Privacy in Digital Marketing Tools in the UK

1. Privacy Risks in Digital Marketing Tools

Digital marketing systems typically involve:

(A) Behavioural Tracking

  • Cookies and tracking pixels
  • Cross-device tracking (mobile + desktop)
  • Web browsing history profiling

(B) Automated Profiling

  • AI-based customer segmentation
  • Predictive advertising (likelihood to buy, churn prediction)

(C) Third-Party Data Sharing

  • Data brokers and ad exchanges
  • Real-time bidding ecosystems

(D) Location and Device Tracking

  • Mobile advertising identifiers
  • Geolocation-based targeting

(E) Social Media Data Harvesting

  • Scraping or API-based collection
  • Engagement-based profiling

These practices raise concerns about consent validity, transparency, excessive profiling, and unlawful behavioural manipulation.

2. Legal Framework in the UK

Digital marketing tools must comply with:

  • UK GDPR Article 5: fairness, transparency, purpose limitation, data minimisation
  • Article 6: lawful basis (consent or legitimate interest)
  • Article 21: right to object to direct marketing
  • Article 22: restrictions on automated decision-making
  • PECR: strict rules on cookies and electronic marketing
  • Data Protection Act 2018

3. Key Case Law Relevant to Digital Marketing Privacy

Although UK courts have not ruled specifically on every modern ad-tech tool, several landmark cases define the legal boundaries.

1. Google LLC v Vidal-Hall (2015 EWCA Civ 311)

Principle:
Misuse of private information is a standalone tort, and compensation for distress is available even without financial loss.

Relevance to digital marketing:

  • Tracking users without proper consent (cookies, behavioural ads) can constitute misuse of private information.
  • Emotional harm from covert profiling is legally actionable.
  • Forms the foundation for UK privacy claims against online advertising systems.

2. Vidal-Hall v Google Inc (CJEU influence background)

Principle:
Data protection breaches can lead to non-material damages such as anxiety or distress.

Relevance:

  • Digital marketing profiling (e.g., sensitive ads based on health or financial status) can cause psychological harm.
  • Reinforces strict interpretation of consent and fairness in ad targeting.

3. Lloyd v Google LLC (2021 UKSC 50)

Principle:
Representative claims require proof of individual harm or loss, not just theoretical misuse.

Relevance to marketing tools:

  • Large-scale cookie tracking or ad-tech violations do not automatically result in compensation.
  • Individuals must show actual harm from profiling or tracking.
  • Limits class actions against advertising technology companies.

4. WM Morrison Supermarkets plc v Various Claimants (2020 UKSC 12)

Principle:
Employers are not automatically liable for rogue employee actions unless closely connected to their duties.

Relevance:

  • Marketing databases handled by employees or contractors may be compromised internally.
  • Liability depends on whether misuse occurred within authorised roles.
  • Important for CRM systems and internal marketing platforms.

5. R (Bridges) v South Wales Police (2020 EWCA Civ 1058)

Principle:
Automated facial recognition must be lawful, necessary, and proportionate.

Relevance to marketing:

  • Digital marketing increasingly uses facial analytics in retail advertising.
  • Biometric targeting in advertising environments (e.g., in-store cameras) must meet strict proportionality tests.
  • Sets limits on intrusive ad-tech surveillance.

6. S and Marper v United Kingdom (2008 ECHR)

Principle:
Retention of sensitive biometric data without justification violates Article 8 privacy rights.

Relevance:

  • Marketing tools that collect facial recognition or biometric engagement data must have strict justification.
  • Indefinite storage of biometric advertising data is unlawful.

7. Durant v Financial Services Authority (2003 EWCA Civ 1746)

Principle:
Not all information qualifies as personal data; it must have biographical significance.

Relevance to marketing:

  • Aggregated marketing analytics may not always be “personal data.”
  • Helps distinguish between anonymised advertising metrics and identifiable profiling data.

8. NT1 & NT2 v Google LLC (2018 EWHC 799)

Principle:
Balancing privacy rights with public interest; supports right to erasure in appropriate cases.

Relevance:

  • Users can request deletion of outdated marketing profiles.
  • Supports the “right to be forgotten” in advertising databases and CRM systems.
  • Limits long-term behavioural profiling.

4. Key Privacy Issues in Digital Marketing (from Case Law Principles)

(A) Consent Must Be Meaningful

From Vidal-Hall

  • Hidden tracking or pre-ticked consent boxes are not valid.
  • Users must actively agree to behavioural tracking.

(B) Behavioural Profiling Can Cause Legal Harm

From Vidal-Hall

  • Profiling users for sensitive categories (health, politics, finances) can cause distress and legal liability.

(C) Mass Data Misuse Requires Proof of Harm

From Lloyd v Google

  • Even widespread cookie misuse requires individual impact for compensation.

(D) Employer or Platform Liability is Limited

From WM Morrison

  • Internal misuse of marketing databases is not automatically the company’s fault unless closely connected to duties.

(E) Biometric Advertising Must Be Proportionate

From Bridges and S and Marper

  • Facial or emotion recognition in advertising must be necessary and proportionate.
  • Excessive surveillance in retail marketing environments is unlawful.

(F) Data Must Be Relevant and Not Excessively Stored

From Durant

  • Marketing tools must avoid retaining irrelevant or excessive personal data.
  • Long-term profiling without purpose violates data minimisation principles.

5. Practical Implications for UK Digital Marketing Tools

To comply with UK law, organisations using digital marketing technologies must ensure:

1. Strong Consent Mechanisms

  • Clear opt-in for cookies and tracking
  • No pre-ticked boxes or hidden consent

2. Transparency in Profiling

  • Explain how AI-based targeting works
  • Inform users about data sources and purposes

3. Data Minimisation

  • Collect only necessary behavioural data
  • Avoid excessive tracking across platforms

4. Strict Cookie Compliance (PECR)

  • Separate consent for non-essential cookies
  • Easy opt-out mechanisms

5. Limits on Automated Decision-Making

  • Provide human oversight for high-impact profiling
  • Allow users to challenge automated targeting

6. Secure Data Handling in Ad-Tech Ecosystems

  • Protect data shared with third-party advertisers
  • Monitor real-time bidding systems for leaks

Conclusion

Privacy in digital marketing tools in the UK is shaped by a strict combination of statutory regulation and case law that prioritises user consent, transparency, and control over behavioural data. Cases such as Google v Vidal-Hall, Lloyd v Google, and Bridges demonstrate that digital profiling, even when commercially valuable, must remain proportionate and legally justified.

UK courts consistently reinforce that users are not passive data sources—they are rights-holders whose behavioural and personal data cannot be exploited without clear legal justification, meaningful consent, and strong safeguards against misuse.
