Ethics and Law - Lesson 1 of 6

Privacy and Personal Data

Every time you go online you leave a trail. Companies collect it, analyse it, and make decisions about you from it. This lesson covers what that data is, how it is gathered, and what the law says about who can use it and why.

45 - 60 min Digital footprints, cookies, GDPR, Cambridge Analytica

You search online for a new pair of trainers. You don't buy them. Over the next two weeks, the same trainers appear in adverts on Instagram, YouTube, a news website and a weather app. You never signed up to any of those services. How do they all know?

Think about it: You didn't give those advertising platforms your details. So where did the information come from? And who decided it was acceptable to use it this way?
The answer involves tracking technologies, data brokers, third-party cookies and the legal framework that governs it all. Understanding this topic is not just useful for the exam - it explains something that affects you every day.
Why this matters in the exam

Privacy and data questions often use scenario contexts. You need to identify what type of data is involved, how it was collected (active vs passive footprint), and which GDPR principle may have been violated. These are the three layers examiners test most frequently.

Digital footprints

A digital footprint is the trail of data you leave whenever you use digital technology. Every search, every click, every post and every purchase adds to it. There are two types:

Active footprint
Deliberately shared by you
Created when you intentionally share information online: posting on social media, filling in a registration form, writing a review, sending an email, uploading a photo. You chose to put this information out there.
Exam tip: The key word is "deliberate" or "intentional." If a question describes a user typing information in, that is an active footprint.
Passive footprint
Collected without you realising
Created when data is collected without your active participation: your IP address is logged, your location is recorded by an app, cookies track which pages you visit, a website notes what device you're using. You didn't do anything - it just happened.
Exam tip: The key phrase is "without the user's knowledge" or "automatically." Location data collected by apps is a classic passive footprint example.
Personal data
Any information that can identify a living person, directly or indirectly. Includes name, email, IP address, health records and biometric data.
Data broker
A company that collects personal data from many sources and sells it to other organisations, often without individuals knowing.
Profiling
Using personal data to make inferences about a person's preferences, behaviour or likely future actions.

Cookies and tracking technologies

A cookie is a small text file stored on your device by a website. Cookies were invented to solve a genuine problem: HTTP is stateless, meaning each page request has no memory of previous ones. Cookies give websites a way to "remember" you.

But cookies can also be used for tracking, and this is where ethical concerns arise.

Session cookie
Deleted when you close the browser
Exists only for the duration of a single browsing session. Used for shopping baskets, login sessions and form progress. When you close the browser, the cookie is deleted and the data is gone.
Exam tip: Session cookies are considered lower privacy risk because they don't persist. If a question asks about keeping a shopping basket working, session cookies are the answer.
Persistent cookie
Stored until expiry date
Stored on your device until a set expiry date, which can be years away. Used to remember login preferences, language settings, and to track you across multiple visits to the same site.
Exam tip: Persistent cookies can track behaviour over long periods. They create a richer profile of user activity than session cookies.
Third-party cookie
Placed by a different domain
Placed by a domain other than the site you are visiting. An advertising network can place a cookie on a news website, then read that same cookie on a shopping site, a weather app and a social media platform - tracking you across the entire web without you ever directly visiting the advertiser's site.
Exam tip: Third-party cookies are the mechanism behind cross-site advertising and the "trainers following you around the web" effect. These are the most privacy-invasive type.
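
As an added example (not part of the original lesson), the following JavaScript sorts Set-Cookie response headers by lifetime and by who set them; the hosts, cookie values and the two-label `site` shortcut are constructed assumptions. It also shows that a third-party cookie is still either a session or a persistent cookie.

```javascript
// Added example (not from the lesson): classify Set-Cookie headers by lifetime and party.
// Assumption: a "site" is the last two host labels. Real browsers use the Public
// Suffix List, so this shortcut would misjudge hosts such as shop.example.co.uk.
function site(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const part of rest.filter(Boolean)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? '' : part.slice(eq + 1).trim();
  }
  return { name: pair.split('=')[0].trim(), attrs };
}

// pageHost: host shown in the address bar. responseHost: host that sent the header.
function classifyCookie(pageHost, responseHost, header) {
  const { name, attrs } = parseSetCookie(header);
  // The cookie belongs to its Domain attribute if given, otherwise to the sender.
  const owner = attrs.domain || responseHost;
  // Without Expires or Max-Age the browser drops the cookie when the session ends.
  const lifetime = (('expires' in attrs) || ('max-age' in attrs)) ? 'persistent' : 'session';
  const party = site(owner) === site(pageHost) ? 'first-party' : 'third-party';
  return { name, lifetime, party };
}

// Constructed sample: headers received while loading one page on www.news.example.
const PAGE_HOST = 'www.news.example';
const OBSERVED = [
  ['www.news.example', 'basket=abc123; Path=/; HttpOnly'],
  ['www.news.example', 'lang=en-GB; Max-Age=31536000; Path=/'],
  ['cdn.adnetwork.example',
    'uid=7f3a; Domain=adnetwork.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure'],
];

function classifyAll() {
  return OBSERVED.map(([host, header]) => classifyCookie(PAGE_HOST, host, header));
}

for (const c of classifyAll()) console.log(`${c.name}: ${c.lifetime}, ${c.party}`);
```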

GDPR - key principles and rights

The General Data Protection Regulation (GDPR), implemented into UK law by the Data Protection Act 2018, sets out how organisations must handle personal data. There are six core principles:

1. Lawful, fair and transparent
Must have a legal basis for processing
Data must be processed lawfully. There must be a valid legal basis: consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests. The data subject must be informed about what is happening to their data.
2. Purpose limitation
Only used for stated purpose
Data collected for one purpose cannot be reused for a different purpose without informing the individual and getting fresh consent. If a company collects your email address for order confirmations, it cannot then sell that address to advertisers.
3. Data minimisation
Collect only what you need
Only data that is adequate, relevant and limited to what is necessary should be collected. A recipe website asking for your date of birth, salary and home address would violate data minimisation.
4. Accuracy
Data must be kept up to date
Personal data must be accurate and kept up to date. Inaccurate data must be erased or corrected without delay. Individuals have the right to correct inaccurate records held about them.
5. Storage limitation
Don't keep data longer than needed
Data should not be kept for longer than necessary. Once the purpose for which data was collected has been fulfilled, it should be deleted. This is linked to the "right to erasure" (the right to be forgotten).
6. Integrity and confidentiality
Keep data secure
Data must be processed securely: protected against unauthorised access, accidental loss or destruction. Organisations must implement appropriate technical measures (encryption, access controls, secure storage).

Under GDPR, individuals have the right to access their data (Subject Access Request), the right to erasure ("right to be forgotten"), the right to portability, and the right to object to processing.

Case studies - real and fictional

Real case: Cambridge Analytica (2018) - 87 million Facebook profiles

Cambridge Analytica harvested the personal data of approximately 87 million Facebook users without their explicit consent. A researcher created a personality quiz app that was permitted to collect data about users who installed it. Crucially, it also collected data about all of those users' friends - people who had never used the app and had not given consent.

This data was then used to build detailed psychological profiles of voters, which were sold to political campaigns. Cambridge Analytica reportedly used these profiles to target voters with personalised political advertising in the 2016 US Presidential election and the Brexit referendum.

Facebook was fined $5 billion by the US Federal Trade Commission. Cambridge Analytica itself went into administration in 2018. The case triggered widespread debate about data ownership, consent and the power of social media companies.

Real case: Target's Pregnancy Prediction Algorithm

In 2012, the US retailer Target used purchasing data to build a predictive model that could identify whether a customer was pregnant - and predict their due date - from their shopping habits alone. The model looked for patterns like buying unscented lotion, vitamin supplements, cotton wool and certain foods in unusual combinations.

Target then sent personalised maternity advertising to customers the algorithm identified as pregnant. In one widely reported case, a father received baby product coupons addressed to his teenage daughter and complained to the store - only to later discover she was indeed pregnant. Target had known before he did.

No personal data was shared externally, and no law was broken. But the case raised profound questions about the ethical limits of data analytics, informed consent and whether companies should be able to make sensitive inferences from seemingly innocuous data.

Real case: Meta's record GDPR fine - €1.2 billion (2023)

In May 2023, Ireland's Data Protection Commission fined Meta (the parent company of Facebook, Instagram and WhatsApp) €1.2 billion - the largest GDPR fine ever issued. The case centred on Meta's practice of transferring the personal data of European Union users to servers in the United States, where EU data protection standards do not apply by default.

The European Court of Justice had previously struck down the Privacy Shield agreement, which had allowed transatlantic data transfers. Meta continued transferring data using an alternative mechanism called Standard Contractual Clauses, but the DPC found this was insufficient to protect EU users' rights given the extent of US government surveillance powers. Meta was ordered to stop these transfers within five months and to delete or return the data it had already sent.

Meta appealed against parts of the ruling and argued that a new data transfer agreement - the EU-US Data Privacy Framework - rendered the order unnecessary. The case highlighted the ongoing tension between global platform architectures and regional data protection regimes, and raised fundamental questions about whether a single company's infrastructure can simultaneously comply with the laws of every country it operates in.

Scenario: ShopEasy Loyalty Cards - fictional exam scenario

ShopEasy is a fictional UK supermarket chain that offers loyalty cards to customers. When customers sign up, they provide their name, age, email address and home postcode. Every purchase is linked to their card and stored in ShopEasy's database.

ShopEasy sells anonymised purchasing data to a health insurance company, which uses it to identify customers who buy large amounts of alcohol, cigarettes and processed food. The insurance company uses this data when calculating premiums. ShopEasy's terms and conditions stated that data "may be shared with trusted partners for commercial purposes" - but customers did not realise this included insurance companies.

Think deeper

GDPR requires "freely given, specific, informed and unambiguous" consent. Most cookie consent banners are designed to make accepting all cookies the easiest option. Does this constitute genuine consent under GDPR?

Arguably not. Research (including from the UK Information Commissioner's Office) suggests that "dark patterns" - making the "accept all" button prominent and the "reject" option hidden behind multiple clicks - do not meet the standard of freely given consent. The Article 29 Working Party guidelines state that consent must be "as easy to withdraw as to give," which many banner designs fail to satisfy. In 2022, the French data regulator (CNIL) fined Google 150 million euros and Facebook 60 million euros specifically because their cookie interfaces made declining cookies unnecessarily difficult.
Lesson 1 Quick Quiz
Question 1
A user searches for flights, and later sees flight adverts on a news website and a social media platform. Which type of cookie most likely caused this?
Question 2
A customer fills in a registration form on a shopping website. This creates which type of digital footprint?
Question 3
Under GDPR, a company collects customers' email addresses to process orders. They then sell these addresses to a marketing firm. Which GDPR principle is most clearly violated?
Question 4
Which of the following best describes a passive digital footprint?
Question 5
Under GDPR, an individual has the right to request that an organisation deletes all personal data held about them. What is this right called?

Lesson 1 Worksheets

Three differentiated worksheets - recall, application and exam technique.

Recall
Digital Footprints and Cookies
Define key terms, distinguish active from passive footprints, and label cookie types. Fill-in and short answer format.
Application
GDPR Principles in Context
Read four data-handling scenarios and identify which GDPR principle each one violates and why.
Exam technique
Cambridge Analytica Case Study
Structured questions building from 1 mark to 6 marks using the Cambridge Analytica scenario. Mark scheme included.
Flashcard deck
Privacy and data key terms from all 6 lessons
Starter activity
Show students their browser's cookie list (Settings > Privacy > Cookies). Ask: how many cookies are there? Which sites do you recognise? Discuss: did they consent to all of these?
Lesson objectives
1. Distinguish between active and passive digital footprints with examples.
2. Explain what cookies are and identify the three main types.
3. State and apply the six GDPR principles to real scenarios.
4. Analyse the Cambridge Analytica case using correct GDPR terminology.
Key vocabulary
Digital footprint
Data trail left by online activity. Active = deliberate; passive = automatic.
Third-party cookie
Cookie placed by a domain other than the visited site; enables cross-site tracking.
GDPR
UK/EU data protection law: 6 principles, 8 rights, lawful basis for processing.
Purpose limitation
Data collected for one reason cannot be repurposed without fresh consent.
Discussion questions
Should social media companies be allowed to sell user data to political campaigns? What safeguards should exist?
Is it possible to give truly "informed" consent to cookie banners? Why or why not?
Target could predict pregnancy from shopping data without anyone telling them. Is knowing something unethical even if it is technically legal?
Exit tickets
Name one GDPR principle and describe a scenario in which it would be violated. [2 marks]
Explain the difference between a session cookie and a third-party cookie. [2 marks]
"Companies should be allowed to use customer data in any way they wish, as long as it is mentioned in the terms and conditions." Evaluate this statement. [6 marks]
Homework suggestion
Ask students to submit a Subject Access Request to one company (Google, Amazon, Spotify all have easy portals). In the next lesson, compare what data was held: how many items, what categories, how far back it goes.