GDPR Marketing 2026: Newsletter, Advertising, Profiling

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Newsletter: Active consent and double opt-in required; logging of IP, timestamp and form is mandatory
  • Cookies and pixels: Section 25 TDDDG requires consent BEFORE tag load; equal-choice rule applies
  • Profiling under Art. 22: Automated advertising personalization needs explicit consent; CJEU C-446/21 prohibits inference of sensitive data
  • Retargeting (Meta Pixel, Google Ads): Third-country transfer — SCC, TIA and consent required
  • Recent fines: Vodafone EUR 1.3m (2024), Cosmos Direkt EUR 45k (2024) for cookie/marketing breaches

1. Newsletter Consent and Double Opt-In

Active consent, double opt-in confirmation, and an unsubscribe option as easy as the sign-up are mandatory. Log each consent with IP address, timestamp and form used. Pre-checked boxes or bundled consent fail the GDPR standard.
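As an added illustration of the logging requirement above (my own example, not code from the page's author), here is a minimal double-opt-in consent ledger in Python: it refuses a pre-checked box, issues a single-use confirmation token, records IP, timestamp and form at both sign-up and confirmation, and logs withdrawal. The class and method names are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def _ts(now: Optional[datetime] = None) -> str:
    # ISO-8601 UTC timestamp; 'now' can be injected for reproducible tests.
    return (now or datetime.now(timezone.utc)).isoformat()


@dataclass
class ConsentRecord:
    email: str
    form_id: str                      # which sign-up form collected the consent
    signup_ip: str
    signup_at: str
    confirm_ip: Optional[str] = None  # filled in when the confirmation link is used
    confirm_at: Optional[str] = None
    withdrawn_at: Optional[str] = None


class ConsentLedger:  # hypothetical name, assumed for this example
    def __init__(self) -> None:
        self._pending: Dict[str, ConsentRecord] = {}  # token -> unconfirmed record
        self._active: Dict[str, ConsentRecord] = {}   # email -> confirmed record

    def start_signup(self, email, form_id, ip, checkbox_ticked, now=None) -> str:
        # A pre-checked box is not active consent: refuse unless the user ticked it.
        if not checkbox_ticked:
            raise ValueError("consent checkbox was not actively ticked")
        token = secrets.token_urlsafe(32)  # unguessable, single-use confirmation token
        self._pending[token] = ConsentRecord(email, form_id, ip, _ts(now))
        return token  # goes into the confirmation e-mail sent to that address

    def confirm(self, token, ip, now=None) -> Optional[ConsentRecord]:
        rec = self._pending.pop(token, None)  # pop: the link works exactly once
        if rec is None:
            return None                       # unknown or already-used token
        rec.confirm_ip, rec.confirm_at = ip, _ts(now)
        self._active[rec.email] = rec
        return rec

    def unsubscribe(self, email, now=None) -> Optional[ConsentRecord]:
        # Opt-out is a single call; the record is returned so the caller can archive it.
        rec = self._active.pop(email, None)
        if rec is not None:
            rec.withdrawn_at = _ts(now)
        return rec

    def may_send(self, email) -> bool:
        return email in self._active  # only double-confirmed, not withdrawn addresses
```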

2. Cookies and Tracking Pixels

Section 25 TDDDG (German Telecommunications and Digital Services Data Protection Act) requires consent before any tracking tag loads. Reject must be as prominent as Accept (equal-choice). Recent enforcement: Vodafone fined EUR 1.3 million in 2024; Cosmos Direkt EUR 45,000 in 2024 for non-compliant cookie banners.

3. Profiling under Art. 22 GDPR

Purely automated advertising personalization falls under Art. 22 and requires explicit consent. CJEU ruling C-446/21 confirms that sensitive data (health, sexual orientation, political views) must not be inferred from non-sensitive inputs. Audit ad-platform algorithms for inferred categories.

4. Retargeting via Pixel and Lookalike Audiences

Meta Pixel, the Google Ads tag and similar tools transmit data to US controllers. The full transfer chain requires Standard Contractual Clauses, a Transfer Impact Assessment, and explicit user consent. Participation in the EU-US Data Privacy Framework (DPF) alone does not remove the consent requirement for tracking.

5. Email Marketing Data Sharing

Mailchimp tracking data, Brevo click tracking and similar features require a Data Processing Agreement (DPA) plus separate consent for personalization. Transactional emails (order confirmations) follow contractual lawful basis; marketing emails always require consent.

6. Custom Audiences from Existing Customers

Uploading hashed customer lists to Meta or Google still requires fresh consent from existing customers for the advertising context: the consent given for the original purchase does not extend to ad targeting. Document this consent separately.

Summary

GDPR-compliant marketing rests on six pillars: clean newsletter consent, cookie banner equal-choice, careful Art. 22 profiling, third-country safeguards for retargeting, DPA discipline for email tools, and fresh consent for Custom Audiences. The safe baseline: double opt-in newsletter plus engagement-only tracking without personalization. Anything more requires legal review.


Frequently Asked Questions

Is 'legitimate interest' sufficient for advertising?
For existing customers, only within narrow limits (Art. 6(1)(f) GDPR plus Section 7 para. 3 UWG (German Act Against Unfair Competition)). For profiling: no.
What is legally safe?
Newsletters with double opt-in + pure engagement tracking (without personalization).
