EU and UK Data Protection and Privacy Rulings in October 2019

By: Wise Marketer Staff

Posted on October 10, 2019

Editor’s Note: The topics of consumer data protection and privacy were headline news in the US during 2018. During the 2019 calendar year, concerns have been suppressed, at least in terms of how and when to invest in conducting Data and Privacy health checks to ensure compliance with GDPR, if not future regulations that could be put into law.

In this article Richard Dutton, CLMP, FIDM reports on three important court rulings that reinforce the need for the marketing community to plan forward to better manage and protect the precious customer data collected.

For the entire community of professionals interested in Customer and Loyalty Marketing, this is “must have” information. Richard is one of the leading authorities on this topic in the UK and we encourage you to contact him for more information.

Data Protection and Privacy Rulings in EU and UK

By Richard Dutton, CLMP, FIDM

The first week in October 2019 witnessed three significant data protection and privacy related rulings by the courts in Europe and the UK.

On 1 October the European Court of Justice (ECJ) ruling upheld the Advocate General’s (AG) opinion in March of 2019 in relation to a case involving “Planet 49”. [The transcript of the court judgement can be found here:]

The ruling involves three distinct areas impacting management of consumer data by marketers and others:

  1. Cookie Consent and Bundling of Consent.
  2. Interplay of the ePrivacy Directive and the GDPR.
  3. Definition of the information required to be provided to a user for a “consent to cookies” to be valid.

While all three issues carry weight, the verdict on item #2 is especially poignant and merits attention from the business community. The Advocate General formed the opinion that it is irrelevant to the referred questions whether cookies constitute personal data. This is because the relevant provision of the ePrivacy Directive, Article 5(3), regulates the storage and access of “information”, not just personal data. The impact here is that the scope of the GDPR legislation in place does not limit the scope of the ePrivacy Directive.

This is significant because it puts organisations that rely on cookies on notice that they should keep in mind their responsibility for complying with the ePrivacy Directive in addition to the GDPR.

This has massive implications for loyalty marketers and the entire marketing services industry. The websites commonly deployed by marketers today will, with very few exceptions, be impacted by this court ruling.

The second momentous ruling of the week occurred in the UK Court of Appeal on 2 October. In a verdict which sent shudders around the world of Adtech, the court overturned the ruling of Mr Justice Warby in Google v Lloyd, effectively giving the green light for up to 4 million iPhone users to be represented in a class action for Google’s unlawful and clandestine tracking of their activity through the use of third-party cookies.

The third ruling was in the UK High Court on 4 October when the 500,000 British Airways (BA) customers affected by the 2018 data breach were granted a group litigation order for a mass legal action. This is in addition to the £183 million ($225 million) fine imposed by the UK regulator in July 2018 for the data breach.

With these rulings as evidence, the second half of 2019 is shaping up as proof that the courts and regulators are prepared to use the draconian sanctions available to them under the GDPR and national data protection regulation. In reality, these regulatory sanctions will be dwarfed by the class action settlements; and based on these rulings, it seems eminently clear the loyalty marketing industry will need a data and privacy health check if it is to avoid getting caught in the cross hairs of the regulators and an increasingly privacy-savvy consumer.

Richard Dutton, CLMP, FIDM is a member of the Board of Regents at the Loyalty Academy. Richard is our resident expert on all things related to GDPR, compliance, and privacy. He is the founder of UK-based Citizen Heart.