Regulation (EU) 2024/900, often referred to as GDPR 2024/900 or the political GDPR, came into force in October 2025. Together with the TTPA (Transparency and Targeting of Political Advertising), it reshapes how political and advocacy organizations across Europe collect, manage, store, and use data to influence public opinion.
This new framework introduces the strictest transparency and data-protection rules ever applied to political communication in Europe. It impacts political parties, campaigns, NGOs, unions, nonprofits, grassroots movements, and any organization capable of shaping public opinion.
While the regulation may feel like an intimidating change, it also opens the door to new opportunities for organizations - a more complete, less fragile database being one of them.
What Is the Regulation on Transparency and Targeting of Political Advertising (TTPA)?
The TTPA (Transparency and Targeting of Political Advertising Act) is an EU regulation that governs how political messages can be distributed online, especially through paid advertising.
The official text is available here:
Transparency and Targeting of Political Advertising – Regulation (EU) 2024/900
The TTPA aims to ensure that citizens always know:
- who is behind a political message
- how it is funded
- why they are seeing it
- what data was used for targeting
Combined with GDPR 2024/900, it creates the first truly comprehensive political data and transparency framework in the world.
What Is Regulation (EU) 2024/900 (GDPR 2024/900)?
Regulation (EU) 2024/900 on the transparency and targeting of political advertising extends GDPR principles specifically to political and advocacy-related activities. Many refer to it as GDPR 2024/900 or GDPR 900 because it functions like a political GDPR.
It applies to:
- political parties
- candidates and campaign teams
- NGOs and nonprofits
- advocacy groups
- unions
- grassroots movements
- associations
- influencers involved in political communication
In short: if you shape public opinion, you will be impacted by GDPR 2024/900.
The regulation aims to:
- protect democratic integrity
- stop the misuse of personal data in politics
- bring transparency to digital influence
- limit opaque micro-targeting
- rebuild trust in political communication
This regulation represents a new era for political and civic organizations - one with more responsibility, but also more opportunity.
A Post-Advertising Landscape
One of the most visible consequences of Regulation (EU) 2024/900 and the TTPA is the end of micro-targeted political advertising.
Even in countries where political ads were already restricted during elections, the new rule goes further:
- No more targeted political ads
- No more algorithm-driven audience segmentation
- No more voter-profiling from purchased lists
This is quite a major shift. Campaigns and nonprofits can no longer rely on hyper-targeted ads to influence voters or supporters. This forces organizations to rethink how they reach people - and to rebuild trust through direct, transparent relationships rather than invisible targeting.
A Consent-First Strategy: Direct Data Only
Under GDPR 900, organizations can no longer buy, rent, or exchange data files.
You may now use only the data you collect yourself through traceable, explicit, and purpose-specific consent.
That means:
- No voter files imported from other sources
- No commercial brokers
- No more “grey-zone” contact lists from partners
Only direct consent counts.
Consent must also be specific and layered. When someone signs a petition or registers for an event, they must explicitly choose:
- “Do you want to receive updates about this campaign?”
- “Do you want to stay informed about the organization after the election?”
For organizations, this clarity is a turning point:
- it defines exactly what each contact wants
- it strengthens long-term engagement
- it reduces legal risk
Rebuilding Your Database
Because external lists are no longer allowed, Regulation (EU) 2024/900 forces organizations to rebuild their entire database based on their own actions and relationships.
You now grow your database through:
- petitions
- volunteer recruitment
- events and training sessions
- mobilization actions
- community organizing
- digital interactions
This may feel limiting - but it is also one of the biggest opportunities created by GDPR 900.
With specific multi-layer consent, the data you collect today is no longer “campaign-limited.” You can maintain engagement long after an election cycle and build resilient, long-term communities rather than starting from zero every election.
This is the foundation of a healthier political data ecosystem.
Seven Years of Retention (with proof)
Another major change in GDPR 2024/900 is the new retention period.
- you can keep political data for seven years
- you must store proof of consent for seven years
It’s no longer enough to simply have someone in your database. You must be able to show:
- when they consented
- how they consented
- for what purpose they consented
This requires major updates to CRMs, mobilization tools, and in-house systems. Data retention is now a compliance and technology issue, not just a legal one.
Transparency as a Non-Negotiable Requirement
Under Regulation (EU) 2024/900 and the TTPA, every political communication must include a transparency note, even if it is not an advertisement.
You must disclose:
- who is behind the action
- how it is funded
- what data is collected
- why the message is being delivered
- how a user can exercise their rights
This applies to:
- websites
- petitions
- donation pages
- email campaigns
- mobilization forms
At Qomon, this is why we’re working on a standardized transparency page module - something easily activated on any form or website, ensuring compliance without having to rebuild completely.
From Clicks to Relationships: A Strategic Shift
Regulation (EU) 2024/900 and the TTPA shift the digital strategy of campaigns and nonprofits away from paid influence and toward direct, community-based mobilization.
Your strategy must now focus on:
- organic touchpoints
- volunteer-driven outreach
- supporter-generated content
- community-led growth
- repeated, meaningful engagement
- relational organizing
This encourages a healthier and more democratic model of mobilization.
A Technical Challenge for Political Parties & Nonprofits
GDPR 2024/900 introduces significant technology and system requirements.
Your tech stack must support:
- multi-layer consent
- consent export and proof
- seven-year retention
- transparency banners across all channels
- reactivation flows
- audit logs
- compliance reporting
If your system is:
- built in-house → expect major development requirements
- from outside the EU → expect compliance gaps
- a generic CRM → likely not flexible enough
This is why many organizations are switching to tools that automatically support Regulation (EU) 2024/900 compliance, such as Qomon.
How GDPR 2024/900 Works With the TTPA
Together, GDPR 2024/900 and the TTPA create a complete political data framework:
GDPR 2024/900
- governs data collection
- defines consent rules
- sets retention obligations
- mandates proof and traceability
TTPA (Transparency and Targeting of Political Advertising)
- governs political advertising
- mandates transparency notices
- restricts targeting
- prevents hidden influence
_________
Frequently Asked Questions
Is there a political GDPR in Europe?
Yes. GDPR 2024/900 (Regulation (EU) 2024/900) effectively introduces a political GDPR applying to political parties, campaigns, elected officials, NGOs, unions, nonprofits, advocacy groups, and any organization that can influence public opinion.
What is Regulation (EU) 2024/900 on transparency and targeting of political advertising?
It is a European regulation governing transparency, data collection, and targeting of political communications. It bans micro-targeting, mandates transparency notes, and requires explicit consent for all political data.
How can organizations comply with Regulation (EU) 2024/900?
To comply, organizations must:
- use only direct, explicit, traceable consent
- store consent proof for seven years
- add transparency notes to all political communications
- rely on their own database
- avoid imported or purchased data
- ensure their CRM supports layered consent and audit logs
Does the TTPA ban political advertising?
The TTPA does not ban all ads, but it restricts political advertising heavily and requires high transparency. Combined with GDPR 900, targeted political advertising is no longer allowed.
Why was Regulation (EU) 2024/900 created?
- to protect democratic integrity
- to stop abusive data practices
- to bring transparency to political influence
- to define clear consent rules
- to limit secretive targeting
- to rebuild public trust
Used correctly, this regulation helps organizations build stronger, less fragile databases and healthier long-term engagement strategies.