
Retargeting in Personalised Ads: Balancing E-commerce Strategies with Data Protection

In the digital space, e-commerce platforms are leveraging personalised advertising to enhance customer experiences and boost sales. Retargeting, a form of personalised advertising, has become a game changer, enabling businesses to re-engage potential customers by displaying ads based on their previous online activities. While this approach can significantly uplift conversion rates, it also entails critical considerations regarding data protection and privacy compliance, notably in the light of the General Data Protection Regulation (GDPR).


Retargeting operates by utilising cookies or pixel tags to track the online behaviour of users and subsequently display relevant ads as they traverse different websites. For instance, a user visiting an e-commerce site might explore a particular product but leave without making a purchase. Retargeting enables the e-commerce platform to display ads for that specific product on the other websites the user subsequently visits, keeping the product in the user’s view and increasing the likelihood of conversion.


A noteworthy instance that underscores the significance of compliance is the €40 million fine imposed on Criteo by the French data protection authority, CNIL. The authority highlighted that Criteo did not obtain valid consent for processing personal data for advertising purposes and failed to comply with the users’ right to object to the processing of their data for such purposes, among others.


E-commerce platforms must ensure that their retargeting strategies are not only aligned with their marketing objectives but are also meticulously crafted to adhere to data protection regulations.

  • Transparency: ensure that users are fully informed about the data being collected, the purposes of its use, and the mechanisms of retargeting.
  • Consent Management: implement robust consent management systems to obtain, manage, and document user consents, ensuring that they are freely given, specific, informed, and unambiguous.
  • Data Subject Rights: provide users with clear, accessible mechanisms to exercise their rights under data protection laws, such as the right to access, rectify, and erase their data.
  • Data Processing Agreements: establish robust data processing agreements with ad service providers, clearly defining data processing roles, responsibilities, scope and purpose of processing, security measures, protocols for data breaches, compliance with international data transfers, and provisions for auditing.


Collective actions, where a group of individuals come together to address common complaints, are emerging as a potent force in holding organisations responsible for data protection violations. For instance, the Dutch consumers’ association, Consumentenbond, together with the Privacy Protection Foundation, initiated legal proceedings against Google, representing a collective action aimed at safeguarding user privacy.

E-commerce platforms must be aware of the potential backlash, both financial and reputational, that may arise from collective actions, ensuring that their retargeting practices are legally compliant.


Navigating the world of personalised ads and data protection might seem like a tricky journey, but it’s one that can be incredibly rewarding and safe with the right steps! Balancing innovative retargeting strategies with respecting user data isn’t just about ticking regulatory boxes; it’s about building a trustworthy and transparent relationship with your users and creating a friendly and secure digital shopping space.

Pop in for a free 20-minute chat and let’s carve out a secure, compliant, and effective path for your personalised advertising.


Anna Levitina

Senior Associate
