Cerulith Consent LDN · Operation Pulse Back · Nov 2026
Capstone Chain · Module 5 of 6

The Consent Trap

Growth has a plan. Legal has a job.

Wednesday 4 November 2026, 16:42. Slack DM from James Okafor lands: "Operation Pulse Back launching Monday. Legal said LIA is fine — just reminding existing customers. Can you sign the form?"

Attached: a one-paragraph "LIA" document (seven lines). A screenshot of the redesigned cookie banner with a prominent blue "Accept All" button and a small grey underlined "Manage preferences" link. A Braze campaign plan targeting 310,000 lapsed users.

Also in the thread: a slide deck titled "Voxly Partnership — Data-Append Boost" promising an 18% lift in re-engagement via enrichment from a health-lifestyle broker.

James has four months' tenure at Cerulith. He is great at his job. He does not know Recital 47 is a GDPR statement, not a PECR one. He thinks DUAA 2025 exempts "analytics cookies" broadly — it does not. Fran is on the CC. £2.1M of Q4 revenue depends on this campaign. Launch is Monday.

Learning Objectives
By the end of this module:
Incident 1 · Wed 4 Nov 2026 · 16:42 · Aisha's desk — Slack

The Slack DM

Slack DM arrival · afternoon
James Okafor · Slack DM to Aisha
Hey — Operation Pulse Back launching Monday 09:00. Brief attached. Legal cleared last quarter's campaign on Recital 47 LI — reading same as this one. LIA is signed. Can you approve by EOD? Fran on CC.

The attached LIA is seven lines long. It says:
  • Legitimate interest: re-engagement of lapsed existing customers.
  • Necessity: alternative methods not available.
  • Balancing: minimal intrusion, users can unsubscribe.

You know what's missing. Recital 47 lives under GDPR. PECR Regulation 22 lives alongside GDPR for electronic-channel consent. Both need answering before Monday.

LIA Three-Part Test · Wed 4 Nov · 17:30

Operation Pulse Back — LIA

Four rows. Pick the correct answer per row. The output shapes what the LIA can and cannot defend on Monday.

Decision 1 of 3 · Wed 4 Nov · 18:14

The Lawful Basis Question

You've called James. He's cheerful. You've explained the two-layer issue — GDPR basis + PECR consent — twice. He's still not quite seeing it.

Question: What lawful basis do you apply for the re-engagement email and SMS?

Consequence · +3 Defensibility

The Segmentation

Dr Aisha Khan · to James
Of the 310k, 94k match soft-opt-in — in-retention, prior opt-out on every message, new message is similar product. The other 216k need consent before electronic channels.
James Okafor
That's… a meaningful haircut.
Dr Aisha Khan
It's Monday's launch. Group 1 goes. Group 2 gets a consent journey — slower but runs through Q1 at higher conversion when it lands.

PECR Regulation 22 permits "soft opt-in" for email and SMS marketing where: (a) recipient's details obtained in the course of a sale or negotiations for a sale, (b) the marketing is for similar products, and (c) an opt-out was offered at collection and in each subsequent message.

Art 6(1)(f) legitimate interests plus Recital 47 gives the GDPR basis; PECR is the separate electronic-channel consent layer.

Under DUAA 2025, the PECR cap is now £17.5M / 4% turnover — aligned with GDPR. Non-compliance is materially more expensive than in 2024.

Legal Insight
Why This Was Defensible
  • Two layers matter: GDPR basis + PECR consent. Only the paired analysis is defensible.
  • TikTok £12.7M includes direct-marketing adjacent patterns.
  • Google CNIL €50M explicitly criticises opaque lawful-basis reasoning.
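The three soft-opt-in conditions above are a decision rule that can be applied record by record before a send list is released, which is the "pre-launch gate" this module ends up recommending. The following is an added example, not code from the module or from Cerulith: it encodes Regulation 22's (a), (b) and (c) as an audience classifier over constructed customer records. All field names (`source`, `product_lines`, `optout_offered_at_collection`, `marketing_consent`) and the sample data are assumptions; in particular, treating "similar product" as a shared product line is a simplification of a judgement that is contextual in practice.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple

# Assumed (constructed) data model; real CRM schemas will differ.


class Outcome(str, Enum):
    SOFT_OPT_IN = "soft_opt_in"            # Reg 22(3)(a)-(c) all met: may send
    CONSENTED = "consented"                # explicit email/SMS marketing consent on file
    CONSENT_REQUIRED = "consent_required"  # no PECR basis yet: route to a consent journey
    SUPPRESSED = "suppressed"              # recipient has refused: never send


@dataclass(frozen=True)
class Customer:
    customer_id: str
    source: str                         # how we got the details: "sale", "negotiation", "third_party", ...
    product_lines: FrozenSet[str]       # product lines the customer bought or negotiated with us
    optout_offered_at_collection: bool  # a simple means of refusing was offered when details were taken
    opted_out: bool                     # the customer has used that (or a later) opt-out
    marketing_consent: bool             # separate, explicit consent to electronic marketing


@dataclass(frozen=True)
class Campaign:
    channel: str            # soft opt-in only covers electronic mail: "email" or "sms"
    product_line: str       # what this campaign markets
    optout_in_message: bool  # every message must carry a simple opt-out


# Condition (a): details obtained in the course of a sale or negotiations for a sale.
SOFT_OPT_IN_SOURCES = {"sale", "negotiation"}


def classify(c: Customer, camp: Campaign) -> Tuple[Outcome, List[str]]:
    """Return the PECR outcome for one recipient plus the reasons behind it."""
    if camp.channel not in ("email", "sms"):
        raise ValueError("this gate only handles electronic mail (email/SMS)")
    if c.opted_out:
        return Outcome.SUPPRESSED, ["recipient has refused marketing"]
    if c.marketing_consent:
        return Outcome.CONSENTED, ["explicit marketing consent on file"]

    failures = []
    if c.source not in SOFT_OPT_IN_SOURCES:
        failures.append("(a) details not obtained in a sale or sale negotiation")
    if camp.product_line not in c.product_lines:
        failures.append("(b) campaign product is not similar to what the customer bought")
    if not (c.optout_offered_at_collection and camp.optout_in_message):
        failures.append("(c) opt-out not offered both at collection and in this message")
    if failures:
        return Outcome.CONSENT_REQUIRED, failures
    return Outcome.SOFT_OPT_IN, ["Reg 22(3)(a)-(c) satisfied"]


def segment(customers: List[Customer], camp: Campaign) -> Dict[Outcome, List[str]]:
    """Bucket an audience by outcome; only two buckets may be released to the send tool."""
    buckets: Dict[Outcome, List[str]] = {o: [] for o in Outcome}
    for c in customers:
        outcome, _ = classify(c, camp)
        buckets[outcome].append(c.customer_id)
    return buckets


def sendable_ids(buckets: Dict[Outcome, List[str]]) -> List[str]:
    """IDs that may go in Monday's send: soft opt-in plus explicitly consented."""
    return buckets[Outcome.SOFT_OPT_IN] + buckets[Outcome.CONSENTED]


# Constructed sample audience (not real data).
SAMPLE_CUSTOMERS = [
    Customer("u1", "sale", frozenset({"fitness_plus"}), True, False, False),
    Customer("u2", "negotiation", frozenset({"fitness_plus", "nutrition"}), True, False, False),
    Customer("u3", "sale", frozenset({"nutrition"}), True, False, False),       # fails (b)
    Customer("u4", "third_party", frozenset({"fitness_plus"}), False, False, False),  # fails (a),(c)
    Customer("u5", "sale", frozenset({"fitness_plus"}), True, True, False),     # opted out
    Customer("u6", "newsletter", frozenset(), False, False, True),              # consented
]
CAMPAIGN = Campaign(channel="email", product_line="fitness_plus", optout_in_message=True)

if __name__ == "__main__":
    buckets = segment(SAMPLE_CUSTOMERS, CAMPAIGN)
    for outcome, ids in buckets.items():
        print(f"{outcome.value:17s} {ids}")
    print("release to send tool:", sendable_ids(buckets))
```

The point of keeping the reasons alongside the outcome is evidential: the list of failed conditions per recipient is exactly what an LIA or a later information-notice response has to be able to show, and it is what the consent journey for the `consent_required` bucket needs in order to ask for the right thing.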
Consequence · +1 Defensibility

The Slow Version

Defensible — the LIA work adds evidence, but the same soft-opt-in segmentation is still required. Cost: 3-day analysis slip. Launch moves to Wednesday.

Legal Insight
Why This Is Mixed
  • Not wrong. Just slower than needed.
  • Same commercial outcome as choice-a with 3 days lost.
Consequence · −2 Defensibility

The Send

Recital 47 is a GDPR recital; it does NOT override PECR Regulation 22. PECR is the implementation of the ePrivacy Directive in UK law and sits alongside GDPR, not under it.

Sending to 310k where 216k are not within PECR soft-opt-in is a direct PECR breach, subject to DUAA's new £17.5M ceiling.

Legal Insight
Why This Was Indefensible
  • Recital-47-only reasoning is the textbook growth-marketing mistake.
  • ICO has prosecuted this pattern through PECR for over a decade.
Breather · Thu 5 Nov · 11:00 · Marketing stand-up

The Banner

A/B dashboard · banner conversion

You walk into the marketing stand-up. Lena has pulled the A/B test dashboard for the banner redesign.

Variant B (current proposal): Prominent blue "Accept All" primary button. Grey underlined "Manage preferences" secondary link. No Reject-All at layer 1. Pre-ticked sub-toggles behind the "Manage" drawer.

Conversion: Variant B up 34% on accept rate.

Lena Roy · Marketing Ops
Show me what legal has to be, I'll draft the A/B for the compliant version.
Dark-Pattern Audit · Thu 5 Nov · 12:40

Variant B — Mark Each Element

Seven elements. For each, mark "dark pattern" or "legitimate." ICO and EDPB references unlock as you go.

Decision 2 of 3 · Thu 5 Nov · 14:00

The Banner Brief

Lena has pulled up her design system. James is standing next to her. Fran is watching remotely. You have three options.

Question: What banner brief do you give Lena?

Consequence · +3 Defensibility

The Rebuild

Banner Variant A
Dr Aisha Khan · to Lena
Accept-All and Reject-All identical styling — same font, same colour, same weight, same layer. Manage as third equal option. No pre-ticked sub-toggles. Banner retires after a single rejection for 6 months. That's the brief.
Lena Roy
Got it. A/B against current state — I'll bring the 6-week data to the December review.
James Okafor
Conversion's going to drop.
Dr Aisha Khan
Conversion measured against the wrong baseline is a number we don't need.

ICO 2019 cookie guidance — updated in the 2023 "reject all" campaign — requires equal prominence at layer 1 and no pre-ticked non-essential boxes.

EDPB 03/2022 taxonomises deceptive patterns that invalidate consent. CJEU Planet49 — pre-ticked boxes are not valid consent. Settled law since 2019.

Legal Insight
Why This Was Defensible
  • Art 7 — freely given consent requires genuine choice. Friction asymmetry between accept and reject invalidates the consent.
  • DUAA 2025 low-risk analytics exemption is narrow and does NOT cover behavioural-ad cookies.
Consequence · +1 Defensibility

The Compromise

Better than Variant B. Not compliant. ICO guidance uses the word "equivalent" — visual hierarchy suggesting Accept is primary fails equivalence.

Likely to pass a cursory ICO inspection but fail a complaint-triggered review.

Legal Insight
Why This Is Mixed
  • Half-fix. Invites a targeted complaint.
  • ICO's "reject all" campaign specifically pushed on sites that offered "reject non-essential" as a secondary action.
Consequence · −2 Defensibility

The DUAA Read

DUAA 2025's low-risk analytics exemption covers limited audience-measurement cookies (first-party, statistical). It does NOT cover Pulse's actual cookie stack: behavioural-ad pixels (Meta, Google), third-party marketing tags, cross-site tracking.

Banner ships. First complaint arrives within 14 days. ICO information notice within 45 days.

Legal Insight
Why This Was Indefensible
  • Misreading a specific-named exemption as a broad licence.
  • The dark-pattern taxonomy in EDPB 03/2022 is the ICO's reference document.
Breather · Fri 6 Nov · 10:00 · Voxly Zoom

The Voxly Pitch

Zoom tiles · Voxly pitch
Matt Corrigan · Voxly AE
Our dataset is consented — we've got an SDK in 400+ fitness-tracker apps and their T&Cs cover partner enrichment.

Matt pitches: Voxly has self-declared fitness data on 42M UK consumers, collected via an SDK in 400+ fitness-tracker apps.

You ask where the consent sits. Matt says: "The app T&Cs authorise partner enrichment for health and wellness purposes. Standard across the industry."

You ask for a sample consent flow from one of the apps. Matt sends a pre-tick cookie-banner-tier consent page. The word "Voxly" does not appear. The word "partner enrichment" does, in paragraph 14.

You have seen this pattern before. It's the TikTok and Amazon fact pattern in a different skin.

Decision 3 of 3 · Fri 6 Nov · 15:20

The Enrichment Decision

£2.1M campaign revenue. 18% lift promised by Voxly. $180k contract. Cerulith's first use of a third-party data broker.

Three options. One closes the door cleanly. One tries to hold Voxly's hand while using the data. One pretends the problem isn't there.

Question: How do you handle the Voxly append?

Consequence · +3 Defensibility

The Refusal

Growth debrief · scrubbed whiteboard
Dr Aisha Khan · to James
Voxly's consent page doesn't mention Voxly. Enrichment without informed consent breaches Art 14. Amazon was €746M on this fact pattern.
James Okafor
Okay. Okay. What's the first-party play?
Dr Aisha Khan
Segment your existing base by engagement recency. Build a re-activation stream with value-add content — three-article series, lifestyle tips — before the commercial ask. 14-week cycle. Lower lift, compounding base.

Art 14 applies when data is obtained from a source other than the data subject. Relying on the third-party's consent is not a substitute for Cerulith's own transparency duties.

Amazon €746M is the controlling precedent for enrichment-based personalisation without clear lawful basis.

Legal Insight
Why This Was Defensible
  • Art 14 source-notification duties cannot be outsourced.
  • Refusing the append short-term protects a decade-long first-party data advantage.
Consequence · +1 Defensibility

The Notification Path

Legally tenable — Art 14 notification within the month is the correct path if the append proceeds.

Commercial cost: the required notice (specifying Voxly as the source, data categories, purposes, rights, retention) is substantial. Opt-out uptake is expected at 15–25% in health-adjacent contexts. Campaign lift from enrichment likely halves.

Legal Insight
Why This Is Mixed
  • Compliant. Costly. Often not commercially worth it — the correct answer is frequently choice-a.
  • The notification itself generates regulatory goodwill.
Consequence · −2 Defensibility

The Silent Append

Art 14 is non-delegable. Voxly's consent warranty does not discharge Cerulith's duty.

Amazon €746M fact pattern. TikTok £12.7M transparency-breach pattern.

Legal Insight
Why This Was Indefensible
  • Non-delegable duties cannot be outsourced.
  • This decision becomes the third major transfer-and-transparency exhibit in Module 6.
The Q4 That Shipped

Soft opt-in segmentation. Compliant banner. Voxly declined.

Affected · Data subjects
94k users receive an on-brand re-engagement email on Monday 9 November. 216k users see no untargeted contact; they receive a value-first content journey over November–December. The cookie banner redesigns Dec 1; early data shows 22% reject rate, 61% accept, 17% customise.
Company · Cerulith
Q4 revenue hits 82% of the original target (£1.72M). James writes a post-mortem arguing the first-party-only approach will outperform the enrichment-based baseline within 14 weeks. Voxly contract declined cleanly.
Career · Aisha
Aisha's PECR + dark-pattern primer (two pages, written after this week) becomes the growth team's onboarding doc. James asks her to lead a workshop for the new hires in Q1.
Next 50 incidents
The soft-opt-in / consent segmentation becomes the standard pre-launch gate for every campaign. Growth learns to ask "what basis" before "what segment."
System · Industry
Cerulith's banner passes the ICO's "reject all" 2027 sweep without remediation.
The Q4 That Landed

Partial mitigations. Desk-review flag. Banner rebuilt Feb 2027.

Affected · Data subjects
Campaign runs with partial mitigations. 188 user complaints about aggressive re-engagement emails in first fortnight. Banner compromise fails one ICO desk-review spot-check in Feb 2027 but is remediated before escalation.
Company · Cerulith
Revenue hits 88% of target. One user group files a collective complaint; ICO response: informal guidance letter, no MPN.
Career · Aisha
Aisha's positioning is sound but the compromise is her regret.
Next 50 incidents
Banner rebuilt Feb 2027. Campaign playbook tightens.
System · Industry
Mixed posture becomes an internal lesson.
The Q4 That Became An Exhibit

PECR MPN. Voxly unwind. Three M6 exhibits.

Affected · Data subjects
Campaign runs to 310k with no PECR segmentation. ICO complaints: 2,400 in 28 days. Banner non-compliance and the Voxly silent append trigger a formal PECR investigation separate from the main Cerulith DP inquiry. Three users complain that their enriched "fitness data" was medically sensitive and that Cerulith was unknown to them.
Company · Cerulith
PECR MPN proposed at £1.8M (DUAA ceiling applies). Voxly contract unwound at a £92k loss. Campaign ROI negative overall.
Career · Aisha
Aisha's memo opposing the ship-as-is is part of the Cerulith defence in M6.
Next 50 incidents
Growth team's entire 2027 campaign calendar is re-papered under external advice.
System · Industry
This decision feeds three separate exhibits in M6: (1) Art 5/7 consent integrity, (2) Art 14 source transparency, (3) PECR non-compliance.
Debrief

What M5 Teaches

Key Points
Five things to keep

Next module: Two months from now, on the morning of 19 January 2027, Helena Brandt will step out of a black cab at Cerulith's Bishopsgate entrance with a bound evidence binder. Everything you've done this year will be in that binder.

Knowledge Check

5 Questions

Five questions on Art 6/7/14, Recital 47, PECR Reg 22/Reg 6, EDPB dark patterns, DUAA PECR reforms.

Module 5 Complete

Module 6 unlocked: The Room.