This article gives you a 10-step action plan to meet GDPR requirements with practical steps your marketing team can actually use.
Why Marketers Can’t Ignore GDPR
Enforcement has moved from theory to practice. In January 2025, the UK Information Commissioner’s Office (ICO) looked at 200 of the country’s most-visited websites and found 134 breaking GDPR cookie rules.
The ICO told those companies to fix banners that used pre-ticked boxes or hid the reject option. A few months later, in April 2025, Sweden’s privacy regulator IMY handed out fines to businesses running cookie banners with dark patterns that pushed people into clicking “accept all.”
Platforms aren’t waiting around either. Google now requires Consent Mode v2 and IAB TCF 2.2 signals through a certified CMP if you want to run personalized ads in the EU or UK. Without them, remarketing lists won’t fill and conversions may never show up in Google Ads reports.
Microsoft Ads has rolled out UET Consent Mode, and on October 31, 2025, Microsoft Clarity began limiting features like session replay and heatmaps for users in the EU, UK, and Switzerland unless consent was captured.
On the user side, requests for data access keep climbing. Companies are seeing more data subject rights requests (DSRs), and they’re not just about CRM records anymore. People now ask for ad identifiers, analytics logs, and even cross-device tracking data linked to their profiles. Missing those deadlines doesn’t just risk fines—it damages trust.
For marketers, GDPR isn’t background noise. It now shapes whether campaigns run, whether measurement is accurate, and whether audiences can be reached at all.
GDPR fines can reach €10 million or 2% of global turnover for procedural failures, and up to €20 million or 4% for serious violations like unlawful processing or missing consent.
Step 1: Map Your Data Collection & Processing
Start by laying your cards on the table. What data do you collect? Where from? And what happens to it after? Without that map, you’re blind. GDPR calls it a Record of Processing Activities (RoPA), but in practice it’s just a working inventory that proves you know your own system.
Don’t skip these pieces:
- Collection points: forms, ad pixels, analytics scripts, SDKs, CRM imports.
- Data types: emails, cookie IDs, IPs, user behavior.
- Purposes: campaign reporting, remarketing, nurturing leads.
- Third parties: ad networks, analytics vendors, marketing platforms.
- Retention: how long you keep it, and when you actually delete it.
How do you pull it together? Run a scan of your site to see which cookies and scripts fire. Note what each marketing tool collects, and why it’s in your stack. Keep the RoPA lean—if it’s a spreadsheet, fine. Just keep it alive, not buried in a folder.
A clear data map makes audits easier and keeps your team from guessing when new campaigns go live.
Step 2: Identify Lawful Bases for Marketing Activities
GDPR doesn’t care if your campaign depends on tracking. Every processing activity needs a lawful basis, written down and defensible. Nine times out of ten, that’s consent. Occasionally you can claim legitimate interests, but only if you’ve done a balancing test and your local ePrivacy rules back you up.
Typical scenarios:
- Email (B2C): needs consent, with a one-click unsubscribe.
- Email (B2B): in some places you get a soft opt-in for existing customers, but forget about bought lists or cold blasts.
- Analytics: almost always consent; the rare exemption is tightly scoped first-party measurement with short retention and no ad use.
- Ads & retargeting: under IAB TCF 2.2, only consent counts. Legitimate interest is off the table.
- Profiling/segmentation: if it feeds ads or personalization, it’s consent.
Write it down. Activity, purpose, lawful basis. Store consent records so you can show them if asked. If you lean on legitimate interests, make sure the balancing test is on file and users can opt out easily.
Clear documentation of lawful bases shows regulators you’ve done the homework, and it gives your team a single source of truth instead of debating “can we send this?” every time a new campaign goes live.
Step 3: Set Up a GDPR-compliant Consent Management Process
If you drop cookies, pixels, or tracking scripts on a user’s device, consent has to come first. That’s the rule — prior consent before anything fires. It’s not enough to show a vague banner or hide the reject button in a corner. GDPR expects real choice, not manipulation.
Here’s what that looks like in practice:
- Ask permission before loading non-essential cookies or trackers.
- Let people choose — analytics, marketing, personalization — separately.
- Make “reject” as visible as “accept.” Don’t hide it in small print.
- Give users a quick way to change their mind. Consent must be easy to withdraw.
- Keep a record of each consent: who gave it, when, and for which purposes.
- Drop the dark patterns — misleading colors or fake toggles will get flagged fast.
Consent design isn’t about formality. It’s about fairness. Keep the interface simple, the wording direct, and the options balanced. When people see a banner they can trust, they’re more likely to share data willingly — and you stay on the right side of regulators.
A properly designed consent process doesn’t just meet legal standards; it keeps your analytics, ads, and user data reliable enough to make marketing decisions you can defend.
Step 4: Configure Cookie Banners & Google Consent Mode v2 / IAB TCF 2.2
Getting consent is one thing. Passing that signal correctly to your ad and analytics tools is another. That’s where your cookie banner setup, Google Consent Mode v2, and IAB TCF 2.2 come together. When configured properly, they control what runs, what’s blocked, and how consent data feeds into your reporting.
Here’s what to get right:
- Build banners with clear, visible choices — Accept all, Reject all, or Customize. Each button should do exactly what it says.
- Load scripts conditionally. No tracker or tag should fire before consent.
- Connect your banner to Google Consent Mode v2 so Google Ads, Google Analytics 4, and Floodlight tags adjust automatically when users opt in or out.
- Enable event modeling in Consent Mode to fill in conversion gaps when users decline cookies — this keeps your reports closer to reality.
- Implement tag gating — only release marketing and analytics tags after consent is confirmed.
- If you serve personalized ads, register with the IAB TCF 2.2 framework and ensure your CMP transmits valid consent strings to participating ad partners.
This setup is where compliance meets performance. Valid consent signals mean ad platforms can still model conversions legally, while your analytics data stays aligned with user permissions.
A properly configured banner and consent framework protect your tracking accuracy, keep campaigns eligible for ad delivery, and maintain trust with both regulators and users.
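The gating and record-keeping described in Steps 3 and 4 can be made concrete in a small consent layer. The block below is an added example, not CookieScript’s code or Google’s library: it starts every Consent Mode v2 parameter as denied, maps the user’s per-category choice onto a Consent Mode update, releases only the tags whose category was granted, and writes the consent record (subject, timestamp, banner version, purposes) that the FAQ on proving consent calls for. The category names, the tag registry, the grouping of ad_user_data under “marketing”, and the stub gtag function are assumptions for illustration; in a browser the update would go to window.gtag.

```javascript
// Added example (not CookieScript's or Google's code): a consent-gated tag
// loader shaped around Google Consent Mode v2. Category names, the tag
// registry and the banner version value are assumptions for illustration.

// Consent Mode v2 parameters a GDPR banner must set. Everything starts
// "denied" so no tag stores or sends anything before the user chooses.
const CONSENT_MODE_DEFAULT = Object.freeze({
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
});

// Banner categories (assumed names) -> Consent Mode parameters they control.
const CATEGORY_TO_PARAMS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data'],
  personalization: ['ad_personalization'],
};

// Turn the user's per-category choice into a Consent Mode v2 "update" payload.
// Any category the user did not explicitly grant stays denied.
function buildConsentUpdate(choices) {
  const update = { ...CONSENT_MODE_DEFAULT };
  for (const [category, params] of Object.entries(CATEGORY_TO_PARAMS)) {
    if (choices[category] === true) {
      for (const p of params) update[p] = 'granted';
    }
  }
  return update;
}

// Tag registry (constructed): each tag declares the category it needs.
const TAG_REGISTRY = [
  { id: 'ga4', requires: 'analytics' },
  { id: 'google-ads-remarketing', requires: 'marketing' },
  { id: 'floodlight', requires: 'marketing' },
  { id: 'onsite-personalization', requires: 'personalization' },
];

// Tag gating: return only the tags whose category the user granted.
function tagsAllowedToFire(choices, registry = TAG_REGISTRY) {
  return registry.filter((t) => choices[t.requires] === true).map((t) => t.id);
}

// Consent record: who, when, which banner version, which purposes.
function makeConsentRecord(subjectId, choices, bannerVersion, now = new Date()) {
  return {
    subjectId,
    timestamp: now.toISOString(),
    bannerVersion,
    choices: {
      analytics: !!choices.analytics,
      marketing: !!choices.marketing,
      personalization: !!choices.personalization,
    },
    consentMode: buildConsentUpdate(choices),
  };
}

// Banner flow: push the denied default first, then update after the choice
// and release only the tags that choice allows.
function runBannerFlow(gtag, choices, subjectId, bannerVersion) {
  gtag('consent', 'default', CONSENT_MODE_DEFAULT); // before any tag loads
  const record = makeConsentRecord(subjectId, choices, bannerVersion);
  gtag('consent', 'update', record.consentMode); // after the user chooses
  return { record, firedTags: tagsAllowedToFire(choices) };
}

// Stand-alone run with a stub gtag that records its calls.
function demo() {
  const calls = [];
  const stubGtag = (...args) => calls.push(args);
  const result = runBannerFlow(stubGtag, { analytics: true, marketing: false }, 'anon-7f3a', 'banner-v12');
  return { calls, ...result };
}
console.log(JSON.stringify(demo(), null, 2));
```

The order matters: the default call must run before any tag script is loaded, otherwise a tag can store data in the gap before the banner answers. Keeping the record next to the update payload means the stored evidence and the signal sent to Google are the same object, so they cannot drift apart.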
Step 5: Update Privacy Policies & Notices
Most privacy policies sound like they were written five lawyers ago. GDPR doesn’t care how polished it looks — it cares whether it matches what you actually do. If your marketing stack has changed, your policy needs to catch up. Regulators notice when the banner says one thing and the notice says another.
Think of it like an owner’s manual for your data. Every claim should line up with your real data flows, not what you wish they were.
What needs to be clear:
- What data you collect — contact forms, cookies, analytics, ad tags, all of it.
- Why you collect it, and the lawful basis behind each use (consent, legitimate interests, contract, etc.).
- How long you keep data — list actual retention periods, not “as long as necessary.”
- Who you share it with — ad networks, CRM vendors, analytics providers, processors.
- Data transfers — if information leaves the EU, describe the safeguards.
- Cookies — spell out types and purposes: necessary, analytics, marketing.
Skip the filler. Drop the legal wallpaper. Write in plain language. People skim; regulators read. Both should leave with the same understanding of what happens to their data.
A policy that reflects your real setup protects you twice — it shows transparency under GDPR and helps your team stay honest about how data moves through your tools.
Step 6: Handle Data Subject Requests
GDPR gives people the right to see, delete, or move their data — and they’re using it. Most requests hit marketing first, because that’s where people notice their info being used. The trick is having a system ready before those emails land.
Build a playbook your team can follow:
- Access: pull every record tied to the person — CRM data, newsletter logs, ad platform exports, analytics identifiers if they’re linkable.
- Erasure: delete or anonymize data across all systems, including ad audiences and backup syncs.
- Portability: provide a structured file (usually CSV or JSON) if the user asks to take their data elsewhere.
Set internal SLAs. GDPR’s deadline is one month, but don’t aim for day 30 — aim for day 10. It keeps the scramble down.
Always verify identity before sharing anything. A reply sent from the same registered email address is usually enough; asking for a copy of an ID document is only for edge cases.
And don’t forget the hard ones: ad IDs, analytics identifiers, device IDs. If they can be tied to a user, they count. Some tools now let you delete those directly through their privacy APIs — use them.
A strong DSR process keeps data clean, cuts audit risk, and prevents marketing systems from holding personal data longer than they should — exactly what regulators expect to see during a compliance review.
Step 7: Define Data Retention & Deletion Rules
Collecting data is easy. Knowing when to delete it — that’s where most teams fall short. GDPR expects retention limits that match your stated purposes: once data’s no longer needed for that purpose, it has to go.
Map this out system by system. Start with the big ones — your CRM, analytics, ad platforms, and data warehouse. Every record should have a clear retention period, not “until further notice.”
What to set up:
- Match every dataset to its purpose (lead nurturing, conversion tracking, remarketing).
- Define TTLs for cookies, user IDs, and analytics identifiers. If your cookie banner says 6 months, make sure the tech matches.
- Automate deletion workflows — CRMs can purge inactive contacts, ad accounts can refresh audiences, analytics tools can auto-delete after a set time.
- Keep a record of these schedules so you can show regulators you’ve thought it through.
Consistency matters. When one tool wipes data and another keeps it forever, you lose control and risk non-compliance.
Good retention rules don’t just keep you compliant — they also make your data better. Shorter retention means fewer stale profiles, cleaner analytics, and campaigns that reflect what’s actually happening now, not six months ago.
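As an added example of the retention rules in this step (not CookieScript’s code), the block below evaluates stored records against a purpose-based retention schedule and cross-checks a cookie’s actual Max-Age against the lifetime the banner declares. The purposes, retention periods, sample records, the fixed “now” date and the Set-Cookie line are constructed for illustration; records whose purpose has no retention rule are flagged for review rather than silently kept.

```javascript
// Added example (not CookieScript's code): retention enforcement plus a check
// that the cookie set by the site lives no longer than the banner declares.
// Purposes, periods, records and the Set-Cookie line are constructed.

// Retention schedule (assumed): purpose -> days a record may be kept.
const RETENTION_DAYS = {
  lead_nurturing: 365,
  conversion_tracking: 90,
  remarketing: 180,
};

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Decide for one record whether it is still inside its retention window.
// A record with no matching purpose has no stated retention period at all,
// so it is flagged for review instead of being kept by default.
function retentionDecision(record, now) {
  const days = RETENTION_DAYS[record.purpose];
  if (days === undefined) {
    return { id: record.id, action: 'review', reason: 'no retention rule for purpose ' + record.purpose };
  }
  const ageDays = Math.floor((now - new Date(record.collectedAt)) / MS_PER_DAY);
  const action = ageDays > days ? 'delete' : 'keep';
  return { id: record.id, action, reason: `${ageDays}d old, limit ${days}d` };
}

// Run the schedule over a dataset; returns decisions grouped by action.
function applyRetention(records, now = new Date()) {
  const out = { keep: [], delete: [], review: [] };
  for (const r of records) {
    const d = retentionDecision(r, now);
    out[d.action].push(d);
  }
  return out;
}

// Compare a Set-Cookie header's Max-Age with the lifetime the banner declares.
// Returns a mismatch note, or null when the cookie agrees with the banner.
function checkCookieLifetime(setCookieHeader, declaredDays) {
  const m = /;\s*max-age=(\d+)/i.exec(setCookieHeader);
  if (!m) return 'no Max-Age attribute; lifetime is not controlled';
  const actualDays = Number(m[1]) / 86400;
  if (actualDays > declaredDays) return `Max-Age is ${actualDays} days, banner declares ${declaredDays}`;
  return null;
}

// Constructed sample data, evaluated as of a fixed date so results are stable.
const SAMPLE_NOW = new Date('2025-11-01T00:00:00Z');
const SAMPLE_RECORDS = [
  { id: 'crm-1', purpose: 'lead_nurturing', collectedAt: '2025-01-15T00:00:00Z' },      // 290d: keep
  { id: 'conv-2', purpose: 'conversion_tracking', collectedAt: '2025-06-01T00:00:00Z' }, // 153d: delete
  { id: 'rmk-3', purpose: 'remarketing', collectedAt: '2025-03-01T00:00:00Z' },         // 245d: delete
  { id: 'misc-4', purpose: 'legacy_export', collectedAt: '2024-01-01T00:00:00Z' },      // no rule: review
];
// Banner declares 6 months (taken as 183 days) but the cookie is set for a year.
const SAMPLE_SET_COOKIE = '_cs_uid=abc123; Path=/; Max-Age=31536000; SameSite=Lax; Secure';

console.log(applyRetention(SAMPLE_RECORDS, SAMPLE_NOW));
console.log(checkCookieLifetime(SAMPLE_SET_COOKIE, 183));
```

Running the schedule on a fixed date keeps the output reproducible, which is what you want when the decisions themselves are part of the audit record. The cookie check is the kind of thing worth running in a site scan: a banner that promises six months while the Set-Cookie header asks for a year is exactly the banner-versus-reality gap regulators pick up on.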
Step 8: Work With Third Parties & Processors
If you’re in marketing, you don’t work alone. You rely on email platforms, CRMs, ad networks, analytics tools — a full ecosystem of vendors that touch user data. Under GDPR, that makes them processors, but the accountability still sits with you.
Get the Data Processing Agreements (DPAs) in place before a single record moves. Those contracts should spell out what data is processed, how it’s protected, and what happens to it when the job’s done. And don’t stop there — look into each vendor’s sub-processors. You might be surprised how far a single signup form’s data can travel.
Things worth checking:
- Go through DPAs once a year. Vendors swap infrastructure without warning.
- Find out where data is stored or accessed. If it leaves the EU, make sure there’s a transfer safeguard — SCCs, an adequacy decision, or hosting inside the EEA.
- Keep a one-page list of vendors, what data they handle, and for what purpose — that’s your audit-readiness file.
- Ask what happens when a deletion request comes in and how quickly they notify you about a breach.
Marketing stacks grow fast and messy. A tracking script here, an API there — suddenly ten tools are talking to each other. When one ignores GDPR, it’s still your name on the paperwork.
Doing real due diligence doesn’t just keep you compliant. It keeps campaigns online when someone else’s system fails audit, and it proves your data pipeline can survive scrutiny from regulators or clients who ask the hard questions.
Step 9: Train Marketing Teams on GDPR Practices
Policies don’t protect you — people do. Most GDPR issues in marketing come from simple mistakes: someone uploads a contact list that shouldn’t exist, adds a pixel without consent, or launches a campaign before the legal team sees the copy. Training prevents that.
Make it role-based, not generic. Your copywriters don’t need a lecture on international data transfers, and your ad-ops team doesn’t need to memorize the entire regulation. Give each group what they actually use:
- For campaign managers: what “consent required” means in real life, and how to check it before launch.
- For analysts: how to read reports built on privacy-safe metrics — aggregated, modeled, or consent-based data.
- For growth and automation teams: when tags can load, how to handle remarketing lists, and what counts as a personal identifier.
Add pre-checks to campaign workflows. A simple privacy checklist — consent, lawful basis, retention, vendor approval — can save a lot of cleanup later.
Keep the training short, frequent, and tied to tools people actually use. When everyone knows how their piece connects to GDPR, compliance becomes routine instead of a roadblock.
A marketing team that understands GDPR isn’t just safer — it launches faster, fixes issues earlier, and keeps data usable without crossing the line.
Step 10: Monitor, Audit & Document Compliance Regularly
GDPR compliance isn’t something you set up once and walk away from. Marketing stacks evolve constantly — new pixels, new tags, new vendors. What was compliant a few months ago might not be now.
Keep it under control with ongoing checks and documentation:
- Run regular site scans to see which cookies and scripts are active. Tools get added quietly during updates.
- Watch for tag drift — scripts firing before consent or duplicating across platforms.
- Track consent rates and data subject requests (DSRs). A sudden drop in consent might mean a banner error; a spike in DSRs could hint at trust issues.
- Keep your Records of Processing Activities (RoPA) current. Add new vendors and remove old ones as they change.
- Maintain change logs for banners, cookie settings, and data policies so you can prove when and why something changed.
Think of this as maintenance, not paperwork. Small, steady audits keep your setup clean — no expired data, no missing consent logs, no surprises when regulators or partners ask how your tracking works.
A marketing team that monitors compliance regularly avoids firefighting later — campaigns stay live, data stays reliable, and audits become a formality instead of a crisis.
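The “tag drift” check in this step, scripts firing before consent or duplicating across a page view, is something you can run over your own tag and consent event log. The block below is an added example, not CookieScript’s scanner: it replays a constructed log in time order, keeps the consent state per page view, and flags tags that fired without consent for their category, tags that fired twice on one page view, and tags that are not in the registry at all. The log line format, tag names and category mapping are constructed for illustration.

```javascript
// Added example (not CookieScript's code): detecting tag drift in an event log.
// Log format, tag names and the category mapping are constructed.

// Which banner category each registered tag needs (assumed mapping).
const TAG_CATEGORY = {
  ga4: 'analytics',
  google_ads: 'marketing',
  meta_pixel: 'marketing',
};

// Parse one line of the constructed log format:
//   <ISO time> <pageview id> consent <category>=<granted|denied>[,...]
//   <ISO time> <pageview id> tag <tag name>
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  const [ts, pv, kind, rest] = parts;
  if (kind === 'consent' && rest) {
    const state = {};
    for (const pair of rest.split(',')) {
      const [cat, val] = pair.split('=');
      state[cat] = val;
    }
    return { ts, pv, kind, state };
  }
  if (kind === 'tag' && rest) return { ts, pv, kind, tag: rest };
  return null; // malformed line, ignored
}

// Replay the log per page view; each tag event is judged against the consent
// state seen so far on that page view (lines are assumed to be in time order).
function findTagDrift(lines) {
  const findings = [];
  const consentByPv = {}; // pv -> { category: 'granted' | 'denied' }
  const firedByPv = {};   // pv -> Set of tags already fired
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (ev.kind === 'consent') {
      consentByPv[ev.pv] = { ...(consentByPv[ev.pv] || {}), ...ev.state };
      continue;
    }
    const needed = TAG_CATEGORY[ev.tag];
    const state = consentByPv[ev.pv] || {};
    if (needed === undefined) {
      findings.push({ pv: ev.pv, tag: ev.tag, issue: 'unknown_tag' });
    } else if (state[needed] !== 'granted') {
      findings.push({ pv: ev.pv, tag: ev.tag, issue: 'fired_without_consent' });
    }
    const fired = firedByPv[ev.pv] || (firedByPv[ev.pv] = new Set());
    if (fired.has(ev.tag)) findings.push({ pv: ev.pv, tag: ev.tag, issue: 'duplicate_fire' });
    fired.add(ev.tag);
  }
  return findings;
}

// Constructed log: pv1 is clean; pv2 fires GA4 before consent and fires the
// Ads tag twice; pv3 loads an unregistered tag after the user declined.
const SAMPLE_LOG = [
  '2025-11-01T10:00:00Z pv1 consent analytics=granted,marketing=granted',
  '2025-11-01T10:00:01Z pv1 tag ga4',
  '2025-11-01T10:00:01Z pv1 tag google_ads',
  '2025-11-01T10:05:00Z pv2 tag ga4',
  '2025-11-01T10:05:02Z pv2 consent analytics=granted,marketing=granted',
  '2025-11-01T10:05:03Z pv2 tag google_ads',
  '2025-11-01T10:05:03Z pv2 tag google_ads',
  '2025-11-01T10:09:00Z pv3 consent analytics=denied,marketing=denied',
  '2025-11-01T10:09:01Z pv3 tag hotjar_like_widget',
];

console.log(findTagDrift(SAMPLE_LOG));
```

An “unknown_tag” finding is usually the most useful one: it is how you learn that a plugin update or a colleague’s tag manager change added a script nobody registered, which is the quiet drift this step warns about. Feeding the findings into the same change log you keep for banner and policy updates gives you the before-and-after record an auditor asks for.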
CookieScript Quick Wins for Marketers
Once your compliance setup is stable, automation keeps it that way. CookieScript gives marketers the tools to stay compliant, prove it, and still move fast — no endless manual updates or guesswork.
Marketers rely on it for a few practical advantages that save both time and stress.
- Consent logs — detailed, exportable records showing who gave consent, when, and for which purposes. They’re your evidence if an auditor or DPA ever asks for proof.
- Automatic blocking for third-party scripts — analytics and marketing tags stay paused until valid consent is received. You don’t need to track down rogue pixels or rewrite snippets manually.
- Google Consent Mode v2 & IAB TCF 2.2 integration — fully built in as part of CookieScript’s status as a Google-certified CMP. Tags like GA4, Ads, and Floodlight adjust automatically to each user’s consent status while preserving event modeling for accurate performance reporting.
- Geo-targeting and 40+ languages — automatically show the right banner, in the right format, for each region. GDPR in the EU, CCPA in California, LGPD in Brazil — all localized and ready.
- Privacy Policy Generator — connected to your scan results, so disclosures stay aligned with your actual data use as new cookies or vendors appear.
- Monthly scans and advanced reports powered by CookieScript’s Cookie Scanner — automated sweeps that detect new cookies, scripts, or third-party tools added by plugins. Reports track consent rates, banner performance, and compliance changes over time.
- Banner sharing and self-hosted code — one setup that works across multiple sites or clients, with the option to host it yourself for full control and faster load times.
CookieScript earned its fourth consecutive G2 Leader badge in 2025, with the peer review platform recognizing it as the top Consent Management Platform (CMP) of the year.
Conclusion
GDPR isn’t paperwork you finish and file away. It’s the system that keeps your marketing honest — how you collect, use, and measure data without crossing lines. Once it’s built into everyday work, compliance becomes routine instead of a blocker.
Keep an eye on the small stuff: consent rates, cookie scans, privacy notices, vendor updates. Fix issues as they appear. That rhythm — review, adjust, repeat — is what turns compliance from a rule into a habit.
In the long run, privacy done right makes your marketing stronger. Clean data, clear rules, fewer surprises — and a brand that people actually trust with their information.
Frequently Asked Questions
What is Google Consent Mode v2, and why does it matter for marketers?
Google Consent Mode v2 lets your tags (GA4, Ads, Floodlight) adjust to users’ consent choices. If someone declines tracking, data is modeled instead of blocked. It keeps analytics and conversions accurate — as long as you use a Google-certified CMP like CookieScript to send valid consent signals.
What does IAB TCF 2.2 do?
It’s a framework for passing user consent and preference data between publishers, ad tech vendors, and CMPs. It standardizes how consent strings are shared so every party in the ad chain knows whether personalized ads are allowed.
Can B2B marketers rely on legitimate interests for email campaigns?
Sometimes — but only if the recipient is an existing business contact and you offer a clear opt-out. For cold outreach or lead lists, consent is still the safer and more defensible route under GDPR and ePrivacy rules.
Do I need consent for analytics?
Yes, unless the analytics are strictly necessary and anonymized. Most third-party tools like Google Analytics 4 or Meta Pixel require prior consent under GDPR and ePrivacy because they use cookies or identifiers.
How long do I have to respond to a Data Subject Request (DSR)?
One month under GDPR. Complex cases can take longer, but you must acknowledge the request and explain any delay before the 30-day mark.
How long can I keep ad or analytics IDs?
Retention should match your declared purpose. If the data supports active campaigns, define a clear end date — often 6 to 13 months. Once the purpose expires, delete or anonymize the IDs.
Are cookie walls allowed under GDPR?
Only if users still have a genuine choice. Forcing consent in exchange for access is risky — regulators in several EU countries have warned against or fined sites using “take it or leave it” banners.
How do I prove consent if regulators ask?
Keep consent logs with timestamp, banner version, and user selection. A CMP like CookieScript automates this process so you can export evidence immediately if needed.
Can I show different banners by region?
Yes — that’s what geo-targeting is for. You can display GDPR-compliant banners in the EU, CCPA notices in California, and simplified consent prompts elsewhere. CookieScript handles this automatically in over 40 languages.