The rules governing targeted advertising boil down to three questions: did you have the right to collect the data, did you give people a way to opt out (or opt in), and are you avoiding protected categories you’re not allowed to target on? In the U.S., targeting is opt-out by default under CCPA/CPRA-style laws; in the EU, it’s opt-in under . On top of privacy law, platform policies and civil-rights rules restrict targeting for housing, employment, and credit. This is general guidance, not legal advice.
Key Takeaways
- Data rights first: you can only target on data you collected lawfully, with the required consent or opt-out.
- Two consent models: GDPR requires opt-in before tracking; /CPRA lets consumers opt out of “sale or sharing” for cross-context behavioral ads.
- Protected categories are off-limits: housing, employment, and credit ads face civil-rights restrictions on targeting.
- Sensitive data needs a lighter touch: the CPRA lets consumers limit use of sensitive personal information.
- Platform rules stack on top of law — Meta, Google, and others enforce their own targeting limits.
What counts as targeted advertising?
Targeted advertising is showing ads to people based on data about who they are or what they’ve done — demographics, interests, browsing behavior, location, purchase history, or membership in a modeled audience. It spans retargeting (ads following a site visitor), interest and demographic targeting, lookalike audiences, and cross-context behavioral advertising that tracks a person across different sites and apps. The reason it’s heavily regulated is that all of it runs on personal data, and the more precisely an ad follows an individual, the more privacy law has to say about it. Cross-context behavioral advertising — the practice of building a profile from someone’s activity across unrelated sites — sits at the center of most targeting rules because it’s the most invasive and the least visible to the person being tracked.
Which consent model applies — opt-in or opt-out?
It depends on jurisdiction, and the two dominant models are opposites.
- GDPR (EU/EEA): opt-in. You generally need prior, informed consent before setting the cookies or processing the data that power targeting. No consent, no tracking.
- CCPA/CPRA (California and similar state laws): opt-out. Targeting is allowed by default, but consumers can opt out of the “sale or sharing” of their data for cross-context behavioral advertising, and you must post a “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control signals.
Because many U.S. states have adopted CCPA-style laws, and because you often can’t tell exactly where a given user sits, the safe operating posture is to honor opt-out signals broadly and get consent where any EU traffic is involved.
Why are some targeting categories restricted entirely?
Because targeting can quietly become discrimination. Beyond privacy law, civil-rights rules restrict how ads for housing, employment, and credit can be targeted — you generally can’t use or exclude audiences in ways that deny protected groups access to these opportunities. Platforms have built dedicated “special ad category” restrictions in response, limiting the demographic and geographic targeting available for those verticals. Separately, the CPRA carves out sensitive personal information — precise geolocation, health, race, sexual orientation and similar categories — and gives consumers the right to limit its use, which constrains targeting built on those attributes. The through-line: the more a targeting decision could harm a protected group or expose intimate data, the more the law and platforms lock it down. Knowing which vertical you’re in is the first compliance question, because housing, jobs, and credit play by stricter rules than a shoe ad.
How do you build a compliant targeting program?
Start from lawful data and layer controls from there. Confirm every data source has the right consent or opt-out mechanism attached before you target on it. Deploy a platform that captures GDPR-style opt-in for EU users and honors CCPA-style opt-out — including automated signals like Global Privacy Control — for U.S. users. Flag any campaign in housing, employment, or credit and route it through the platform’s special-category rules with the tighter targeting they require. Wall off sensitive personal information so it isn’t feeding your audiences unless you’ve cleared the extra CPRA limits. Then read the platform policy for each channel, because Meta, Google, and others impose their own targeting restrictions that sit on top of the law. Finally, keep records of consent and opt-out fulfillment — as of 2026, California’s enforcement no longer offers a blanket window to cure violations after the fact.
What are the alternatives to invasive behavioral targeting?
The privacy-safe alternatives have gotten strong enough to be a primary strategy, not a fallback.
- Contextual targeting. What it is: ads matched to the content of the page, not the person. Best for: reach with zero personal-data risk. Outcome: relevance without tracking.
- First-party audiences. What it is: targeting built on data you collected directly with consent. Best for: durable, compliant precision. Outcome: owned audiences that survive cookie and platform changes.
- Modeled and aggregated cohorts. What it is: platform tools that target groups rather than tracked individuals. Best for: replacing third-party retargeting. Outcome: scale without individual profiles.
Choose contextual when you want reach without data exposure; choose first-party audiences when precision matters and you’ve earned the consent to power it.
How is the cookieless shift changing the targeting rules game?
The regulatory rules aren’t the only pressure on targeting — the technical foundations are eroding at the same time, and the two trends point the same direction. Browsers have been phasing out third-party cookies, mobile operating systems restrict cross-app identifiers, and privacy laws penalize the profile-everyone approach that was built on. The result is that the most invasive targeting is getting both riskier legally and weaker technically. Advertisers who over-invested in third-party data are watching their audiences shrink and their match rates fall, while those who built consented first-party relationships are comparatively insulated. The strategic read is that privacy compliance and marketing performance have converged: the same move — shifting toward first-party data, contextual placement, and platform-modeled cohorts — reduces legal exposure and future-proofs reach at once. Treating targeting rules as a pure compliance cost misses the point; the rules are accelerating a shift that was going to reshape targeting regardless.
Frequently Asked Questions
Do I need consent to retarget website visitors?
In the EU under GDPR, generally yes — retargeting relies on tracking that needs opt-in consent. In the U.S. under CCPA/CPRA, you must offer an opt-out of sharing for cross-context behavioral advertising and honor it. This is general guidance, not legal advice.
Can I target ads by age, gender, or location?
Usually yes for ordinary products, but housing, employment, and credit ads face civil-rights restrictions and platform “special ad category” limits that curb demographic and geographic targeting. Check the vertical before you build the audience.
What is cross-context behavioral advertising?
Targeting based on a profile built from a person’s activity across different, unrelated sites and apps. It’s the category most restricted by CCPA/CPRA, which gives consumers a right to opt out of the sharing that enables it.
Do platform rules or privacy laws take priority?
Both apply, and you must satisfy the stricter of the two. Meta and Google enforce targeting policies that often go beyond what the law requires, and a campaign has to clear platform rules and the law.