GDPR Compliance for Retail Media Networks

Retail media networks are thriving, but ensuring GDPR compliance is critical to avoid fines and build customer trust. With ad spend projected to surpass $168 billion globally by 2027, these networks process vast amounts of personal data, including IP addresses, browsing habits, and even biometric data. Non-compliance can lead to severe penalties - European regulators issued €1.65 billion in fines in 2022 alone.

To navigate GDPR requirements, retail media networks must:

• Map and classify all data collection points (e.g., in-store sensors, cookies, CRM systems).
• Secure explicit user consent via tools like Consent Management Platforms (CMPs).
• Minimise data collection and ensure every activity aligns with a lawful purpose.
• Protect data in real-time bidding (RTB) systems using encryption and access controls.
• Shift to privacy-preserving campaign reporting, such as aggregate data insights.

GDPR compliance isn’t a one-time task - it requires regular audits, real-time monitoring, and clear documentation. By embedding these practices into operations, retail media networks can safeguard user data, maintain legal compliance, and strengthen consumer confidence.

What Is GDPR? | EU Privacy Law Explained: Rights, Principles, Fines & Compliance

sbb-itb-c231c83

Steps to Achieve GDPR Compliance

To protect personal data effectively, it's crucial to follow a structured approach. These steps outline how to ensure your retail media operations align with GDPR requirements, safeguarding customer data while keeping your advertising systems efficient.

Mapping and Classifying Data

Before you can protect data, you need to know where it comes from. Start by identifying all the points where personal data enters your retail media network. This includes in-store systems like Wi-Fi MAC addresses, beacons, sensors, and facial recognition cameras, as well as online sources such as first-party cookies, navigation data, and off-site channels like third-party scripts and header bidding wrappers.

It’s also important to audit external JavaScript. For instance, Google Analytics tags, ad scripts, and social media widgets may collect IP addresses or device identifiers without your full knowledge. Use your Consent Management Platform (CMP) to scan cookies and third-party scripts to create a complete data map.

Once you've mapped all data collection points, categorise the information. Break it into personal identifiers (e.g., names and email addresses), behavioural data (e.g., purchase history and browsing habits), and special category data (e.g., biometrics from facial recognition). Special category data requires the highest level of protection. GDPR’s Article 30 mandates that you maintain a Record of Processing Activities (ROPA), documenting what data you collect, why you process it, your lawful basis, who has access to it, and retention periods.

For large-scale profiling or advanced technology like IoT sensors, conduct a Data Protection Impact Assessment (DPIA) to assess risks and necessity. If you’re using a Customer Data Platform to unify data from stores, apps, and e-commerce, ensure this centralised view is accurately reflected in your ROPA.

With a detailed data map in hand, the next step is implementing strong consent management practices.

Setting Up Consent Management

Your retail media network must integrate a Consent Management Platform (CMP) certified by Google and registered with the IAB Transparency and Consent Framework to deliver personalised ads in the EEA and UK. A good CMP provides granular controls, allowing users to make specific choices for analytics, advertising, and personalisation instead of an all-or-nothing approach.

The French regulator CNIL fined Google €150 million for making it harder to reject cookies than to accept them. To avoid similar penalties, design your consent banners so that "Reject All" is as easy to access as "Accept All." Avoid using dark patterns that pressure users into agreeing.

Consent protocols should also extend to physical retail spaces. Use tools like dynamic signage or interactive kiosks to direct shoppers to detailed privacy policies. Ensure that consent preferences are synchronised across all connected systems, including your CRM, Customer Data Platform, and email marketing tools.

As third-party cookies phase out, focus on building consented first-party data through loyalty programs and transaction records. Implement Google Consent Mode v2 in "Advanced Mode" to recover 50–80% of conversion data lost when users decline cookies. This uses behavioural modelling while respecting user choices. Configure the gtag('consent', 'default', …) command to activate before loading any Google tags or GTM scripts, preventing unauthorised data collection.

Once consent is under control, shift your attention to limiting data collection and usage.

Limiting Data Collection and Use

The GDPR emphasises data minimisation - collect only what’s necessary for your specific purpose. For example, if anonymised sensor data can analyse traffic patterns, there’s no need to collect device identifiers. Eliminate any data that doesn’t serve a documented purpose.

Each processing activity should align with a single, explicit purpose. Data collected to optimise in-store customer flow shouldn’t be reused for targeted marketing unless you obtain new consent. Set clear retention schedules and delete or anonymise data - like in-store heat maps - once it’s no longer needed for its original purpose.

Consider using Data Clean Rooms for secure collaboration with brand partners. These spaces allow joint data analysis without exposing raw personal information. Similarly, opt for contextual advertising that targets content rather than individual behaviours. This approach supports effective real-time bidding without relying on cookies or cross-site tracking.

Be selective with your vendor list. Reducing the number of third-party vendors in your CMP simplifies user experiences and can improve consent rates, as shorter, more familiar lists are less overwhelming. Keep in mind that in Europe alone, personal data related to online behaviour is collected and shared 197 billion times daily by over 1,000 firms within the RTB ecosystem. Limiting vendor relationships reduces both complexity and risk.

Technical Security and Governance

After ensuring consent and limiting data collection, the next critical step is safeguarding the remaining data. Strong technical measures are essential for complying with GDPR, as they protect both data and user privacy.

Securing Data in RTB Systems

Real-time bidding (RTB) operates on an enormous scale - Google's RTB system alone spans around 33.7 million websites. To secure this data, encryption should be applied at every stage of bid requests. Cookies used in RTB systems are typically encrypted or encoded to block unauthorised access to user identifiers.

The IAB Transparency and Consent Framework (TCF) 2.3 became mandatory on 28 February 2026, introducing a "Disclosed Vendors" segment. This segment, a binary bitfield in the TC String, confirms which vendors were presented to users in the Consent Management Platform (CMP) interface. Publishers who continue using outdated TCF 2.2 strings face CPM reductions of 60–80%, as major demand-side platforms (DSPs) treat such inventory as lacking user consent.

"TCF 2.3's defining change introduces a mandatory Disclosed Vendors segment in the TC String. This technical fix eliminates the 'ghost vendor' problem where vendors received consent signals despite never being shown to users." - Secure Privacy

To avoid revenue loss, ensure your CMP is Google-certified and supports TCF 2.3. Also, make sure TC strings remain intact through OpenRTB bid requests to supply-side platforms (SSPs) and DSPs, keeping the disclosure bitfield unaltered throughout the process. For collaborative campaigns, consider using Data Clean Rooms, which encrypt and anonymise data to maintain privacy.

Additionally, enforce strict access controls and monitor all activity to protect your network's data.

Access Controls and Activity Monitoring

Limit data access strictly to those whose roles necessitate it. Clearly define roles in Data Processing Agreements (DPAs) to determine whether your organisation functions as a Data Controller or Data Processor, as this distinction carries specific legal responsibilities.

"Agencies must urgently clarify their role. Are they data controllers or processors? This isn't semantics; it's a legal distinction with serious consequences." - Natalie Hatch, Audience and Data Partnership Lead, Kinesso Australia

Maintain detailed, time-stamped logs that record who accessed data and when. Strengthen security with multi-factor authentication and enforce strong, unique passwords across all systems handling customer data. In the event of a breach exposing personal information, authorities and affected individuals must be notified within 72 hours. Non-compliance with GDPR can lead to fines of up to €20 million or 4% of global annual turnover, whichever is higher. In 2024 alone, over €1 billion in fines were issued by data protection regulators.

Audit contracts with third-party vendors to ensure they meet the same access control standards. Require employees and subcontractors handling personal data to sign confidentiality agreements, and conduct regular privacy audits to uncover potential risks or compliance gaps.

Strong access controls lay the groundwork for privacy-conscious campaign reporting, which is discussed next.

Campaign Reporting Without Personal Data

You don’t need personal identifiers for effective campaign reporting. Shift to aggregate reports that provide insights like ROI and total spend, without tracking individual users. Privacy-preserving systems, such as Apple’s PCM, limit reporting to 256 parallel ad campaigns and 16 conversion event types per website or app. Attribution reports are sent after a random delay of 24 to 48 hours.

Google Consent Mode v2 Advanced can help model conversion data while maintaining privacy. Implement server-side tagging to ensure no personally identifiable information leaves your internal systems before reaching analytics platforms. Tools like Google Analytics can anonymise IP addresses, enabling you to measure performance while safeguarding user identities.

"New tools will have to balance the limitations on the breadth of metrics and granularity of reports, so that users cannot be identifiable." - Mateusz Rumiński, RTB House

For an alternative approach, consider contextual targeting. This method places ads based on the content or topic of a page rather than tracking individual users, providing effective performance insights without personal data. This aligns with GDPR's "data protection by design" principle, embedding privacy into your reporting systems from the outset.

Maintaining Compliance Over Time

Staying GDPR-compliant isn’t a one-and-done task. Privacy laws evolve, websites undergo changes, and the ad tech landscape is constantly shifting.

Detecting Issues in Real-Time

Automated monitoring tools are essential for catching potential issues before they turn into regulatory violations. A Consent Management Platform (CMP) can track consent signals in real-time, flagging anomalies like sudden spikes or drops in consent rates that might signal a technical glitch in your system. Automating data deletion or anonymisation for unnecessary information is another key step. Interestingly, 59% of global marketers credit AI with driving campaign optimisation - highlighting the importance of regularly auditing AI datasets for potential biases or inaccuracies.

"GDPR compliance is not a one-time project. Privacy regulations evolve, your website changes, and the ad tech ecosystem shifts."

• Clickio

Real-time monitoring lays the groundwork for scheduled audits, ensuring your systems remain compliant and functional.

Scheduling Regular Audits

Set reminders to review your compliance efforts quarterly and conduct a full technical audit annually . Additional audits should also be triggered whenever you introduce new tracking scripts, update consent mechanisms, or integrate third-party services. These audits should include rigorous technical checks. For example, test various user scenarios - like no interaction, "Reject All", "Accept All", or granular consent choices. Use browser developer tools to confirm that no personal data (e.g., IP addresses, cookies, or device IDs) is transmitted before consent is explicitly given.

Additionally, run tabletop exercises at least once a year to ensure your Security Breach Response Plan can meet the 72-hour notification requirement. These regular reviews help maintain accurate and up-to-date compliance records.

Monitoring Activity	Frequency	Key Objective
ROPA Update	Ongoing / Per Change	Document new data flows and third-party scripts
Privacy Policy Review	Every 6 Months	Ensure transparency about current data processors
Breach Response Testing	Annually	Test the 72-hour notification procedure
Vendor List Audit	Quarterly	Remove inactive vendors to improve consent rates

Recording Compliance Activities

Maintaining a Record of Processing Activities (ROPA) is crucial. This document should outline what personal data you’re collecting, why you’re collecting it, the lawful basis for processing it, and how long it will be retained. Update this record whenever you add or remove a third-party service.

Detailed consent logs are equally important. These logs should include timestamps, user actions, and notice versions. Supervisory authorities might request HAR files, server logs, or consent records during investigations. Additionally, ensure that Data Processing Agreements (DPAs) are in place for all third-party services, and keep your vendor list current.

With 77% of Australians prioritising privacy over personalisation, thorough documentation not only protects compliance but also helps safeguard your organisation’s reputation.

"Ignorance is not bliss here; it's a liability. Agencies must swiftly assess their position and ensure DPAs are air-tight."

• Natalie Hatch, Audience and Data Partnership Lead, Kinesso Australia

Using Adflux CMS for GDPR Compliance

Adflux CMS combines effective governance tools with built-in privacy controls to align with GDPR requirements while maintaining campaign efficiency. These features integrate privacy measures directly into campaign workflows, ensuring compliance without sacrificing performance.

Privacy-Focused Programmatic Integration

Adflux CMS employs AI-powered vision analytics to estimate customer demographics, such as age, when shoppers approach screens. This approach adheres to GDPR's data minimisation principle by using real-time, anonymous signals instead of tracking individuals over time. Remote monitoring ensures playback status is verified and detects any unauthorised content or irregularities. Automated playback reports create a clear audit trail. Considering that 87% of consumers would avoid businesses they distrust with security practices, these features not only support compliance but also strengthen customer confidence.

Centralised Data Governance

Adflux CMS restricts access to sensitive campaign data and system settings, ensuring only authorised personnel can make changes. Administrators can assign role-based permissions and revoke access when responsibilities shift, upholding GDPR's principles of integrity and confidentiality. The screen grouping tool allows retailers to organise displays by region, ensuring that location-specific compliance requirements and privacy notices are accurately deployed. By integrating with external databases like inventory systems via APIs, the CMS facilitates dynamic, error-free content updates. Advanced scheduling tools further enhance compliance by allowing teams to pre-approve content to meet privacy standards.

Real-time compliance monitoring adds another layer of protection, keeping your network secure and aligned with GDPR requirements.

AI Tools for Compliance Monitoring

Real-time health checks ensure screens are functioning and network integrity is maintained, while automated monitoring identifies potential issues early, reducing the need for manual intervention.

"The future of digital advertisement belongs to the ad tech companies that can devise innovative solutions to balance privacy with profitability."

• Scarlett Zhu

Adflux CMS also supports the industry's shift toward contextual advertising by enabling content adjustments based on environmental factors rather than individual browsing history. This privacy-conscious approach aligns with the move away from behavioural tracking, particularly after the June 2025 Belgian court ruling that deemed the Transparency & Consent Framework - used by around 80% of tracking-based advertising - as illegal.

Conclusion

GDPR compliance has become a key advantage for retail media networks. Retailers that emphasise transparent data practices are better equipped to tap into the growing opportunities in this market. Strong privacy measures not only meet legal requirements but also influence purchasing decisions and build lasting brand loyalty.

The decline of third-party cookies has amplified the value of first-party data and the need for privacy-by-design. By leveraging purchase history and loyalty data while maintaining compliance, retailers can establish trust with their customers. Giulia Sala, Partner and Co-Head of Data Protection at DGRS, highlights this efficiency:

"In some cases, having a single DPIA for multiple marketing activities... is not only legally more correct but also a significant advantage in terms of saving the company's time and resources, thereby gaining efficiency".

This shift calls for integrated systems that simplify privacy management while maintaining performance. Tools like Adflux CMS embed privacy controls directly into campaign workflows, centralising governance, automating compliance monitoring, and integrating privacy into programmatic processes. By automating tasks like content generation, partner management, and campaign execution, retailers can reduce manual effort while adhering to strict data protection standards.

Compliance isn’t a one-off task - it’s an ongoing process. Regular audits, real-time monitoring, and clear accountability are essential. By staying committed to these practices, retailers not only meet their legal obligations but also strengthen customer relationships. Continuous compliance is the foundation for securing both your legal standing and your customers' trust.

FAQs

Do we need a DPIA for our retail media network?

Absolutely. Conducting a Data Protection Impact Assessment (DPIA) is a smart move for retail media networks. Why? It helps identify and address potential risks tied to processing personal data. This is especially crucial in areas like GDPR compliance and real-time bidding, where user data is often at the core of operations.

By performing a DPIA, you ensure that your network not only meets data privacy standards but also protects user information effectively. It’s a proactive step towards maintaining trust and avoiding privacy pitfalls.

How do we keep RTB compliant without losing revenue?

To keep RTB compliance intact while protecting revenue, it's crucial to prioritise robust data privacy practices that align with GDPR and local laws. Focus on clear user consent, leveraging first-party data, maintaining transparency in how data is handled, and incorporating privacy-first programmatic approaches into your strategy. Tools like Adflux CMS can help streamline this process, offering secure and efficient campaign management designed specifically to meet compliance needs.

What GDPR proofs should we keep for audits?

When conducting audits, it's crucial to keep timestamped, reproducible records of all data processing activities. This includes maintaining detailed logs of user consent, compliance documentation, and any responses to data-related requests. Be sure to also document cookie management processes and ensure everything aligns with GDPR requirements. These records should be well-organised and easily accessible for review when needed.