3 steps to stay compliant while using consent-driven targeted marketing

Using personalized, targeted ads? Make sure your organization obtains consent and follows these three steps to honor user privacy while providing them with the best user experience

Alex Cash
Director, OneTrust Consent and Preferences
January 4, 2023

Two women walking down the steps of a government building

In a recent enforcement action, the Irish Data Protection Commission (DPC) ruled that businesses can’t rely on “contractual necessity” as a legal basis for using behavioral advertising. The DPC also mentioned the importance of transparency when explaining the purpose of processing data to users. The main takeaway here is that user consent is a must when engaging in behavioral advertising. 

How can companies ensure compliance when delivering targeted ads? 

1. Know what regulations apply to you 

Have a comprehensive picture of what privacy and data protection laws apply to your business operations. For example, if your business has customers in the EU and California, you’ll have to look at the requirements the CPRA and GDPR have in place. 

Conduct a mapping exercise to lay out which regulations apply, and which parts of these applicable regulations you need to take note of in your data processing policies. 

2. Get user consent before delivering targeted ads 

The GDPR and CPRA both mention that businesses have a legal basis to process personal data if the use case is “necessary” for the business to function, or is a “contractual necessity” for the business to fulfill to its consumers. 

However, in the case of targeted advertising, showing personalized ads is usually not the core function of your business, as mentioned by the European Data Protection Board (EDPB) guidelines. This removes it from the scope of the “necessary to perform a contract” basis to process personal data, by the GDPR’s definition. E.g., using your shipping address to send you a product would be necessary data to complete the service, but providing you with targeted ads based on your interests would not. 

Targeted ads are a way to help customers view products or services that appeal to their interests and allow them to have a more enjoyable user experience when navigating through your site. However, as they are not a “contractual necessity,” getting consent from your users to provide personalized ads is the way to go. Under the GDPR, consent must be obtained by opting in, while under the CPRA this can be achieved via an opt-out mechanism. 

Apart from running targeted advertisements on your own platform, you may also have cases where you’re running these campaigns on other third-party platforms. You’ll also need to collect consent in this case, and ensure that your organization is clear on the policy requirements that third-party platforms have regarding user data. Your users’ privacy is ultimately your responsibility, so make sure to have the proper due diligence in place. 

3. Use transparent communication = clear, concise, and comprehensive

Keep the language clear, concise, and easy to understand for consumers. Disclose what data you’re collecting, and what you’re using this for as well. 

The GDPR stresses the need for transparency on personal data processing when communicating with data subjects, with Article 5(1)(a)Article 12, and Article 13(1)(c) as examples.

The CPRA also has certain clearly defined items that must be in place that include:

  • A “Do Not Sell or Share My Personal Data”, clearly visible and easy to navigate for users 
  • A “Limit the Use of My Sensitive Personal Information” page 
  • Honoring universal preference signals, like the Global Privacy Control (GPC) signal

How can OneTrust help your business stay compliant?

OneTrust Consent and Preferences enables you to manage the consent of your digital properties across all regions, privacy regulations, and devices through one platform. 

By providing brand-consistent notices and banners to your users throughout their interaction with your site, from accepting cookies to subscribing to a newsletter, we ensure that your customers get the best user experience and have their privacy honored at every touchpoint. 

After obtaining consent from your users, keeping track of this data with up-to-date records is no small task. OneTrust makes this easy with integrations with all major sales, marketing, and data platforms, along with a real-time database that stores user consent and preference data, making sure you’re always providing your customers with an optimal, privacy-first experience.

Learn more about how OneTrust Consent and Preferences can help your organization build trusted relationships with your customers by keeping their privacy as your priority. 

Request a demo today. 

You may also like


Consent & Preferences

Compliant omni-channel automation: How to be a responsible marketer?

Join this webinar and learn how to create a compliant privacy-first marketing program that respects customer consent across multiple channels.

October 12, 2023

Learn more


Consent & Preferences

Honoring consent throughout the data lifecycle

Watch our webinar and learn how consent can enrich your data while helping you build a brand your customers can trust.

October 04, 2023

Learn more


Consent & Preferences

Adobe + OneTrust: How to market responsibly with consent-based experiences

Join Adobe and OneTrust as we discuss best practices for deploying consent-based marketing campaigns and privacy-first experiences.

August 29, 2023

Learn more