Is Dynamic Marketing Compliant with GDPR? The Case of GDPR Marketing


This article is a guest post from the team at Cookiebot. They share their insights into GDPR and how it affects online businesses. This topic is of interest to you, and you have to watch out for this kind of things with your WordPress configuration. 


In this post, Cookiebot will clarify the issues between dynamic marketing and GDPR compliance.

First, we’ll take a look at what exactly dynamic marketing is, after which we’ll get into the General Data Protection Regulation (GDPR) and what, specifically, it has to say regarding this particular area of interest. 

We’ll look at what consent means in the context of this EU law, and ultimately what it means for your prospects of dynamic marketing.

What is Dynamic Marketing?

Dynamic marketing is the recording of the activity – the comings and goings – of a website visitor and potential customer, and the use of this information for the purpose of optimizing sales.

It is the tracking of user behavior, potentially down to every click, scroll and hover in order to personalize, push and follow-up on their activity on the website with a targeted advertisement.

Heatmaps example
Heatmaps example

So, dynamic marketing relies on an accumulation of data about each user: how they arrive at a website, what they click on, the speed with which they scroll, where their mouse rests and for how long, what they’ve purchased in the past, whether they look at an offer or not and whether they buy it or not.

That’s the dynamic part.

The marketing part is the persistent, personalized and targeted follow-up by the commercial entity with the effort of trying to persuade the visitor to buy what they’ve expressed interest in.

Now, all that dynamic information is actually personal data, according to the GDPR.

But what does that mean and what consequences does it have for dynamic marketers? 

What is the GDPR?

The General Data Protection Regulation came into effect on May 25, 2018, and is binding and uniform law in all EU member states.

Its scope is global in the sense that any website in the world who has a visitor from the EU is bound to be compliant with the GDPR or risk fines up to €20 million or 4% of the company’s annual global turnover, whichever is highest.

So, what does GDPR compliance mean?

Well first off, personal data is defined in Article 4 of the GDPR as “any information relating to an identified or identifiable natural person”. 

Article 4 GDPR

A user’s online behavior, IP-address, e-mail and other information that can identify them after a visit to a website is therefore personal data under the GDPR, even data that in itself is not personal, but that can identify an individual if accumulated and combined with other data.

For example for the purpose of targeted marketing. 

This is known as processing and is defined, also in Article 4, as “any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, or not.”

What this means is that if a website either directly or by means of third party services records, collects, stores, organizes and/or uses any of this data for targeted marketing purposes (as you do in dynamic marketing), you must first obtain consent from the user.

The GDPR unambiguously prohibits any processing of personal data without the prior consent of the user (Article 7).

This means that none of the behavioral data – clicks, scrolls, past purchases, IP-addresses, geo-location, etc. – is allowed to be harvested, stored and used for marketing purposes, or sold, alternatively, to third-party ad tech companies, without the individual giving their consent – their “okay”.

The GDPR makes it very explicit and pronounced that “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”.

Last but not least, consent is only real if it can be withdrawn again, and “it shall be as easy to withdraw as to give consent”.

So, how is consent obtained?

GDPR Marketing Checklist: How is Consent Obtained Compliantly?

Most websites in the world use cookies – small text files installed on a user’s device with the purpose of obtaining information about the visitor.

Some cookies are activated upon arrival on a website, others are activated when a user clicks, scrolls, visits sub-pages and so on.

Cookie notice
Example of cookie notice you receive on Alkalab’s website

While some cookies are non-intrusive and necessary for the basic functions of the website, other cookies serve analytical and marketing purposes, allowing third-party trackers to collect personal data for behavioral advertisement and many other purposes, some of which are hidden and obscure.

A website must, according to the GDPR, inform their visitors upon arrival of the cookies and other tracking technology present and operating on their website prior to the setting of all cookies but the strictly necessary. This is typically done in a cookie banner that pops up on the landing page. 

Illegal cookie banners are banners that do not provide the visitor with any information on the specific cookies, their function, and purpose, nor enables the visitor to consent to – or opt-out of – any cookies apart from the necessary ones.

Legal cookie banners, on the other hand, are banners that explicitly and clearly lists all cookies and all tracking – their function, purpose and operator.

They enable the visitor to properly consent by giving them the full control of opting out of marketing cookies, if they don’t want their personal data to be used for targeted, behavioral advertisement or shared with unknown third-parties.

More advanced cookie notice from Cookiebot
More advanced cookie notice from Cookiebot

There’s more! Fully compliant cookie banners must have marketing cookies deactivated by default, i.e. marketing cookies have to be switched on manually by the visitor before activated by the website.

This is not the same as the visitor clicking “okay” on a banner, because the banner must have marketing cookies deactivated by default – so if the visitor quickly clicks “okay”, then what they are clicking “okay” to is, in fact, the deactivated marketing cookies.


Well, remember from above that real consent is a “clear and affirmative act”. Affirmative is the keyword.

The visitor must actively consent marketing cookies, which means they have to actively, affirmatively spend those extra seconds turning the marketing cookies on.

Phew… with us so far?

Consensual dynamic marketing?

In this post-GDPR world of ours, there is only one scenario of compliant dynamic marketing. 

It is this – 

A visitor lands on a website and is presented with a cookie banner that informs them about all cookies and tracking on the website.

The visitor spends a couple of seconds glancing over the different cookies.

Or perhaps they don’t, maybe they suffer from consent fatigue, like so many other users, as a result of having been overexposed to non-compliant banners leaving them no true choice but to accept. 

But let’s say, in this scenario, that the user, in fact, does choose to activate marketing cookies.

This means that they consent to have their personal data used for behavioral advertisement.

In that case, yes, a website owner and company is free to use this data to pursue dynamic marketing towards a visitor with all that that entails.

Is WordPress GDPR Compliant?

And what about WordPress websites in all of that? Alkalab could not accept an article without talking about WordPress.

So they have added their part below.

WordPress core software is GDPR compliant, since WordPress version 4.9.6.

There has been an integration of several GDPR enhancements by the WordPress development team to make sure that WordPress is GDPR compliant.

Due to the dynamic nature of most websites, no single platform, extension or solution can provide 100% GDPR compliance.

The compliance process of GDPR will vary based on the type of website, the type of collected and stored, and the procedure of data processing on the website site.

By default, WordPress now comes with the following GDPR enhancement features:

1. Comments Consent

Formerly WordPress used to store information like commenter’s name, email and website as a cookie on the browser of the user by default and this made it very easy for users to comment on their favorite blogs because those fields were already pre-populated.

Due to the consent requirement of GDPR, WordPress has integrated the comment consent checkbox which enables the user to leave a comment without checking this box.

This means that they would have to enter their name, email, and website manually every time they leave a comment.

2. Data Export and Erase Feature

WordPress provides website owners with the ability to comply with the data handling requirements of GDPR and honor the request of users for exporting personal data and removal of the user’s personal data.

The data handling features of GDPR can be found under the Tools menu inside WordPress’ admin dashboard.

3. Privacy Policy Generator

WordPress now comes with an inbuilt privacy policy generator features, to provide a pre-made privacy policy template.

This makes it easy for the website owner to be transparent with the users as regarding the type of data acquired, stored and how the data is used.

Pro Tip: Use a cookie manager plugin on your website. Guess what? Cookiebot has a WordPress plugin available for free on WordPress.org.

Conclusion: How to Get GDPR Compliant Dynamic Marketing?

In order to continue using dynamic marketing in compliance with the GDPR, your website needs to obtain prior consent from the user, i.e. that the user activates your website’s marketing cookies. 

According to the GDPR, the control of a user’s personal data must be in the hands of the user themselves. 

So if you want to continue exercising dynamic marketing on your website, your task is to persuade your visitors to opt-in for the marketing cookies.

You’ll have to tell them why it’s a good idea, what you can offer, how their experience of your site and your products will be enhanced by this opt-in.

In this post-GDPR world, the currency of transparency and privacy is worth more and more in the context of marketing.

As your customers become more informed and critical users, they will also expect and demand autonomy and security in how their data is handled online.

The balance to be struck for websites doing dynamic marketing now is to be totally GDPR compliant while offering safe and privacy-respecting advertisement options that can persuade users to activate those marketing cookies.