
GDPR and AdTech/MarTech: What Obtaining User Consent Looks Like


Of all the hurdles publishers and AdTech/MarTech companies face in complying with the General Data Protection Regulation (GDPR), user consent is the most demanding.

Since May 25, 2018, any organization that wants to collect, process, and store personal data from individuals in the EU and EEA must:

  • Obtain clear, unambiguous, and freely given consent from users for each data-processing activity — behavioural targeting and remarketing included. Pre-ticked boxes do not meet this standard.
  • Disclose exactly what the collected data will be used for.
  • List every organization the data will be shared with.
  • State how long the data will be retained.
  • Manage website tags based on each user's consent decision — meaning tags should only fire after consent has been granted.
  • Store each user's consent decisions and privacy preferences for future reference and audit purposes.

But what does all of this look like in practice? The infographic below illustrates the full process.

Visit almost any EU-based website before GDPR's arrival and you'd encounter a cookie bar — a banner informing you that the site uses cookies. Under the ePrivacy directive, that notification alone was sufficient. No affirmative consent for data processing was required; websites simply had to inform users that cookies existed.

This approach was never adequate as a privacy mechanism. Cookie bars under the ePrivacy directive allowed data to be shared and leaked without users' meaningful knowledge or agreement, and they delivered a poor user experience to boot.

GDPR's consent requirements are fundamentally different. Passive notification is no longer enough; consent must be active, specific, and informed.

Technical and Practical Challenges

The process of obtaining, storing, and managing user consent decisions introduces real technical complexity. The standard approaches for handling this are either adopting a dedicated consent management platform — such as Piwik Pro's consent manager — or building a custom user consent tool tailored to the publisher's or vendor's specific data flows.

Either path requires thoughtful implementation: consent signals need to be captured accurately, tied to the correct tags and data-processing activities, and stored in a way that satisfies audit requirements.
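One way to tie consent decisions to tags and keep an audit trail, as the paragraph above describes. This is an added example, not code from the original page or from any consent management product; the `ConsentManager` class, tag ids, purpose names and policy version are hypothetical.

```javascript
// Added example: tag ids, purpose names and policy version are hypothetical.
const POLICY_VERSION = "policy-v1"; // constructed id of the disclosure text shown

// Each tag is tied to exactly one data-processing purpose.
const TAGS = [
  { id: "analytics-pixel", purpose: "analytics" },
  { id: "remarketing-tag", purpose: "remarketing" },
  { id: "behavioural-ads", purpose: "behavioural_targeting" },
];
const PURPOSES = [...new Set(TAGS.map((t) => t.purpose))];

class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.auditLog = [];       // append-only: one frozen entry per decision
    this.current = new Map(); // userId -> latest decision per purpose
  }

  // Record a decision. Only a literal `true` counts as consent; anything
  // else, including an omitted purpose, is treated as no consent.
  record(userId, choices) {
    const decision = Object.freeze(
      Object.fromEntries(PURPOSES.map((p) => [p, choices[p] === true])));
    this.current.set(userId, decision);
    const entry = Object.freeze(
      { userId, decision, policyVersion: POLICY_VERSION, at: this.now() });
    this.auditLog.push(entry);
    return entry;
  }

  // Tags allowed to fire for this user. No stored decision means none fire.
  allowedTags(userId) {
    const decision = this.current.get(userId);
    if (!decision) return [];
    return TAGS.filter((t) => decision[t.purpose] === true).map((t) => t.id);
  }

  history(userId) { return this.auditLog.filter((e) => e.userId === userId); }
}

function demo() {
  const cm = new ConsentManager(() => "2018-05-25T00:00:00.000Z"); // fixed clock
  const before = cm.allowedTags("user-1");           // no decision yet
  cm.record("user-1", { analytics: true, remarketing: "on" }); // "on" is not true
  const after = cm.allowedTags("user-1");
  cm.record("user-1", { analytics: false });         // consent withdrawn
  const withdrawn = cm.allowedTags("user-1");
  return { before, after, withdrawn, history: cm.history("user-1") };
}
console.log(demo());
```

A withdrawal is stored as a new entry rather than an overwrite, so the log still shows what the user had agreed to at any earlier point.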

The deeper challenge, however, is not purely technical. For publishers, AdTech vendors, and advertisers alike, the harder problem is persuading users to grant consent in the first place. As consent becomes an explicit, informed choice rather than an assumed default, opt-in rates are likely to fall — with direct consequences for addressable audience sizes and behavioural targeting reach.