PARIS—Advertising executives love to talk up how they use mountains of data to target consumers. But gathering that data is about to become more of a headache, at least in Europe.

New European Union legislation that goes into effect next May will restrict how companies can collect and use personal information about web users in Europe, requiring that they obtain “unambiguous” consent from those users.

The move contrasts with the U.S., where lawmakers recently voted to overturn privacy rules that would have required telecom companies to get consumers’ permission before sharing their web-browsing and app usage with third parties.

Privacy activists say the European rules are aimed at helping individuals take back control of their personal information. But they could hit the advertising sector hard, striking ad-tech companies, ad-buying arms of big agencies and web publishers, industry experts say.

Once the new rules are in effect, European users browsing the internet will have to provide their consent every time they enter a new website to allow that site’s publisher to share their personal information with other companies, which may have to be named as part of the consent form.

Lobbyists say this could lead to more intrusive pop-ups upon entering websites.

“Anything that creates a higher bar to entry will affect both publishers and marketers,” said Simon Morrissey, head of data and privacy at the law firm Lewis Silkin LLP in London. “If you can’t get the consent that you need then you can’t obtain the data that you want or you can’t use the data for the purposes intended.”

A group representing the EU’s national data-protection regulators is still clarifying its guidance on exactly where it thinks the bar should stand for user consent.

The Dos and Don’ts of the New Rules

Consent must be ‘freely given, specific, informed and unambiguous’

Consent can’t be bundled with other written agreements

Consent must be active; can’t be gained through inactivity or pre-ticked boxes

Users can withdraw consent at any time and ask to have their data erased

Users can’t be asked for consent to gain access to a service, in most cases

In most cases, companies can no longer demand that users consent to the sharing of their personal information with third parties as a requirement for access to an online service, said Jan Philipp Albrecht, a member of European Parliament who participated in the drafting of the rules.

Mr. Albrecht also said that marketing practices like pre-ticked boxes and consent forms that can be long and complicated will run afoul of the rules.

The rules also say companies can’t collect data for one part of their business and use it for another. Finally, consent must be as easy to take away as it is to give. Citizens can also ask to have their data erased.

In Europe, companies that violate these rules could be fined as much as 4% of the firm’s annual world-wide revenue, or €20 million ($22.4 million), whichever is greater.

The new rules also apply to tech juggernauts like Alphabet Inc.’s Google and Facebook Inc., though they may be in a relatively stronger position because they have direct relationships with large numbers of consumers and the ability to mine their own data.

Most vulnerable are ad-tech firms that use data to target ads across the internet without any explicit consumer relationship, according to Townsend Feehan, chief executive of the European unit of the Interactive Advertising Bureau, an online advertising trade group. Data-warehouse firms that buy data that may have been collected for different purposes also would be affected.

“The ad-tech companies are in a particularly difficult position,” Ms. Feehan said. “They are going to be dependent on the publishers to get that consent for them.”

Lawyers and lobbyists say there could be court battles to determine how strictly the new rules should be interpreted by the regulator.

GroupM, the media-buying giant owned by WPP PLC, has formed a working group that includes lawyers, privacy experts, product leaders, information officers, data architects and compliance professionals to make sure that its agencies—and in particular its automated ad-buying businesses Xaxis and mPlatform—comply with the regulations.

Havas SA’s media agencies will include a data appendix in every contract in which they state who owns the data and how it was collected.

Ad-tech provider AppNexus is planning to invest in its European data-center infrastructure to ensure that data originating in Europe stays in Europe, said Julia Shullman, deputy general counsel of commercial and privacy at the company.

Acxiom, a marketing-services company that collects data like how many times consumers shopped online over the past year with a particular brand, their household income, and whether they are interested in golf or art, has increased its privacy budget by about 30% to comply with the new rules, according to its privacy officer in Europe, Sachiko Scheuing.

Ms. Scheuing has documented what data Acxiom holds on its customers, where it is held, whether it has permission to do so, whether it is stored safely, and how it can be extracted or deleted if requested.

“The key is really to show that you take accountability very seriously,” she said.

Write to Nick Kostov at Nick.Kostov@wsj.com