

If you haven't got a handle on users' privacy in your business, and you aren't transparent about your personal information collection practices, not only will you be in breach of the law but you may also be losing valuable customer trust.

Current best practice "includes being proactive in letting users know what you collect, when, how, and what you plan to use it for."

Gordon Daniell, of online marketing platform Kentico, notes that:

If customers know that you're collecting this data and why, and you can make them comfortable, there is a better chance they'll stay loyal and keep buying, rather than flee at the first highly targeted ad.

Requirements for remarketing

The first requirement is to update your Privacy Policy agreement, because all remarketing platforms now require businesses to inform their users that the business's website or mobile app may use third-party vendors to show ads across other websites or apps that users visit, based on their past visits to the business's service.

If you've started using remarketing campaigns, but you haven't yet included the above information in your legal agreement, do so to properly inform users.

Third parties

This update isn't required just so that you can meet your legal obligations to your customers, it's also so that you can comply with the third party's requirements for using their service.

Google requires you to include certain information in your Privacy Policy when you start using the remarketing features of AdWords. These are:

  • Disclosing how you're using remarketing
  • Disclosing that (and how) third-party vendors (including Google) show the ads you've created in your remarketing campaign on other websites across the Internet
  • Disclosing how third-party vendors (including Google) use "cookies" to show your ads based on someone's past visits to your website
  • Informing users how they can opt out of such third-party (including Google) use of cookies

CAN-SPAM


In many remarketing campaigns, businesses will show ads on other websites to past visitors. If these visitors click these ads, they are redirected to a landing page where the business can ask them for their email address in exchange for a discount, an ebook download, etc.

Because these visitors are now subscribing to an email newsletter, the business now needs to make sure it complies with the CAN-SPAM Act.

CAN-SPAM applies to businesses operating in the United States, but the principles detailed in "A Compliance Guide for Business" by the Bureau of Consumer Protection are also found in other legislation across the globe, e.g. Canada's CASL (Anti-Spam Legislation).

CAN-SPAM applies to any commercial messages that you send as a business.

Each email that violates this Act can have fines up to $16,000 USD.

The Act doesn't apply only to commercial emails you may send, but to all commercial messages ("any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service"). This can be a simple informative message that you send to your customers announcing a new product.

Compliance with CAN-SPAM in the US is pretty straightforward.

The first step when complying with CAN-SPAM should be to review your Privacy Policy to make sure you are informing users about what information you collect and how this information will be used.

The second step of the compliance plan is to review that you comply with CAN-SPAM's main requirements:

  • Don't use false or misleading header information.
  • Don't use deceptive subject lines.
  • Identify the message as an ad.
  • Tell recipients where you're located.
  • Tell recipients how to opt out of receiving future email from you.
  • Honor opt-out requests promptly.
  • Monitor what others are doing on your behalf.

Consider the three types of messages that a business sends to customers:

  • Commercial content (promoting a new product, advertising etc.)
  • Transactional or relationship content (updating a customer about a certain order etc.)
  • Other content (anything with neither informative nor commercial content)

If your message has commercial content, it falls under the CAN-SPAM Act.

If it's only transactional or informative (with no commercial content), it "may not contain false or misleading routing information", but otherwise it doesn't fall under the CAN-SPAM Act.

The Bureau of Consumer Protection mentions this:

If the message contains only commercial content, its primary purpose is commercial and it must comply with the requirements of CAN-SPAM. If it contains only transactional or relationship content, its primary purpose is transactional or relationship. In that case, it may not contain false or misleading routing information, but is otherwise exempt from most provisions of the CAN-SPAM Act.

EU Cookies Directive


Remarketing services by Google AdWords or other third-party vendors (AdRoll, Perfect Audience, AppNexus etc.) must use cookies in order to keep track of visitors. Thus, complying with the EU Cookie Directive is a must.

The so-called "Cookies Law" was introduced in Europe through amendments to a 2003 EU e-privacy directive that requires websites to get the consent of users before using tracking technologies such as cookies.

The British Information Commissioner's Office (ICO) fines UK-based web sites up to £500,000 if they do not comply with this law.

You need to comply with this directive if you're using any kind of cookies, either directly (via your website or mobile app) or through third-party vendors that you're using (Google AdWords, Google Analytics etc.).

Let's say your website is running a remarketing campaign with Google AdWords (or through the Google Analytics List) and a visitor just left your web site for another website, without buying your product.

Google remembers this visit and will display the ads you want within the websites that this specific user is visiting. Google can only show the ads in websites that are part of the Google Display Network.

Google AdWords keeps track of everyone through their browser's cookies.

Besides the vendors providing you with remarketing capabilities, your website or mobile app can also use various types of cookies, such as authentication cookies (the "remember me" option found on login pages).

There are various ways to comply with this directive for EU-based businesses:

Inform users about cookies in your Privacy Policy agreement.

Your Privacy Policy should be updated with a section "Cookies" informing users that you (and third parties that you use) are using and storing cookies.

You can also use a Cookies Policy agreement instead.

A fixed footer notification.

The ICO itself follows this approach. Their website has a fixed footer across all pages to let users know how they collect and use cookies.

ICO Notification: Cookies are in use on website

As you can see, it's not found at the bottom of the page like most Privacy Policy or Terms and Conditions pages.

ICO places a link to the "Change your cookie settings" page within the notification text box, where you can see the name of cookies they store and for what purposes.

You are not required to inform users of your remarketing campaigns using this type of notification. This notification is to inform that you are using cookies.

A top header notification.

This kind of notification usually begins with "We use cookies on (name of the website here)."

When a visitor clicks something like a "Yes, I agree to cookies usage" or "Continue" button, the user has given the website consent to collect and use cookies.

BBC Notification: Cookies on website

The top header notification message bar doesn't disappear until the consumer has taken action, either by clicking "Yes, I agree" or by pressing the Continue button; either action counts as permission to use cookies.

The inline header notification.

This is usually placed below the logo but above any content.

GOV UK Notification on Cookies

The Gov.UK website and The Economist use an inline notification to inform users about cookies. In the case of the latter, the notification bar moves between the top section of the website and the point just before the beginning of the content.

The box notification.

This kind of notification usually comes in a small box that will always be on the bottom right of the website regardless of how you scroll.

Similarly to the top header notification, it can disappear once the user gives consent to the cookies usage ("I Agree", "I Accept").

ICO Small Box Notification on Cookies

All these types of notifications are to inform users that the website or its third-party vendors are using and storing cookies when users are visiting the website.

CASL

CASL is similar to CAN-SPAM. The Canadian Anti-Spam Legislation (CASL) exists to deter companies from sending contacts and messages, whether in the form of e-mail, text messages, social media or other forms of electronic communication, to users without their consent.

It's a measure to avoid, or at least reduce, incidences of phishing, message routing, misrepresentation, malware, spyware and automatic collection. It also serves to restore people's trust in electronic commerce. Its main requirements are:

  • Get consent. The business must get the consent of users to receive commercial messages.
  • Identify yourself. The business must have contact details displayed: phone number, web site, mailing address etc. in order to identify who is sending that message.
  • Unsubscribe methods. Users must be able to unsubscribe if they choose to do so.
  • Not false or misleading. The message must not be false or misleading in any way.

If you've already had a Privacy Policy agreement up and running for a while, make sure you notify your users of this update. You can do that through an email or a clear notice on your website.

Here's an example of this kind of notice done through an email campaign, from Microsoft's Bing:

Bing Ads: Terms and Conditions Updated

Here's another example, from Facebook, that shows a banner on their website informing users that there has been an update to Facebook's legal agreements:

Notification example from Facebook on legal agreements update

It's very important that you don't make a change to your legal agreements that may impact your users without telling anyone.

A legal case, Roling v. E*Trade, held that it's not sufficient to just upload a copy of the new terms to your website. You must notify your users in some way that the document has changed or been updated.
