GDPR (General Data Protection Regulation)

The EU's comprehensive data protection law. Defines lawful bases for processing personal data, gives individuals rights over their data, and imposes fines for violations.

Written by Daniel Busch · Chief of Staff

In short

  • Applies to any business processing personal data of EU residents, regardless of where the business is based
  • Requires a lawful basis for every processing activity, usually consent for marketing tracking
  • Gives individuals rights - access, rectification, erasure, portability, objection
  • Fines up to 4% of global annual turnover or €20M, whichever is higher

What GDPR requires

GDPR has applied since 25 May 2018 and remains the most influential data protection regulation in the world. The core obligations for any business doing marketing in the EU:

  1. Lawful basis. Every processing of personal data must be justified, typically by consent (for marketing), contract (for fulfillment), or legitimate interest (carefully).
  2. Consent must be specific, informed, and freely given. Pre-ticked boxes don’t count. Bundled consent (“agree to everything”) doesn’t count.
  3. Data minimisation. Collect only what you need for the stated purpose.
  4. Storage limitation. Don’t keep data longer than necessary.
  5. Security. Appropriate technical and organisational measures.
  6. Accountability. Document everything. Be able to demonstrate compliance.

What GDPR considers personal data

Broader than most teams expect:

  • Name, email, phone, address: the obvious ones
  • IP address, device ID, cookie ID: also personal data
  • Pseudonymised data (for example a hashed email): still personal data
  • Aggregated data: usually NOT personal data, but only if it is truly anonymous

For marketing tracking specifically: the IP address alone is personal data. The cookie alone is personal data. You need a lawful basis to collect them.

The 2026 reality:

  • A user lands on your EU site
  • Your CMP (Consent Management Platform) shows a banner with clear, granular options
  • Until the user actively consents, you do NOT load tracking pixels, set tracking cookies, or fire conversion events with personal data
  • If the user rejects, you respect that. Consent Mode V2 lets ad platforms still receive a “consent denied” signal for measurement modelling, but no identifiers or other personal data flow

The “soft opt-in” or “implied consent” patterns common in pre-GDPR tracking are not lawful under GDPR.

How tracking architecture interacts with GDPR

First-party server-side tracking is generally more GDPR-friendly than client-side pixels because:

  • You decide what gets forwarded. Server-side, you can strip PII, hash identifiers, and route only what’s necessary.
  • You control when data leaves the browser. No third-party script has to load before consent is recorded.
  • You can honour consent revocation in real time. A user’s opt-out can be propagated through your server-to-server pipelines.

This doesn’t make tracking automatically compliant: you still need consent and a clear privacy notice. But the architecture is more controllable.

Common mistakes

  • Loading the pixel before consent. Strict violation. Cookie banner must block the pixel until consent is given.
  • Treating IP address as not personal. It is. Anonymise or aggregate.
  • Bundling marketing consent with terms acceptance. Not freely given. Not valid.
  • Forgetting the right to erasure. Customers can ask you to delete their data. You must have a process to honour that across all systems they touch.

FAQ about GDPR (General Data Protection Regulation)

What is GDPR?

GDPR (General Data Protection Regulation) is the EU’s comprehensive data protection law. It requires a lawful basis for processing personal data, gives individuals rights over their data, and imposes fines of up to 4% of global annual turnover or €20M, whichever is higher.

Does GDPR apply to my business if I am not based in the EU?

Yes. GDPR applies to any business processing personal data of EU residents, regardless of where the business is incorporated.

What counts as personal data under GDPR?

Anything that identifies a person: name, email, phone, IP address, device ID, cookie ID, hashed identifiers. Even pseudonymised data is still personal data. Only truly anonymous aggregated data is exempt.

Is consent the only lawful basis under GDPR?

No. Consent is one of several lawful bases. Contract performance, legal obligation, vital interests, public task, and legitimate interest are the others. For marketing tracking, consent is almost always the appropriate basis.
