Legal Considerations for AI-Driven Marketing
AI-driven marketing automation: the legal risks are real – but they shouldn’t stop you
There’s a pattern emerging in conversations about AI and marketing automation. Teams are either racing ahead without thinking about the legal framework at all, or they’re letting the legal framework become a reason to slow everything down. We don’t think either approach is sensible.
The risks are real. But they’re also manageable – particularly if you start treating compliance as part of how you build, rather than a checklist you run afterwards. We recently spoke to Steve Kuncewicz, Solicitor, Partner & Head of Creative at Glaisyers and Nick Banbury, Director of Data and Insights at Plan.Net Group, for their thoughts on this complex topic. We tried to keep it short.
Start with the data, not the technology
Most legal exposure in AI-driven marketing doesn’t come from the AI itself. It comes from the data flowing into it. UK GDPR, the Data Protection Act 2018, and PECR have been in place for years, but the advent of large language models and automation pipelines has brought those obligations into sharper focus and sharper scrutiny.
Steve Kuncewicz, Partner and Head of Creative, Digital & Marketing at Glaisyers ETL, spoke to us about this:
“Doing the right thing with personal data is a legal and regulatory obligation that’s been in place for years. But lawyers — and marketers — may not always appreciate the data protection and privacy concerns around proactive marketing campaigns: how to mine databases, how to use automation, without falling foul of the law or breaching client and stakeholder trust.”
That applies to any business using customer data to power automated campaigns. Choosing the right lawful basis for processing matters. So does honouring opt-outs, keeping consent logs centralised, and making sure your cookie and tracking setup reflects your actual practice, not what your banner claimed three years ago.
One of the most common gaps we see is personalisation built on data that was collected for a different purpose, or that includes more personal information than the model actually needs. The principle of data minimisation isn’t just a compliance nicety. It also reduces your attack surface if something goes wrong.
Know what your vendors are doing with your data
When you’re running AI-driven marketing, whether that’s automated campaign reporting, AI-generated content, or intelligent audience segmentation, you’re almost certainly relying on third-party platforms and models. That creates its own obligations.
Nick Banbury, Director of Data and Insights at Plan.Net Group, works at the intersection of marketing technology and enterprise compliance.
“Our company has built an Agent Directory, effectively a “team” of 10 AI Agents, which helps the marketing teams we work with be more efficient and focus on strategy instead of crunching data. These cover all aspects of campaign planning.”
For them, two regulatory frameworks are non-negotiable: GDPR, and TISAX, a stringent information security standard across the automotive supply chain. “Everything we do must be compliant with both,” he says. The point being: sector-specific obligations can sit on top of general data protection law, and your vendor contracts need to reflect that.
At a minimum, you should have data processing agreements in place with any AI platform touching personal data, understand where that data is being processed (and whether international transfer mechanisms apply), and know whether your provider is using your data to train their models – and how to opt out if so.
Steve Kuncewicz’s advice here is direct: “We need to risk-assess and crawl over the terms of every platform we use. We have an AI Policy that identifies which platforms we’ve agreed can be used, along with what we can do with them. We strongly advise any client that wants to harness the potential of AI safely to do the same.”
Transparency and advertising regulation aren’t optional extras
Beyond data protection, marketing automation introduces questions under ASA/CAP rules and CMA guidance: substantiation of claims, native advertising disclosure, dark patterns in pricing, and — increasingly — the question of whether AI-generated content needs to be labelled as such.
Kuncewicz acknowledges that conventions around AI content disclosure are still forming, but his view is that transparency is both legally and commercially sensible: “Our ethical obligations around upholding public trust are a pretty good north star. More transparency is never going to be a bad thing – and it will ensure you’re on the right side of the CAP Code. The price of freedom to use AI for marketing is going to be eternal vigilance of changing regulation.”
There is also the IP question. AI-generated content creates real uncertainty around ownership and originality – both in terms of what you feed into a model and what comes out of it. If you’re producing marketing content for clients using generative AI, the expectation that content is original may create legal and reputational risk if that’s not clearly defined upfront. Kuncewicz said: “Using Gen AI causes real risks in that regard, and may see disputes between marketing teams and their clients where cost efficiency is outweighed by hard legal and reputational risk.”
A practical starting point
None of this requires you to pause your AI programme. What it requires is that you stop treating compliance as something that follows deployment rather than shaping it.
A few things are worth doing now, before they become urgent. Get an AI policy in place – as Kuncewicz puts it: “Get an AI policy. Now.”
It doesn’t need to be 40 pages. It needs to clarify which platforms are approved, what data can go into them, and who’s accountable. Audit what’s going into your prompts: PII finding its way into model calls is one of the most common and avoidable risks, so tokenise or redact before data reaches a model. Centralise your consent and suppression data so opt-outs flow consistently across channels (email, paid, CRM), because fragmentation here is both a compliance gap and a waste of media spend. Check your vendor contracts, and if you don’t have a DPA with your AI platform provider, or you’re unclear on sub-processor arrangements, get that fixed.
Finally, update your cookie and tracking setup: many businesses are running consent banners that no longer reflect how tags are actually firing, and it’s a straightforward audit with meaningful compliance and trust implications.
The governance will catch up with the technology
UK and EU approaches to AI governance are diverging, and the regulatory landscape will continue to evolve. Platform policies around ad targeting and AI-generated content are tightening. The businesses that will adapt most easily are the ones building governance in now, when the cost of doing so is low.
The goal is a compliance programme that makes AI-driven marketing sustainable: fast enough to be competitive and structured enough that it doesn’t create liability down the line.
The technology is moving quickly. The legal framework is catching up. Are you prepared?
With thanks to:
Steve Kuncewicz, Partner & Head of Creative, Digital & Marketing at Glaisyers ETL
Nick Banbury, Director of Data and Insights at Plan.Net Group