GDPR and ePrivacy: Frequently Asked Questions for AdTech Vendors
Despite the General Data Protection Regulation (GDPR) having been in force for several years, and the ongoing media coverage around data privacy, there remains a significant amount of confusion about what the GDPR and ePrivacy mean in practice for AdTech companies. The questions below address the most common — and most consequential — points of uncertainty for publishers, brands, agencies, and AdTech vendors.
What's the Difference Between the GDPR and ePrivacy?
Both the GDPR and ePrivacy are designed to protect user data, but they operate differently and cover different ground.
GDPR
The GDPR — formally Regulation (EU) 2016/679 — is grounded in Article 8 of the EU Charter of Fundamental Rights. It aims to safeguard personal data, return control of that data to individuals within the EU, and simplify the regulatory environment for international business.
ePrivacy
ePrivacy, formally the Privacy and Electronic Communications Directive (2002/58/EC), is based on Article 7 of the EU Charter of Fundamental Rights. Its focus is narrower: respect for private life specifically within the context of electronic communications.
ePrivacy is also intended to address cases not covered by the GDPR. Importantly, ePrivacy is lex specialis of the GDPR — meaning that when the two regulations address the same situation, ePrivacy takes precedence.
A useful shorthand: think of the GDPR in terms of data protection broadly, and ePrivacy in terms of user privacy in digital communications specifically.
If My Company Is Based Outside the EU, Does GDPR Still Apply?
A common misconception is that because the GDPR and ePrivacy are European regulations, they only bind companies operating within the EU and European Economic Area (EEA). Many non-European companies treat these rules as someone else's problem.
That assumption is incorrect. If a company collects information about data subjects within the EU and EEA — whether directly or on behalf of clients — it must comply with the GDPR and ePrivacy, regardless of where it is incorporated or headquartered.
Can a Company Incorporated Outside the EU Ignore the GDPR?
No — not if it collects data about EU/EEA citizens and residents. The GDPR's territorial scope is based on where data subjects are located, not where the company is based.
If a company genuinely collects no data from EU/EEA citizens or residents, compliance is not required. However, a single web visit from an EU citizen is enough to trigger GDPR obligations.
Is My Company a Data Controller or a Data Processor?
The distinction between controller and processor is relevant when a company uses software or services provided by a third-party vendor. When software is deployed on-premises and maintained entirely in-house, the company is typically considered both controller and processor.
Data Controller: A controller collects, controls, reviews, compares, and aggregates data about EU citizens and residents. It is a natural or legal person, public authority, agency, or other body that — alone or jointly with others — determines the purposes and means of processing personal data.
Examples: Publishers, e-commerce stores, individual bloggers, brands, and companies that collect user data either directly or indirectly through a third-party service.
Data Processor: A processor is any person or company that provides services or technology and collects data on behalf of a controller. It processes personal data on behalf of the controller, or delivers the tools used to collect it.
Examples: AdTech and MarTech vendors.
The distinction between the two is illustrated well in an infographic from the Piwik PRO team.
What Counts as Personal Data?
The GDPR defines personal data as any piece of information that can be used to identify a data subject. Identification here does not require knowing a person's name. If a user visits a website or sees an ad, and that person can later be recognized — via a cookie ID or other identifier — when they return, they are considered identifiable.
The GDPR explicitly adds device and advertising IDs, cookies, IP addresses, and location data to the list of personal data examples. In practice, this means virtually every AdTech company is already collecting personal data.
What is Pseudonymous Data?
Pseudonymous data is information that has been transformed into a non-identifiable format — for example, through hashing or encryption — such that it cannot identify a person without the use of additional data (e.g., the hashing function or the encryption keys).
Crucially, pseudonymous data is still classified as personal data under the GDPR, because it can be reverted to its original format. AdTech companies that pseudonymize data remain bound by GDPR and ePrivacy rules.
There is one meaningful benefit: the GDPR does not require companies to notify data subjects of a breach if appropriate technical and organizational protections — such as one-way pseudonymization or encryption without accessible keys — were applied to the data at the time of the breach.
What is Anonymous Data?
Truly anonymous data cannot be used to identify a person and is therefore not subject to GDPR rules. Companies collecting only anonymous data do not need to obtain user consent.
The practical implication for AdTech is significant: anonymous data has very limited utility, because it cannot support behavioral advertising, user targeting, or audience segmentation. Any vendor claiming to collect only anonymous data would, by extension, be unable to run targeted campaigns or apply any user-level parameters.
Can AdTech Companies (DSPs, SSPs, Ad Servers, Ad Networks, etc.) Still Collect Cookies, IP Addresses, and Device/Advertising IDs?
Yes — but only with user consent. While the GDPR's expanded definition of personal data now covers cookies, IP addresses, and device and advertising IDs, AdTech companies can still collect and use this data to run behavioral advertising campaigns, provided they have obtained clear consent from the user.
Do AdTech Companies Need Consent to Use Cookies and Collect User Data?
Yes. Because the GDPR classifies cookies, IDs stored in cookies, device and advertising IDs, and device fingerprints as personal data, companies must obtain clear and informed consent before dropping cookies or collecting user data.
For AdTech vendors and advertisers running targeted campaigns — including online behavioral advertising and retargeting — consent is a prerequisite. Without it, no advertising or marketing company can lawfully collect, use, or store user data.
Does Cookieless Tracking Fall Under the GDPR?
In short, yes. If a technique involves "tracking" a user, it almost certainly falls under the GDPR. The only data type excluded is truly anonymous data, which renders tracking meaningless anyway.
Most cookieless tracking methods rely on creating device fingerprints, which are classified as personal data — bringing them squarely within the scope of the GDPR.
Under What Circumstances Can Personal Data Be Collected Without Consent?
With respect to online advertising and marketing, there are very few circumstances that permit data collection without consent. The two primary exceptions are fraud prevention and billing — neither of which is useful from an advertising standpoint.
The vast majority of advertising and marketing activities today — including targeting, retargeting, and personalization — require explicit user consent.
What Does a Valid User Consent Request Look Like?
There is no single universally mandated format, but the most common approach is a popup or overlay message presented to the user. To satisfy GDPR requirements, the consent message must include at minimum:
- The reason why the user's personal data is being collected (e.g., behavioral advertising, analytics, personalization).
- The names of the companies with whom the data will be shared.
- The length of time the data will be stored (e.g., six months).
A number of companies have released consent management platforms to help publishers, advertisers, and AdTech vendors manage the technical implementation of obtaining, storing, and administering user-consent decisions and user rights — including Piwik PRO's consent manager.
The Interactive Advertising Bureau (IAB) has also released a Transparency and Consent Framework to help the industry navigate consent, though it has attracted significant criticism regarding its practical effectiveness.
Can AdTech Companies Claim 'Legitimate Interest' to Process Personal Data?
No — at least not for advertising purposes. Despite a common belief in parts of the AdTech industry, companies cannot claim legitimate interest as a legal basis for collecting and processing personal data for profiling or targeting.
The relevant GDPR text reads:
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
— GDPR Article 6, 1(f)
In practice, advertising-related processing is very likely to be overridden by the user's fundamental rights and freedoms, making legitimate interest an unavailable basis for AdTech data collection.
What Must Companies Do With Data Collected Before May 25, 2018?
Data controllers need to assess whether user data stored in their systems — CRM platforms, DMPs, DSPs — prior to the GDPR's enforcement date was collected in a manner consistent with the Regulation's rules on consent. Re-consent is not required if the original consent was gathered in a way that already satisfies GDPR standards, but that scenario is uncommon.
For marketers, this typically means reaching out to existing databases — usually via email — with a GDPR-compliant consent request asking data subjects to confirm their consent to use of their historical data.
For advertisers, the challenge is considerably more difficult. The indirect relationship between advertisers and the users who see their ads — compounded by the scale of cookie-syncing and similar data collection practices — makes systematic re-consent logistically impractical. The realistic options range from mass deletion of collected user data to doing nothing, with the latter carrying significant legal and financial risk.
Publishers are generally the entities responsible for collecting consent on behalf of advertisers and AdTech companies.
What Rights Do Users Have Under the GDPR?
The GDPR grants users a defined set of rights over their personal data, and companies must allow users to exercise these rights without delay — within one month.
- The right to be informed about the existence of profiling, the consequences of that profiling, the processing operation, and its purposes.
- The right to access confirmation from the controller as to whether personal data about them is being processed. (This right existed under the earlier Data Protection Directive.)
- The right to rectification of inaccurate personal data. Data subjects have the right to have incomplete data completed, including through a supplementary statement.
- The right to erasure ("right to be forgotten") — personal data must be deleted without undue delay upon request, and controllers carry an obligation to act.
- The right to restrict processing when the accuracy of the data is contested, the processing is unlawful, or the controller no longer needs the data for its original purpose.
- The right to data portability — users can request personal data collected about them in a structured, commonly used, and machine-readable format.
- The right to object at any time to the processing of personal data concerning them.
What Do AdTech Companies Need to Do Technically to Comply With the GDPR?
From a technical standpoint, AdTech companies need to address several requirements:
- Ensuring proper consent has been obtained before data collection begins.
- Abstaining from firing tags until user consent has been provided.
- Managing user-consent decisions and enabling the exercise of user rights.
- Applying additional data-protection measures — such as pseudonymization and encryption — to protect stored user data.
- Adopting a "data protection by design and default" approach when building new platforms, tools, and features.
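The first three points above can be implemented client-side as a consent gate that holds every tag until its purpose has been granted. The following is an added example, not code from the article or from any consent management platform it mentions; purpose names and the tag callbacks are assumptions, and in a browser the callbacks would inject the vendor script.

```javascript
// Added example: a minimal consent gate for AdTech tags.
// Defaults to "nothing consented" (data protection by default); tags registered
// before a decision are queued and fire only once their purpose is granted.
const NO_CONSENT = Object.freeze({ advertising: false, analytics: false, personalization: false });

class ConsentGate {
  constructor() {
    this.consent = { ...NO_CONSENT }; // privacy-friendly default
    this.pending = [];                // tags waiting for consent
    this.fired = [];                  // names of tags that actually ran
  }

  // Register a tag with its purpose; it fires now only if already consented.
  registerTag(name, purpose, fire) {
    if (!(purpose in NO_CONSENT)) throw new Error(`unknown purpose: ${purpose}`);
    const tag = { name, purpose, fire };
    if (this.consent[purpose]) this.run(tag); else this.pending.push(tag);
  }

  // Record the user's decision (e.g. from the consent popup). Purposes not
  // listed in the decision are treated as refused, never as granted.
  updateConsent(decision) {
    this.consent = { ...NO_CONSENT, ...decision };
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.consent[tag.purpose]) this.run(tag); else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  // Withdrawal stops future firing; data already sent must be handled
  // downstream (erasure request to the vendors that received it).
  withdrawConsent(purpose) {
    this.consent = { ...this.consent, [purpose]: false };
  }

  run(tag) { tag.fire(); this.fired.push(tag.name); }
}
```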
What Does 'Data Protection by Design and Default' Mean?
Data protection by design and default means embedding privacy protections into systems and processes from the outset, rather than treating them as an afterthought.
The concept is grounded in Ann Cavoukian's 7 Privacy by Design Principles, and its inclusion in the GDPR elevates privacy from an optional feature to a core requirement of system design. This applies to new software applications — including AdTech platforms — as well as to internal policies and data-sharing agreements.
In practical terms, it means building software with privacy controls that give users meaningful choice over how their data is collected and used, while ensuring that default settings are configured to be data-protection friendly.
What is a DPO and What Do They Do?
A Data Protection Officer (DPO) is responsible for educating a company and its staff on compliance requirements, supporting employees involved in data processing, and conducting regular security audits. The role also involves serving as an intermediary between the company and supervisory authorities.
Under the GDPR, appointing a DPO is mandatory for companies collecting or processing personal data of EU citizens at scale.
The European Data Protection Supervisor specifies that DPOs must:
- Ensure controllers and data subjects are informed about their data-protection rights, obligations, and responsibilities.
- Give advice and recommendations to the organization about the interpretation or application of data-protection rules.
- Maintain a register of processing operations and notify the EDPS of those presenting specific risks.
- Ensure data-protection compliance within the organization and support accountability obligations.
- Handle queries or complaints at the request of the organization, the controller, individuals, or on their own initiative.
- Cooperate with the EDPS on investigations, complaint handling, and inspections.
- Draw the organization's attention to any failure to comply with applicable data-protection rules.
What is a DPIA, and When Is One Required?
A Data Protection Impact Assessment (DPIA) is a formal process that certain companies must carry out as part of GDPR compliance. It is required when a company's data processing activities are likely to put individuals' rights and freedoms at high risk.
The Article 29 Data Protection Working Party (WP29) — now operating as the European Data Protection Board (EDPB) — provides guidance on when a DPIA is necessary. Key triggers include processing data at large scale and matching or combining datasets.
Because most AdTech companies do one or both of these things as a matter of routine, a DPIA is likely required for the majority of players in the industry.
What Are the Fines for Non-Compliance?
The GDPR establishes two tiers of administrative fines based on the severity of the infringement:
Tier 1
Fines up to €10,000,000, or up to 2% of total worldwide annual turnover from the preceding financial year — whichever is higher — for violations related to:
- Obtaining consent from a child (Article 8).
- Processing that does not require identification (Article 11).
- Obligations related to Data Protection Officers (Article 39).
- Obligations of certification and monitoring bodies (Articles 41, 42, and 43).
- Data protection by design and default (Article 25).
Tier 2
Fines up to €20,000,000, or up to 4% of total worldwide annual turnover from the preceding financial year — whichever is higher — for violations related to:
- The lawfulness of personal data processing (Articles 5 and 6).
- Conditions for consent (Article 7).
- Processing of special categories of personal data (Article 9).
- User rights (Articles 12–22).
- Transferring user data to recipients in a third country (Articles 44–49).
For further reading on GDPR obligations specific to AdTech and analytics vendors, the Piwik PRO blog offers detailed technical guidance on compliance implementation.