linkutm Logo
Glossary Term

GDPR

glossary gdpr featured

GDPR stands for the General Data Protection Regulation, the European Union’s law governing how organizations collect, store, and use the personal data of people in the EU. It took effect on May 25, 2018, replacing the 1995 Data Protection Directive. Any company that handles data on EU residents must comply, no matter where the company is based.

Why GDPR Matters

GDPR sets the global benchmark for data privacy. Its rules apply to any organization processing the personal data of people in the EU or EEA, even if that organization sits in the United States or Asia. This extraterritorial reach, defined in Article 3, is why GDPR affects businesses worldwide.

The financial stakes are high. Regulators can fine violators up to 20 million euros or 4% of global annual turnover, whichever is higher. In May 2023, Ireland’s Data Protection Commission fined Meta 1.2 billion euros, the largest GDPR penalty to date.

GDPR also reshaped how marketers track users. Cookies, IP addresses, and other online identifiers count as personal data under Article 4. That means most analytics and advertising tracking now needs a lawful basis before it can run.

What Counts as Personal Data

Personal data is any information relating to an identified or identifiable person. GDPR defines this broadly, so it covers more than names and email addresses.

Examples of personal data include:

  • Names, email addresses, and phone numbers
  • IP addresses and device identifiers
  • Cookie IDs and advertising identifiers
  • Location data
  • Online behavior tied to an individual

A special category of sensitive data (health, race, religion, biometrics, political views) carries stricter rules and usually requires explicit consent.

The Seven GDPR Principles

Article 5 sets out seven principles that govern all data processing. Every activity involving personal data must follow them:

  1. Lawfulness, fairness, and transparency. Process data legally and tell people how you use it.
  2. Purpose limitation. Collect data only for specific, stated reasons.
  3. Data minimisation. Gather only what you actually need.
  4. Accuracy. Keep data correct and up to date.
  5. Storage limitation. Delete data once its purpose ends.
  6. Integrity and confidentiality. Protect data with appropriate security.
  7. Accountability. Prove you comply, not just claim it.

Lawful Bases for Processing

GDPR requires a lawful basis before you process any personal data. Article 6 lists six options, and you must pick the right one for each activity:

  • Consent. The person gave clear, freely given permission.
  • Contract. Processing is needed to fulfill an agreement.
  • Legal obligation. A law requires the processing.
  • Vital interests. Processing protects someone’s life.
  • Public task. Processing serves an official function.
  • Legitimate interests. The business has a genuine need that does not override the person’s rights.

For marketing, consent and legitimate interests are the two bases most often used.

Data Subject Rights

GDPR gives individuals eight rights over their personal data. Organizations must respond to most requests within one month:

  • The right to be informed about data collection
  • The right of access to their data
  • The right to rectification of inaccurate data
  • The right to erasure, known as the right to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object, including to direct marketing
  • Rights around automated decision-making and profiling

GDPR for Marketing

GDPR changed how marketers collect and use data. Any tracking that can identify a person needs a lawful basis, and for cookies and pixels that basis is almost always consent.

Key implications for marketing teams:

  • Cookie consent is mandatory. Non-essential analytics and advertising cookies cannot load until the user opts in. See cookie consent for how compliant banners work.
  • Email marketing needs a lawful basis. Most lists rely on consent or a narrow legitimate-interest “soft opt-in” for existing customers.
  • Reporting gaps appear. When users reject tracking, cookies never fire, so analytics undercount real traffic. Google’s Consent Mode helps model some of that lost data.

UTM parameters sit in the page URL, not in a cookie, so they still identify which campaign sent a visitor even after cookies are declined. They do not store personal data on their own, which makes them a privacy-friendly layer of campaign attribution.

GDPR Penalties

GDPR uses a two-tier fine structure based on the severity of the breach. Lower-tier violations, such as poor record-keeping, cap at 10 million euros or 2% of global turnover. Higher-tier violations, such as breaching the core principles or ignoring data subject rights, cap at 20 million euros or 4% of global turnover.

National Data Protection Authorities enforce the rules in each country. The European Data Protection Board coordinates decisions across member states to keep enforcement consistent.

Frequently Asked Questions

What does GDPR stand for?

GDPR stands for the General Data Protection Regulation. It is a European Union law, formally known as Regulation 2016/679, that governs how personal data is collected and processed. It replaced the older Data Protection Directive from 1995.

When did GDPR come into effect?

GDPR came into effect on May 25, 2018. It was adopted by the EU in April 2016, giving organizations a two-year window to prepare for compliance. The rules have applied continuously since that date.

Does GDPR apply to companies outside the EU?

Yes. GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the company is located. A US or Asian business with EU customers or website visitors must comply. This is known as the regulation’s extraterritorial scope.

What does GDPR mean for marketing?

GDPR requires a lawful basis before any marketing activity uses personal data. Cookie tracking needs opt-in consent, and email lists need consent or a valid legitimate interest. Marketers must also honor requests to unsubscribe or delete data.

To keep campaign attribution accurate even when visitors reject cookies, tag your links with the free UTM builder at linkutm.