• EN
    • DE
  • Login
Consent Management Platform
Consent Management Platform (CMP) Usercentrics
  • ProductsHolistic Consent Management Software
    • Website Consent Management
    • Mobile Consent Management
    • AMP Consent Management (BETA)
    • Smart Data Protector
    • Automatic Privacy Policy
  • Solutions
    • GDPR
    • CCPA
    • CMP for Publishers
  • Pricing
  • Resources
    • Developer Documentation
    • Videos
    • FAQ
    • Knowledge Hub
    • Whitepaper
    • Webinars
    • RFI Template
    • What’s new?
  • Partner
    • Find a partner
    • Become a partner
    • Tech Partner
    • Expert Partner
    • Reselling Partner
    • Referral Partner
  • Company
    • About us
    • Career
    • Press
    • Events
    • Contact
  • GET STARTED NOW
  • Menu
Marketing & GDPR
May 22, 2019 | 4 min read

Do I need a user’s consent for retargeting?

Resources
Knowledge Hub
Do I need a user’s consent for retargeting?

Table of contents

Show more Show less

What is retargeting?

With retargeting, a user’s browser history is analyzed to address the user with products that he/she showed interest in before.

Because of a personalized address, retargeting campaigns are extremely effective to bring back former website visitors and turn them into lucrative recurring customers.

But retargeting only works on the basis of user and behavioral data, which are generated through tracking cookies.

The GDPR and retargeting

Retargeting uses the personal data that is obtained and processed by cookies.

This usually includes the IP-address, which has already been classified by the German Courts as personal data to the GDPR.

Furthermore the usage behavior of the website visitor, e.g. which products the visitor looks at, which landing pages the user visits, where he/she clicks, will be captured.

In addition, the online behavior outside a website can be enriched with these data, so that a user profile can be generated.

For obtaining and processing these data, the GDPR requires a legal basis according to Article 6 GDPR, e.g. obtaining a consent.

Justified interest or consent for retargeting?

The question, whether retargeting can be based on justified interest (Article 6 (1f) GDPR) or on the user’s consent (Article 6 (1a) GDPR) is controversial.

To prove “justified interest” in accordance with article 6 (1f) GDPR the company has to be able to proof a corresponding balance of interests in favor of their own economic interests against the data protection interests of the users.

This is because comprehensive profiling and the “tracking” of a user with products, that he/she looked at on several websites, is hard to justify.

As a yardstick the GDPR takes what the average user could expect.
The majority of privacy advocates, especially data protection authorities, clearly see the consent as a prerequisite for retargeting with tracking cookies. Large providers of retargeting technologies such as Google and Facebook are in favor of unambiguous consent as the basis for retargeting and also stipulate this in their terms of contract.

When providing consent, it must be ensured that all the criteria for a valid consent pursuant to the GDPR are met.

Consents for Google Remarketing Services

The biggest provider of remarketing services (e.g. Google Ads, Google Remarketing) is Google – which means that Google sets the tone when it comes to the implementation of the GDPR.

Google describes in its “EU standard for consents”, that advertisers need to obtain and proof the legally watertight consent for their advertising services, especially retargeting.

That means that all Google Ads customers have the duty to obtain the explicit and freely given consent of their website visitors before Google Ads cookies collect data for personalized retargeting advertising.

Advertisers have no long-term choice but to fulfill all criteria, if they would like to profit from and use Google Tools.

In the future, Google will demand the consent to be obtained from the advertisers not only legally but also programmatically: Google has once again confirmed its agreement to join the IAB Transparency & Consent Framework.

Consent for Retargeting on Social Media Channels like Facebook, LinkedIn, Twitter, etc.

Unique cases exist such as if the advertiser happens to use a special pixel or cookie from a social media channel such as the Facebook Pixel and displays its website visitors with personalized advertisement.

According to Article 6 (1) GDPR, this will cause legal issues seeing as in order to use retargeting and personalization, explicit consent is necessary.

Therefore, the advertiser has to obtain consent from users in a freely, informed, and explicit, manner when using data for Facebook.

Although, the user may indeed have given – deeply buried within the terms and conditions – consent to create a profile through the data which he/she has provided and which is being collected by pixels on external sites, it must be noted that this type of consent does not comply with the DSGVO.

Still, these cookies and pixels collect data from all visitors. Even those who do not have an account with a social network.

Incidentally, this consent can not be extended to all advertisers who may advertise on social networks such as Facebook.

In this regards, Facebook Custom Audiences is strongly condemned by authorities and courts and is only possible with the consent of the user.

Facebook requires the consent

Similar to Google, Facebook states in its “Policy for Consent to Developers” that advertisers who have Facebook Pixel installed on their website or in their app must be able to obtain and prove their users’ consent.

Consent for retargeting with AdTech technologies like Criteo

Consent for retargeting with AdTech technologies like Criteo.
Criteo itself does not stipulate in their terms and conditions that one must obtain consent.

Thus, it is up to the advertiser to decide if he or she sees the requirements for legitimate interest.

As stated above, there lacks a strong basis of argumentation under the GDPR. The interests of the person concerned predominate regularly.

Result: Retargeting is only possible with given consent.

Sources and related links:

  • Press release of the BayLDA on the need for a consent for Facebook Custom Audiences: https://www.lda.bayern.de/media/pm2018_18.pdf
  • Facebook policy of consent for advertisers who use the Pixel: https://developers.facebook.com/docs/privacy?locale=de_DE
  • Google EU Consent Policy: https://www.google.com/intl/de/about/company/user-consent-policy.html
  • Google confirms membership of the IAB Transparency & Consent Framework: https://martechtoday.com/exclusive-iab-europe-to-release-updated-consent-framework-google-to-sign-on-230704

Disclaimer

Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.

Related Articles

The latest ePrivacy Regulation: when will it come, what will change, and how can companies get prepared?
February 24, 2021
6 min read
GDPR ComplianceMarketing & GDPR

The latest ePrivacy Regulation: when will it come, what will change, and how can companies get prepared?

Are you looking forward to the end of the ePrivacy Regulation? After all, the discussion about a Europe-wide, uniform...

Read more
Google Consent Mode: everything you need to know in 5 minutesGoogle Consent Mode
January 15, 2021
4 min read
Google Analytics & GDPRMarketing & GDPR

Google Consent Mode: everything you need to know in 5 minutes

Use Google Analytics, Google Tag Manager or Google Ads while being GDPR-compliant simultaneously? Don’t think it’s possible? Well think...

Read more about Consent Mode
5 Reasons why you should become a Usercentrics PartnerPartnership
January 15, 2021
Marketing & GDPR

5 Reasons why you should become a Usercentrics Partner

With stringent data protection regulations increasing at rocket speed, we have made it our business to offer a consent...

Read more about our Partnership

Next Steps

Scan your website

Scan your website

Check your privacy compliance
Request a demo

Request a demo

Schedule for free
Get started

Get started

See our pricing

Legal Update

Always up-to-date: With our legal update, we keep you up to date with the latest trends around data protection.

Products

  • Website Consent Management
  • CMP for Publishers
  • Mobile App Consent
  • Automatic Privacy Policy
  • Smart Data Protector
  • AMP Consent Management (closed beta)

Resources

  • Whitepaper
  • Case Study
  • On Demand Webinars
  • Live Webinars
  • Knowledge Hub
  • RFI Template
  • Videos
  • FAQ
  • Developer Documentation

About Us

  • Who we are
  • Career
  • Press
  • Events
  • Contact

Our Mission

Helping companies to achieve compliance in harmony with their marketing strategy.

Legal

  • Legal Notice
  • Privacy Policy
  • Terms and Conditions

Address

Usercentrics GmbH
Sendlinger Straße 7
80331 Munich
Germany

© Copyright 2021 Usercentrics

This website and all services provided by Usercentrics are not intended for users and companies outside of the European Union, U.K. or Switzerland.

What are cookies? Are Cookies personal data Results Analysis European Elections European elections: Websites of German top candidates checked on GDPR compl...
Scroll to top