Quick Answer: Retargeting done right means re-engaging users who have already shown interest in your brand, but only with their explicit consent, using first-party data and privacy-preserving technologies. With 172 countries now enforcing data protection laws [10] and Google Ads losing 25-40% of data due to cookie rejections [8], the old pixel-and-cookie approach is both legally risky and technically unreliable. The path forward combines consent management, server-side tracking, and contextual strategies.
Key Takeaways
- Retargeted ads achieve a click-through rate of 0.9%,1.2%, roughly ten times higher than standard display ads, and retargeted visitors are 70% more likely to convert [4].
- Under GDPR and CCPA/CPRA, retargeting pixels constitute regulated data-sharing events that require explicit user consent before firing [2][7].
- First-party data, collected directly from users with consent, is now the most reliable and legally sound foundation for retargeting audiences.
- Server-side tracking and conversion APIs can recover up to 28% more accurate conversion attribution compared to client-side methods [5].
- Google's Privacy Sandbox recovered approximately 46.3% of lost ad clicks after third-party cookie removal [3].
- As of January 2026, states including Kentucky, Rhode Island, and Indiana enacted privacy laws requiring clear opt-out mechanisms for targeted advertising [1].
- Frequency capping is not optional: overexposure to retargeting ads drives ad fatigue and damages brand perception.
- A consent management platform (CMP) such as Biscotti CMP is a practical starting point for ensuring compliant consent collection before any retargeting pixel fires.
What Is Retargeting and How Does It Work
Retargeting is a digital advertising technique that serves ads to users who have previously visited a website, engaged with an app, or interacted with brand content, but did not complete a desired action such as a purchase or sign-up. It works by placing a tracking pixel or JavaScript tag on a web property; when a user visits, that tag records their behavior and adds them to an audience segment that ad platforms can later target.
The mechanism traditionally relied on third-party cookies stored in the user's browser. When the user visited another site in the same ad network, the cookie identified them and triggered a relevant ad. This approach is now under significant legal and technical pressure, which is precisely why retargeting done right requires a fundamentally different architecture in 2026.
How the basic flow works:
- User visits your website and a consent layer is presented.
- If the user consents, a tracking pixel fires and records their session behavior.
- The user is added to an audience segment on an ad platform.
- When that user browses elsewhere, they see a targeted ad from your brand.
- Click-through and conversion data flows back to your analytics stack.
Retargeting vs. Remarketing: What Is the Difference
These terms are often used interchangeably, but there is a meaningful distinction. Retargeting primarily refers to paid ad campaigns served to anonymous or identified users based on prior web behavior, typically via pixel-based audience lists. Remarketing more commonly refers to re-engaging known contacts, such as email subscribers or past customers, through direct channels like email or SMS.
The practical implication: remarketing operates on data you already own with established consent, making it inherently lower-risk from a privacy standpoint. Retargeting, because it involves third-party ad platforms and behavioral tracking, requires more rigorous consent infrastructure.
How to Do Retargeting Without Violating Privacy Laws
Retargeting done right without violating privacy laws requires three non-negotiable foundations: lawful consent collection, data minimization, and transparent disclosure. Every retargeting campaign must begin with a documented legal basis for processing user data, in most jurisdictions, that means explicit, informed consent.
Core compliance requirements by framework:
| Regulation | Key Requirement for Retargeting |
|---|---|
| GDPR (EU) | Explicit opt-in consent before any tracking pixel fires [2] |
| CCPA/CPRA (California) | Opt-out right; pixels classified as "sharing" personal data [7] |
| U.S. State Laws (2026) | Clear opt-out for targeted advertising (Kentucky, Indiana, Rhode Island, etc.) [1] |
| Global (172 countries) | Data protection laws now cover 79% of nations worldwide [10] |
The most common compliance failure is firing retargeting pixels before consent is obtained. A properly configured CMP, such as Biscotti CMP, blocks all non-essential scripts, including advertising pixels, until the user has actively consented. This single architectural decision eliminates the most significant legal exposure.
GDPR-Compliant Retargeting Strategies
Under GDPR, retargeting pixels that drop advertising identifiers are regulated events requiring explicit user consent prior to execution [2]. Consent must be freely given, specific, informed, and unambiguous, pre-ticked boxes and implied consent do not meet the standard.
Strategies that hold up under GDPR scrutiny:
- Consent-gated pixel firing: Use a CMP to ensure pixels only fire post-consent. Biscotti CMP (www.biscotti-cmp.com) supports granular consent categories so users can accept analytics while rejecting advertising trackers.
- First-party audience lists: Build audiences from CRM data and email subscribers who have explicitly opted into marketing communications.
- Contextual targeting as a complement: Serve ads based on page content rather than user identity, no personal data required.
- Data retention limits: Audience lists must not retain user data longer than necessary. Define and enforce expiry windows on all retargeting segments.
First-Party Data vs. Third-Party Cookies for Retargeting
First-party data is information collected directly from users on your own properties, with their knowledge and consent. Third-party cookies are identifiers set by external ad networks that track users across sites they did not directly visit. For retargeting, first-party data is now the superior choice on every dimension: legal compliance, data accuracy, and longevity.
Google Ads experienced a 25-40% data loss due to cookie rejections in 2026 [8], and Google's own Privacy Sandbox, designed to replace third-party cookies, recovered only about 46.3% of lost ad clicks [3]. That gap represents real campaign performance that cannot be recovered without a first-party data strategy.
First-party data sources for retargeting audiences:
- Email and SMS subscriber lists (with documented opt-in)
- Customer purchase and behavioral history from your CRM
- On-site behavioral data collected via server-side tracking with consent
- Loyalty program participation data
- Gated content downloads and webinar registrations
How to Build Retargeting Audiences Ethically
Building retargeting audiences ethically means treating data collection as a value exchange, not an extraction. Users who understand what data is collected and why, and who see relevant, non-intrusive ads as a result, are far more likely to remain engaged. A 2022 study found 76% of consumers were comfortable being targeted based on media consumption, while 42% expressed concern about online data privacy [6]. The gap between those two numbers is where trust is built or lost.
Ethical audience-building checklist:
- Present a clear, honest consent notice before any tracking begins.
- Offer genuine control: let users opt out of advertising cookies while keeping functional ones.
- Segment audiences by intent level, not just by visit recency.
- Apply frequency caps to prevent overexposure, ad fatigue is both a user experience failure and a budget drain.
- Exclude users who have already converted from acquisition-focused campaigns.
- Honor opt-out requests promptly and suppress those users from all audience lists.
Best Retargeting Platforms That Respect Privacy
No retargeting platform is inherently privacy-compliant, compliance depends on how the platform is configured and what consent infrastructure sits in front of it. That said, platforms that support server-side event APIs, consent signal integration, and audience suppression tools give marketers the best foundation for compliant campaigns.
Features to require from any retargeting platform:
- Consent Mode support (ability to receive and respect user consent signals)
- Server-side API for conversion and audience data (reduces browser-side exposure)
- Audience suppression and exclusion list functionality
- Data retention controls at the audience segment level
- Documented data processing agreements (DPAs) for GDPR compliance
Pair any platform with a CMP like Biscotti CMP to ensure consent signals are passed correctly before any platform tag activates.
Common Retargeting Mistakes That Hurt Privacy and Performance
The most damaging retargeting mistakes combine legal risk with poor campaign performance, they are not separate problems.
- Firing pixels before consent: The single most common GDPR and CCPA violation. Pixels transmit behavioral data to third-party platforms the moment they fire [2][7].
- No frequency cap: Showing the same ad 20+ times to one user is both legally questionable (unnecessary data processing) and commercially counterproductive.
- Retargeting converted users: Continuing to serve acquisition ads to customers who already purchased wastes budget and frustrates users.
- Ignoring cross-device gaps: With the average U.S. consumer using 3.6 devices, campaigns that only track one device miss up to 38% of potential conversions [9].
- Vague privacy disclosures: Disclosures must specifically name the categories of data collected and the third parties receiving it, generic "we use cookies" language does not satisfy GDPR or CCPA requirements.
How to Get User Consent for Retargeting Ads
User consent for retargeting ads must be collected before any tracking script fires, must be specific to advertising purposes, and must be as easy to withdraw as it was to give. Under GDPR, bundling advertising consent with functional cookie consent is not permitted.
Practical consent collection steps:
- Deploy a CMP (such as Biscotti CMP) that presents a layered consent notice on first visit.
- Categorize cookies clearly: distinguish "Analytics," "Advertising," and "Functional" in plain language.
- Default all non-essential categories to "off", users must actively opt in.
- Log consent records with timestamps and version identifiers for audit purposes.
- Provide an accessible mechanism (footer link, account settings) for users to modify or withdraw consent at any time.
- Propagate consent signals to all downstream ad platforms via Consent Mode integrations.
Retargeting Without Cookies After Third-Party Cookie Deprecation
Retargeting without third-party cookies is viable, but it requires shifting from browser-based tracking to identity-based and server-side approaches. The deprecation of third-party cookies does not eliminate retargeting, it eliminates the laziest version of it.
Cookie-free retargeting methods:
- Server-side tracking and Conversion APIs: Brands using server-side tracking report up to 28% more accurate conversion attribution [5]. Data is sent directly from your server to the ad platform, bypassing browser restrictions entirely.
- Hashed email matching: When users log in or submit a form, their hashed email address can be matched against platform customer lists (e.g., customer match features) without any cookie involvement.
- Privacy Sandbox APIs: Google's Topics API and Protected Audience API provide interest-based and remarketing signals without exposing individual user identities.
- Contextual retargeting: Target users based on the content they are currently viewing rather than their historical behavior.
Who Should Use Retargeting and When Is It Not Appropriate
Retargeting is most effective for brands with meaningful website traffic (generally 1,000+ monthly visitors), a clear conversion funnel, and products or services with a longer consideration cycle. E-commerce, SaaS, travel, financial services, and B2B lead generation are natural fits.
Retargeting is not appropriate when:
- Your audience includes minors or vulnerable populations (heightened legal and ethical restrictions apply).
- You lack the consent infrastructure to collect and document user permissions.
- Your traffic volume is too low to build statistically meaningful audience segments.
- The product or service involves sensitive categories (health conditions, financial distress, political affiliation) where behavioral targeting carries disproportionate privacy risk.
How Much Does Retargeting Cost
Retargeting costs vary by platform, industry, and audience size. On most programmatic platforms, retargeting CPMs (cost per thousand impressions) range from $2 to $10 for standard display, with higher rates for video and premium placements. Search-based retargeting (RLSA on Google) operates on a cost-per-click model and typically commands a bid premium of 20-50% over standard search campaigns.
The more relevant cost consideration in 2026 is the investment in compliance infrastructure: a properly configured CMP, server-side tracking setup, and consent audit processes. These are not optional overhead, they are the foundation that makes any retargeting spend legally defensible.
Troubleshooting: Why Retargeting Is Not Working
When retargeting campaigns underperform, the cause is usually one of five issues:
- Audience too small: Most platforms require a minimum audience size (often 100-1,000 matched users) before serving ads. Low traffic sites will not reach this threshold.
- Pixel not firing correctly: Verify pixel firing in real time using browser developer tools or a tag auditing tool. Check that consent is being granted before the pixel fires.
- Audience segment too broad: "All website visitors" is rarely the right segment. Segment by page visited, time on site, or funnel stage.
- Ad creative fatigue: If CTR is declining week-over-week with the same audience, rotate creative. The 0.9%,1.2% benchmark CTR [4] assumes fresh, relevant creative.
- Attribution window mismatch: Ensure the conversion window in your ad platform matches your actual sales cycle length.
Alternatives to Retargeting That Respect Privacy
When retargeting is not feasible or appropriate, several privacy-respecting alternatives deliver comparable re-engagement outcomes.
- Email nurture sequences: For users who have subscribed, a well-structured email series is fully consent-based and often outperforms display retargeting for considered purchases.
- Contextual advertising: Targeting based on page content rather than user identity requires no personal data and performs well in brand-safe environments.
- Lookalike audiences from first-party data: Upload a hashed customer list to build a lookalike model, the platform finds similar users without tracking individuals across the web.
- On-site personalization: Use behavioral data collected on your own domain (with consent) to personalize content and offers for returning visitors, without involving any third-party ad network.
- Organic search and content: Users who find your brand through search are self-selected and high-intent. Investing in content that ranks for consideration-stage queries can replace a significant portion of retargeting volume.
Conclusion
Retargeting done right is not a compromise between performance and privacy, it is the recognition that sustainable performance requires privacy as its foundation. The brands that will win in 2026 and beyond are those that have built consent-first data infrastructure, shifted to server-side tracking, and treated user trust as a competitive asset rather than a compliance checkbox.
Actionable next steps:
- Audit every tracking pixel on your site. Confirm none fires before user consent is obtained.
- Deploy a consent management platform, Biscotti CMP provides the consent layer needed to gate advertising pixels properly under GDPR, CCPA, and 2026 U.S. state laws.
- Migrate at least one retargeting campaign to a server-side tracking architecture and measure the attribution improvement.
- Build a first-party data strategy: identify which touchpoints can collect consented behavioral data directly.
- Review audience segments for sensitive categories and apply appropriate exclusions.
- Set frequency caps on all active retargeting campaigns and schedule creative rotation every 2-3 weeks.
Privacy-compliant retargeting is not a narrower version of the old approach. It is a more disciplined, more durable, and ultimately more effective one.
FAQ
What is the difference between a retargeting pixel and a tracking cookie? A retargeting pixel is a small piece of code (usually a 1x1 image or JavaScript snippet) that fires when a user loads a page and sends data to an ad platform. A tracking cookie is the identifier stored in the user's browser that allows that platform to recognize the same user later. Both require consent under GDPR and most modern privacy laws.
Can I do retargeting without any cookies at all? Yes. Server-side tracking, hashed email matching, and Privacy Sandbox APIs all enable retargeting without relying on browser-stored cookies. These methods are more technically complex but are increasingly the standard approach.
Does GDPR apply to my retargeting campaigns if my business is outside the EU? GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. If EU users visit your website, GDPR applies to how you track and retarget them.
What is a consent management platform and do I need one? A CMP is a tool that presents users with a consent notice, records their choices, and controls which scripts fire based on those choices. Any website running retargeting pixels under GDPR or CCPA needs one. Biscotti CMP (www.biscotti-cmp.com) is purpose-built for this requirement.
How long can I keep a user in a retargeting audience? Data retention limits vary by regulation, but GDPR requires that personal data not be kept longer than necessary for its stated purpose. Most retargeting audiences should expire within 30-90 days, depending on the sales cycle. Longer windows require documented justification.
Is retargeting the same as behavioral advertising? Retargeting is a subset of behavioral advertising. Behavioral advertising broadly covers any ad targeting based on observed user behavior; retargeting specifically focuses on users who have already interacted with your brand.
What happens if a user opts out of retargeting after being added to an audience? You are legally required to honor the opt-out promptly. This means suppressing the user from all active audience lists and ensuring no further retargeting ads are served to them. Platforms with suppression list functionality make this operationally feasible.
How do I know if my retargeting is GDPR compliant? A compliant setup requires: (1) no pixel fires before consent, (2) consent is specific to advertising purposes, (3) users can withdraw consent easily, (4) consent records are logged and auditable, and (5) a Data Processing Agreement exists with every ad platform receiving user data.
Interactive Privacy-Compliant Retargeting Readiness Checker
References
[1] Retargeting Done Right Complying With 2026 Privacy Rules - https://www.theadfirm.net/retargeting-done-right-complying-with-2026-privacy-rules/?utm_source=openai
[2] Retargeting Pixels Consent Gdpr - https://www.flyn.to/blog/retargeting-pixels-consent-gdpr?utm_source=openai
[3] Papers (Privacy Sandbox Ad Click Recovery Study) - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4972368&utm_source=openai
[4] Retargeting Statistics - https://www.shno.co/marketing-statistics/retargeting-statistics?utm_source=openai
[5] Privacy Safe Retargeting What Works In 2025 - https://leadenforce.com/blog/privacy-safe-retargeting-what-works-in-2025?utm_source=openai
[6] ARF Research Initiatives: 5th Annual (2022) Privacy Study - https://www.warc.com/en/article/arf-research-initiatives%3A-5th-annual-%282022%29-privacy-study-292d5a31a6bb4ad998dc45d7e2f6b96d?utm_source=openai
[7] Identity Resolution CCPA CPRA Compliance 2026 - https://directmail.io/blog/identity-resolution-ccpa-cpra-compliance-2026?utm_source=openai
[8] Privacy AVG Statistieken Nederland 2026 - https://searchlab.nl/statistieken/privacy-avg-statistieken-nederland-2026?utm_source=openai
[9] Retargeting Statistics 2026 - https://searchlab.nl/en/statistics/retargeting-statistics-2026?utm_source=openai
[10] Data Privacy Statistics - https://app.stationx.net/articles/data-privacy-statistics?utm_source=openai