What Are the Risks of Geo-Targeted or Behavioural Advertising?
The Personalised Marketing Tactic That Could Quietly Breach Privacy Laws
• 29 Sep 25
“If you’re tracking people to sell to them, you’re in the legal zone. And that zone has rules.” - Matthew Glynn
Introduction
Geo-targeted and behavioural advertising may be the holy grail of digital marketing - but if you’re not handling the data properly, you could be walking straight into a privacy law breach. If your startup is using location data, cookies, or user behaviour to personalise ads, you may already be subject to strict legal obligations.
This issue may not apply to every startup - but if it does, and you’ve missed it, the consequences can be significant. These forms of advertising rely on personal data, and that means privacy laws apply. The rules are evolving fast, vary by jurisdiction, and are increasingly enforced - especially in markets like Singapore and the UK.
In this blog, we’re going to flag up some key considerations to help you better prepare to tackle this issue - because prevention is always better than the cure.
Legal issues are important but easily overlooked, especially when founders are focused on the big launch or are otherwise caught up in the issue of the day - and in a startup, there’s always an “issue of the day”.
Optional Inclusion: What Is Geo-Targeted and Behavioural Advertising?
Geo-targeted advertising uses a user’s location data to deliver ads relevant to their physical location - such as city, neighbourhood, or even real-time proximity to a store.
Behavioural advertising uses data about a user’s online activity - such as browsing history, app usage, or purchase behaviour - to serve personalised ads.
Both rely on tracking technologies like cookies, device IDs, and GPS data. And both are considered personal data processing under most privacy laws.
Why This Topic Is Important
This can be an important issue for start-ups because:
◼️Legal Requirement: Most jurisdictions treat location and behavioural data as personal data - requiring consent and transparency.
◼️Privacy Sensitivity: Consumers are increasingly aware of - and resistant to - being tracked.
◼️Platform Enforcement: Ad platforms enforce strict policies on data use and targeting.
◼️Cross-Border Complexity: Rules vary across jurisdictions - e.g., Singapore’s PDPA vs. the UK’s GDPR.
◼️Automation Risk: Ad tech tools can scale non-compliance quickly and invisibly.
◼️Reputational Exposure: Misuse of tracking data can lead to public backlash.
◼️Investor Scrutiny: Data governance is a key due diligence area.
◼️Regulatory Action: Authorities are actively investigating unlawful tracking practices.
◼️Team Confusion: Marketing teams may not understand what data counts as “personal”.
◼️Consumer Trust: Transparent data use builds trust - opaque practices destroy it.
Q: Do startups need consent to use location data for advertising?
A: Yes - in most jurisdictions, location data is considered personal data and requires explicit, informed consent before use.
Consequences of Not Addressing This Issue
The consequences of not attending to this issue may include the following:
Legal Implications
◼️Privacy Law Breach: Using location or behavioural data without consent may violate laws like Singapore’s PDPA or the UK’s GDPR.
◼️Regulatory Fines: Non-compliance can result in substantial penalties - especially for repeat or large-scale violations.
◼️Enforcement Action: Authorities may order data deletion, suspend services, or issue public warnings.
Commercial Implications
◼️Loss of Customers: Consumers may abandon brands that track them without permission.
◼️Partner Fallout: Ad platforms or data providers may cut ties over compliance concerns.
◼️Marketing Restrictions: You may be banned from using key targeting features or platforms.
Operational Implications
◼️Campaign Disruption: Non-compliant ads may be pulled mid-flight.
◼️Resource Drain: Legal remediation and PR recovery can consume time and budget.
◼️Team Paralysis: Uncertainty around tracking rules can stall marketing innovation.
Biz Valuation Issues
◼️Due Diligence Failures: Investors may flag data misuse as a compliance risk.
◼️Exit Risk: Acquirers may walk away from deals involving privacy exposure.
◼️Brand Devaluation: Public backlash over tracking practices can permanently damage brand equity.
The above lists are indicative issues - the relevance of which will depend on your circumstances including the nature of business undertaken by your start-up.
What You Need to Be Doing
We have identified quite a number of potential issues that the start-up needs to consider and below are some examples of the types of steps you might want to consider taking to address these issues considered above.
1. Map Your Data Collection
Identify what location and behavioural data you collect, how it’s stored, and how it’s used.
Include cookies, GPS, device IDs, and third-party trackers.
2. Obtain Explicit Consent
Use clear opt-in mechanisms for tracking - especially for location and behavioural data.
Avoid pre-ticked boxes or bundled consent.
3. Review Your Privacy Policy
Ensure your privacy policy clearly explains what data is collected, why, and how it’s used for advertising.
Make it accessible, transparent, and regularly updated.
4. Implement Opt-Out Mechanisms
Allow users to opt out of tracking and personalised ads.
Ensure opt-outs are honoured across all platforms and devices.
5. Audit Your Ad Tech Stack
Review your use of ad platforms, analytics tools, and data providers.
Ensure they support compliance features like consent tracking and data minimisation.
6. Avoid Tracking Children
Do not use behavioural or location tracking for users under the age threshold (e.g., under 13 in Singapore, under 16 in the UK).
Use age gates and disable tracking features for minors.
7. Train Your Marketing Team
Educate your team on what counts as personal data and how to handle it legally.
Provide internal guidelines and approval workflows.
The above suggestions are just a few of the steps you can consider taking. There are many more things that need to be done to ensure the associated risks are effectively and pragmatically dealt with.
Q: Can startups use cookies for ad targeting without consent?
A: No - most jurisdictions require explicit consent before placing tracking cookies for advertising purposes.
How These Risks Can Play Out
Case Study 1: The Cookie Consent Failure
A startup in Singapore used behavioural tracking cookies without proper consent. The PDPA regulator investigated and issued a fine. The startup had to rebuild its entire consent framework - delaying its next product launch.
Case Study 2: The GDPR Geo-Targeting Breach
A UK-based startup used location data to serve ads without informing users. The ICO ruled the practice unlawful and ordered the deletion of all location data - disrupting their ad strategy and costing them thousands in lost revenue.
Case Study 3: The Platform Ban
A startup used aggressive behavioural targeting on Meta without proper disclosures. The platform flagged the account, suspended ad access, and the startup lost its primary acquisition channel for six weeks.
Frequently Asked Questions
Q: Is location data considered personal data?
A: Yes - in most jurisdictions, location data is treated as personal data and requires consent before use.
Q: Can I use behavioural data collected by third-party tools?
A: Only if the data was collected legally and you have the right to use it - always check the provider’s compliance status.
Q: Do I need a cookie banner for my website?
A: Yes - if you use cookies for tracking or advertising, a consent banner is required in most jurisdictions.
Q: Can I personalise ads without tracking users?
A: Yes - contextual advertising is an alternative that doesn’t rely on personal data.
Understanding the Legal Terminology
Geo-Targeting: Delivering ads based on a user’s physical location.
Behavioural Advertising: Personalising ads based on user activity and preferences.
Consent Mechanism: A process for obtaining user permission for data collection.
Cookie Banner: A website feature that informs users about tracking and requests consent.
PDPA (Singapore): Personal Data Protection Act - governs use of personal data.
GDPR (UK): General Data Protection Regulation - includes strict rules on tracking and profiling.
Ad Tech Stack: The collection of tools and platforms used to deliver and optimise digital ads.
How GLS Can Help You
By building your legal team capability on the GLS platform, you will be capable of:
◼️Rapidly assessing your geo-targeting and behavioural advertising compliance risks
◼️Accessing pre-built consent templates and privacy policy language
◼️Getting expert reviews of your ad tech stack and campaign strategy
◼️Training your team on privacy law and platform policies
◼️Avoiding costly legal missteps before they happen
Final Thoughts
Geo-targeted and behavioural advertising can supercharge your marketing - but only if it’s done legally. The rules are strict, the risks are real, and the consequences can be costly. With the right legal infrastructure in place, your startup can personalise confidently, compliantly, and effectively.
Observations and Tips
- Map Tracking Activities Early: Identify all location, cookie, device, and behavioural data being collected.
- Obtain Explicit Consent: Use clear opt-in mechanisms before enabling tracking or personalised advertising.
- Avoid Bundled Consent Models: Do not combine advertising consent with unrelated terms or services.
- Review Privacy Disclosures: Clearly explain how tracking data is collected, used, and shared.
- Implement Opt-Out Mechanisms: Allow users to disable tracking and personalised advertising easily.
- Audit Ad Tech Tools: Review analytics, cookies, and ad platforms for compliance capabilities.
- Limit Data Collection: Collect only data necessary for defined advertising and targeting purposes.
- Protect Children’s Data: Avoid behavioural or location tracking involving minors without required safeguards.
- Manage Cross-Border Transfers: Ensure international data transfers comply with applicable privacy laws.
- Train Marketing Teams: Educate teams on consent, profiling, and lawful data usage requirements.
- Monitor Platform Policies: Ad platforms may impose additional restrictions on targeting practices.
- Avoid Opaque Tracking Practices: Hidden or excessive profiling increases risks of complaints and enforcement.
- Prevent Reactive Privacy Fixes: Late-stage compliance corrections can disrupt campaigns and damage brand trust.
Startup Legal Support Centre
Build your own legal department with our online platform of startup-focused legal tools.
Startup Legal Guide Map
Explore the Guide Map to grow your business while staying on top of legal essentials.
Legal On Call™ (Free Trial)
Sign up for GLS Legal On Call™ and get expert answers to your startup legal needs.
Pro Bono Startup Legal Clinic
Get free expert legal advice at the GLS Pro Bono Clinic and power your business forward.
