GDPR 900: A New Era for Political and Advocacy Data in Europe

The new GDPR 2024/900 regulation quietly reshapes the rules that govern how organizations collect, manage, and use data to influence public opinion. While intimidating, it also opens the door to new opportunities for organizations.

Layla Fakhoury
13/11/2025
6 minutes
A major shift is underway in the political and civic landscape across Europe. The new GDPR 2024/900 regulation, which came into effect in October 2025, quietly reshapes the rules that govern how organizations collect, manage, and use data to influence public opinion.

GDPR 900 isn’t just for political parties or candidates. It applies to campaigns, advocacy groups, NGOs, unions, grassroots movements, and even influencers - anyone capable of shaping civic or political behaviour. The goal behind the regulation is simple: make the public debate space more transparent, less manipulable, and more resistant to the unclear tactics that have marked the last decade of digital politics.

While the regulation may feel like an intimidating change, it also opens the door to new opportunities for organizations - a more complete, less fragile database being one of them.

A Post-Advertising Landscape

The most visible change brought by GDPR 900 is the end of political advertising as we’ve known it.

In some countries, advertising was already restricted during election periods. The new rule goes much further: targeted political ads won’t be allowed anymore - at any time.

This will likely be the first major change for political and advocacy organizations. No more micro-targeted ads across social platforms and no more relying on algorithms to push messages into highly segmented groups.

Beyond this, a bigger transformation lies in how organizations can collect and maintain data.

A Consent-First Strategy

Under GDPR 900, you can no longer buy, rent, or exchange data files.
Organizations must now rely entirely on direct, explicit, and traceable consent.

That means:

  • No more importing third-party databases
  • No more relying on commercial brokers
  • No more “grey-zone” contact lists from partners

Only data you’ve collected yourself, with clear and compliant consent, can be used.

Consent itself is also becoming more detailed. Instead of a single checkbox covering everything, organizations must now ask for specific, layered consents aligned with each purpose. When someone signs a petition, joins an event, or supports a campaign, they must be given clear options:

  • “Do you want to receive updates about this campaign?”
  • “Do you want to stay informed about the organization after the election?”

This clarity benefits both sides: citizens gain more control over their engagement, and organizations gain a reliable map of who wants what, and why.

Rebuilding Your Database

Because external data sources are no longer allowed, GDPR 900 forces organizations to rebuild their databases around their own practices, their own actions, and their own communities.

Your contact base will now come from:

  • your petitions
  • your volunteer sign-ups
  • your event and training attendees
  • your mobilization actions
  • your digital engagement

The silver lining?

With explicit multi-layer consent, the data you collect today is no longer restricted to the campaign it came from. If collected properly, you can keep contacts engaged long after the election cycle, creating long-term engagement and relationship building.

Seven Years of Retention (with proof)

One of the most concrete changes is the new retention period. Political data can now be kept for seven years, compared to the previous two or three.

Organizations simply must keep proof of consent for seven years.

It’s no longer enough to simply have someone in your database. You must be able to show:

  • when they consented
  • how they consented
  • for what purpose they consented

This means most systems need to evolve. CRMs, mobilization platforms, and in-house tools must store a complete history of consent, and be able to export that history in case of audit.
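A minimal sketch of such a consent history, added here as an illustration (it is not Qomon's code or any real CRM's API). The class, field names and sample values are assumptions, as are modelling a withdrawal as a `granted=False` event, treating consent older than seven years as unusable, and hash-chaining entries so an exported history is tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7 * 365)  # the article's seven years, approximated in days

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only consent history; every entry commits to the one before it."""
    def __init__(self):
        self.entries = []

    def record(self, contact_id, purpose, method, granted, when):
        body = {"contact_id": contact_id, "purpose": purpose, "method": method,
                "granted": granted,  # False = withdrawal (assumption of this sketch)
                "when": when.isoformat(),  # proof kept: when, how (method), purpose
                "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        # Detects edited, reordered or dropped entries (not truncation of the tail).
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

    def has_consent(self, contact_id, purpose, now):
        # Latest event per (contact, purpose) wins; past RETENTION it is unusable (assumption).
        allowed = False
        for e in self.entries:
            if (e["contact_id"], e["purpose"]) == (contact_id, purpose):
                allowed = e["granted"] and now - datetime.fromisoformat(e["when"]) <= RETENTION
        return allowed

    def export_proof(self, contact_id):
        return [e for e in self.entries if e["contact_id"] == contact_id]

def sample_ledger():
    # Constructed sample: one petition signer, two purposes, one withdrawal.
    led, t = ConsentLedger(), datetime(2025, 11, 1, tzinfo=timezone.utc)
    led.record("c-001", "campaign_updates", "petition_checkbox", True, t)
    led.record("c-001", "post_election_news", "petition_checkbox", True, t)
    led.record("c-001", "campaign_updates", "unsubscribe_link", False, t + timedelta(days=30))
    return led
```

Because consent is tracked per purpose, withdrawing from campaign updates leaves the post-election consent intact, and `export_proof` returns every event rather than only the current state.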

Transparency as a Non-Negotiable

Transparency sits at the heart of GDPR 900. Every action - not only ads - now requires a transparency disclosure. That includes:

  • websites
  • petitions
  • donation pages
  • email campaigns
  • mobilization forms

Organizations will need to state clearly who is organizing the action, how it is funded, and what data is collected.

At Qomon, this is why we’re working on a standardized transparency page module - something easily activated on any form or website, ensuring compliance without having to rebuild completely.

A Chance to Focus Strategy on Relationships

GDPR 900 encourages building direct, long-term relationships with supporters.

Organizations will need to:

  • increase and rely on their organic touchpoints
  • create more actions where people opt in
  • encourage relational organizing
  • empower supporters to use their network to recruit other supporters

Supporter-generated content, personal outreach, and community-led mobilization are vital.

A Technical Challenge for Organizations

For many parties, campaigns and organizations, GDPR 900 creates major technical issues.

Your technology stack must now be able to handle:

  • layered consent structures
  • consent proof exports
  • seven-year retention
  • transparency notes across all channels
  • reactivation flows
  • compliance reporting

If your system is:

  • built in-house → expect significant development work
  • built abroad → expect compliance gaps
  • generic → likely not flexible enough for political rules

This is a chance to opt for tools that automatically follow GDPR 900, such as Qomon - saving yourself time and stress.

Where TTPA Fits In

GDPR 900 works alongside the TTPA (Transparency and Targeting of Political Advertising Act).

While GDPR 900 governs data collection and retention, TTPA governs how political messages are distributed online.

Together, they form a complete framework to protect democratic communication:

  • GDPR 900 → consent, retention, proof
  • TTPA → advertising transparency, targeting limits

The Bigger Picture: Why GDPR 900 Was Created

At its core, GDPR 900 exists to:

  • protect democratic integrity
  • stop abusive use of personal data in politics
  • clarify previous grey zones around consent
  • limit secretive influence strategies
  • rebuild trust in digital communication

If used well, this regulation can strengthen communities, help build less fragile databases, and push organizations toward healthier data strategies.

