The EDPB’s new Guidelines 3/2025 clarify how the DSA and GDPR work together, reshaping marketing practices around transparency, profiling, recommender systems, and protection of minors. For marketers, compliance is not only about risk avoidance — it’s a competitive advantage that builds trust, loyalty, and reputational strength through ethical data use.
In September 2025, the European Data Protection Board (EDPB) adopted Guidelines 3/2025 on the interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). These guidelines set out how marketers and platforms must coordinate obligations under both regimes.
In the digital marketing realm, these changes represent something more than just a regulatory update. It provides context and clarity in an environment where many existing practices in online advertising, profiling, content recommendation, and platform governance become murky due to the ambiguity of how GDPR and the DSA might work together. These guidelines aim to create a clearer way for marketers to move forward with confidence.
The new guidelines provide a handful of important clarifications that should make marketers’ jobs easier:
The DSA requires real-time transparency about advertisement parameters. Under GDPR, there must be disclosure before processing of personal data begins. The guidelines highlight that marketers need to coordinate these so that transparency required under the DSA doesn’t come after data collection in a way that violates GDPR obligations.
Article 26(3) DSA prohibits ad presentation based on profiling using “special categories” of personal data (e.g., sensitive data). That is, even if one believes GDPR allows derogations, under DSA there is a stricter ban in those cases.
If content presentation or recommendation is done algorithmically in ways that significantly affect users, GDPR’s rules on automated decision-making (e.g. Article 22) may apply. The guidelines also state that platforms offering several types of recommendations must present options in ways that do not nudge users unfairly toward profiling-based systems.
Marketing to minors is especially sensitive. Providers should not estimate, verify, or permanently store ages or age ranges unless strictly necessary; rather they should use minimal identifiers for access to services. Also, profiling‐based ads directed toward minors are heavily restricted.
The DSA’s notice and action mechanisms (e.g., when users flag content) often involve processing personal data, which triggers GDPR obligations. The guidelines emphasize limiting data collection only to what’s necessary, and applying care to storing notifier identity unless there’s a strong reason.
The guidelines stress that the DSA does not override GDPR; rather both must be applied in a complementary way. They emphasize cooperation between Digital Services Coordinators, Data Protection Authorities, and other bodies. Also, codes of conduct under the DSA (for advertising, etc.) should align with GDPR, involve relevant stakeholders, and have measurable indicators.
We’ve said it before, and we will say it again: Consent and compliance are not just checking boxes. There’s increasingly strong evidence that doing consent well is a business differentiator — especially in marketing. Here are several insights from recent academic and practitioner research on how compliance, transparency, and ethical marketing practices build customer trust and loyalty.
Consumers are more likely to trust, engage with and remain loyal to brands that are open about their data practices – what is collected, how it is used, and what rights they have with regard to the data. Similarly, consumer research on ethical marketing and transparency showed that brands that embrace transparency enjoy greater reputational strength, higher engagement and deeper customer relationships.
From a marketing strategy point of view, the UK’s DMA (Data & Marketing Association) has noted that compliance is fast becoming a differentiator: customers care about how their data is handled, so companies that lead in privacy and transparency tend to gain advantage.
So, when guidelines like EDPB’s 3/2025 force clarity and restrict certain profiling/ad practices, they also set a level playing field. Marketers who adapt early are likely to benefit not just by avoiding legal risk or penalties, but by winning consumer confidence.
Given the new EDPB guidelines and the rising value of transparency, here are some actionable things marketing teams should do:
Audit your data flows: Map out what personal data is used (especially special category data), how it’s used in profiling, recommendations, advertising, etc., and where your current practices might run afoul of either GDPR or DSA rules.
Revisit transparency and notices: Ensure that disclosures to users happen before the processing begins (per GDPR), and that ad parameters, profiling, or targeting explanations meet DSA transparency requirements.
Limit profiling and use of sensitive data: Especially avoid profiling special category personal data for advertising, even if GDPR has a supposed base. The DSA prohibits this in many relevant contexts.
Check recommender systems and opt-out options: If you use algorithmic curation, ensure that users have options, that there’s minimal profiling when it isn’t strictly needed, and that systems are designed to avoid nudging toward more intrusive personalization.
Prioritize age protection: If your audience includes minors, ensure minimal collection of age data, use only what’s strictly necessary, avoid targeting based on estimated age ranges unless justified.
Use or help shape Codes of Conduct: Monitor the development of DSA advertising codes of conduct. Participating, or at least aligning internal policies to emerging codes, can give legal clarity and reputational benefit.
Train staff & set accountability: Many compliance failures come from misunderstandings. Make sure marketing, product, data-science, legal teams are synchronized. Document decisions regarding transparency, profiling, and consumer notices.
Adopt a consent management platform: Implementing a CMP helps ensure that user consent is collected, stored, and managed in a compliant way across all marketing and advertising systems. It also provides transparency for users, giving them control over their choices, and creates an auditable record of compliance for regulators.
The new guidelines are about more than avoiding fines — they reshape expectations around advertising, profiling, and transparency. And that’s good news: consumers are increasingly distrustful of opaque data practices and are rewarding brands that treat data responsibly.
©2025 CookieHub ehf.
