The Regulation (EU) 2024/900 (March 13th, 2024) on the transparency and targeting of political advertising (TTPA).
What’s the point?
- Ensure transparency: enable citizens to know when they are seeing political content - who paid for it, why they are seeing it, and how their personal data is used. Source: European Commission+1
- Strictly regulate political targeting: curb the use of personal data for political ads. Source: techlaw.ie+1
- Prevent foreign interference and information manipulation: only EU-eligible voters or EU-based entities may sponsor political ads in the three months leading up to an election or referendum. Source: Osborne Clarke+2Consilium+2
The TTPA went into effect in April 2024, but it truly started to take effect in October 2025. Source: Doctrine - 2European Commission+2
Key Definitions
Political advertising under TTPA refers to any message prepared, placed, promoted or disseminated in exchange for remuneration or benefit, on behalf - or for - a political actor, and designed to influence the outcome of an election, referendum, vote or a legislative/regulatory process. Source: Eur-Lex+2techlaw.ie+2
Not every political statement is “political advertising”: for instance, an individual expressing a political opinion on their own (without remuneration) does not fall under TTPA. Source: techlaw.ie+1
What changes for campaigns, parties, and candidates?
More transparency & documentation
- Any paid political advertisement (online or offline) must be clearly labelled as such. The label and a “transparency notice” must disclose who funded it, the sponsor, the targeted election or referendum, and, if targeting or ad-delivery techniques were used, the criteria or audience targeted. Source: European Commission+2techlaw.ie+2
- Ad-service providers (agencies, platforms, pubs) must keep detailed records of advertisements and services: who ordered the ad, what services were provided, payments or benefits exchanged, origin of funding, etc. This must be retained for seven years. Source: techlaw.ie+1
Tighter rules for targeting and micro-targeting
- Targeting or ad-delivery based on sensitive personal data (e.g. political opinions, religion, health, ethnicity) is prohibited. Source: Eur-Lex+2Wikipedia+2
- Targeting is only allowed when personal data was collected directly from the person and with explicit, separate consent for political advertising. Source: Eur-Lex+1
- Ads cannot be targeted to minors or individuals within one year of eligibility to vote under national rules. Source: Eur-Lex+1
Restrictions to fight foreign interference
- In the three months preceding an election or referendum, political ad services may only be provided to sponsors who are EU citizens, third-country nationals permanently residing in the EU and eligible to vote, or legal persons established in the EU, not controlled by non-EU entities. Source: Osborne Clarke+2Consilium+2
What remains outside TTPA?
- Spontaneous political expressions by individuals without remuneration (e.g. an influencer commenting politically on their own feed) are not considered political ads under TTPA. Source: techlaw.ie+1
- Editorial content (news, opinion pieces) remains under media regulation. Only paid/promotion-based content is regulated.
Still recommended (even if not mandatory):
Even if the law doesn’t always force “transparency labels” for purely organic communications, it’s good practice for political actors to add something like:
“Funded by Movement X - Not supported by any party or candidate.”
This helps maintain trust and clarity.
Implications & What to Watch Out For
- The bar for compliance is high: strict consent requirements, data-collection rules, heavy documentation. Campaigns must carefully track all data sources and fundings.
- Micro-targeting - as we knew it (ads based on inferred political beliefs, fine-tuned segments) - is essentially out. You’ll need to rely on broader segmentation (age, region, general interests) and explicit consent for your members.
- Agencies and ad-tech providers as well as sponsors share responsibility - it’s no longer possible to outsource vaguely without oversight.
- National “data protection authorities” (the “local authorities” in your country) will enforce compliance.
________________
Watch the replay of our full GDPR 900 breakdown on Youtube Live
