
Data protection in marketing

The entry into force of the GDPR also affects the marketing sector. Marketing lives on data and is becoming more and more personalized, so more and more personal data is processed. Marketing is also shifting increasingly online; think of measures such as email marketing, the evaluation of website data via Google Analytics, the use of the Facebook Pixel or retargeting. In addition, there are new court rulings that directly affect marketing activities. We give an overview of data protection measures for the most important marketing areas.

Most important information about data protection in marketing

  • With the entry into force of the GDPR in 2018 and court rulings on cookies, for example, it is important to observe and implement innovations in the area of online marketing.
  • The following also applies to marketing: the processing of personal data in e-mail communication, for example, must be designed in accordance with the GDPR and corresponding measures must be documented.
  • The description of these measures must be stored in the register of processing activities; we show you one way to implement this.

Email Marketing and Newsletter

Even in times of social media, email and newsletters are an important communication channel for companies. Customers and interested parties can be contacted regularly with product information via this channel. However, this requires that personal data such as the email address is collected, and almost every newsletter addresses the recipient personally, i.e. by first and last name. The GDPR requires documented proof that this personal data is collected and processed in accordance with data protection law.

What does legally compliant consent to email marketing look like?

Every marketing manager is familiar with the double opt-in process. This is how companies ensure that people have agreed to register for the newsletter. Interested parties enter their email address in the registration form of the newsletter, for example, and then receive a confirmation link by email. By clicking on this confirmation link, the interested party gives the company legally compliant consent to the communication.

What components make email communication GDPR compliant?

The e-mail communication, such as the newsletter, must contain an imprint and offer the subscriber the possibility to unsubscribe from the communication. Unsubscribing must be offered in the same way as registration; in most cases, this means online unsubscription.

What should be considered when using e-mail addresses of existing customers?

The GDPR allows e-mail addresses of existing customers to be used for self-promotion of the company's own products and services. However, this applies only if the company informed the customer about this use when making the offer or when concluding the contract, i.e. the customer had the opportunity to object to the e-mail communication and has not done so. The legal basis for this is legitimate interest under Art. 6 (1) f GDPR (DSGVO). In this case, no separate consent needs to be obtained from the customer.

How must contacts be handled that were stored before the GDPR came into force?

Communication with new customers always requires new consent via the double opt-in procedure. Existing contacts who consented via the opt-in procedure may only be contacted if you can prove the point in time of their consent, even if it predates the entry into force of the GDPR. If this is not possible, you must obtain renewed consent and may contact these people again only afterwards.
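The double opt-in flow from the section above, together with the dated consent record you need in order to prove when consent was given (the point raised for pre-GDPR contacts), as an added example that is not part of the original article. The domain in the link, the secret key and the in-memory dictionaries are assumptions standing in for a real secrets store and database.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Assumed server-side secret; load it from a secrets store in real use.
SECRET_KEY = b"example-secret-do-not-use"

# In-memory stores standing in for a database (constructed for this example).
PENDING = {}   # token -> registration data awaiting confirmation
CONSENTS = {}  # email -> dated consent record, the proof the GDPR asks for


def _sign(token: str) -> str:
    # HMAC over the token so a confirmation link cannot be forged or guessed.
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()


def start_opt_in(email: str, first_name: str, last_name: str, consent_text: str) -> str:
    """Step 1: the form is submitted; store the request and build the link.
    The address is NOT on the list yet: only the click proves the mailbox owner asked."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = {
        "email": email,
        "first_name": first_name,
        "last_name": last_name,
        "consent_text": consent_text,  # exact wording shown on the form
        "requested_at": datetime.now(timezone.utc).isoformat(),
    }
    return f"https://example.org/newsletter/confirm?t={token}&s={_sign(token)}"


def confirm_opt_in(token: str, signature: str) -> bool:
    """Step 2: the link is clicked; check the signature, then record consent."""
    if not hmac.compare_digest(_sign(token), signature):
        return False  # tampered or forged link
    pending = PENDING.pop(token, None)  # single use: a second click fails
    if pending is None:
        return False
    CONSENTS[pending["email"]] = {
        **pending,
        "confirmed_at": datetime.now(timezone.utc).isoformat(),
        "method": "double opt-in",
    }
    return True


def has_provable_consent(email: str) -> bool:
    """Send the newsletter only to addresses with a confirmed, dated record."""
    return "confirmed_at" in CONSENTS.get(email, {})
```

The stored record (form wording, request time, confirmation time, method) is what you hand over when asked to prove consent for a given address.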

What should be considered when using email service providers?

The majority of companies use external service providers or software providers for newsletter distribution. In this case, a contract for commissioned data processing must be concluded with the provider. This contract belongs in the data protection documentation.

What are the information requirements according to the GDPR?

Consent, or the legitimate interest, must be supplemented by the so-called information obligations of the GDPR. These are explained in Art. 13 and 14 of the GDPR and are intended to inform the visitor about the collection and processing of data. Address the following points in particular in the privacy policy on your website:

  • Purpose of personal data processing
  • Information about the legitimate interest according to Art. 6 (1) GDPR (DSGVO)
  • Storage period of the collected data
  • Possibility of revoking consent
  • Processing of personal data via a service provider

External Data Protection Officer

You are welcome to engage us as your external data protection officer (DPO). We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Privacy policy for cookies in marketing

Operators of websites should deal with the use of cookies in accordance with data protection regulations. In the cookie files, information is stored in profiles for advertising purposes. This can be information on the hardware or software used, the IP address, the user's movements on the net, his preferences, interests and even his shoe size. If the cookies contain information that identifies a website visitor as a "unique user", the GDPR applies to them.

If data is used to identify someone as a target for advertising, but no identifying data is stored, this is pseudonymisation. Pseudonymous data may be personal, but pseudonymisation is a strong argument for allowing advertising. This is because the pseudonymous profile is less of a burden on the user's privacy.

What do you need to watch out for in marketing when using cookies?

If companies operate a website and use cookies on it, they must not only point out the use but also obtain consent for the use of cookies. For this purpose, there are numerous service providers that offer so-called "consent managers". When configuring a cookie or consent manager, cookies are divided into different categories. Consent does not necessarily have to be obtained for each category of cookies. Technically necessary cookies, which are, for example, essential for the operation of a website, can also be used without consent. Cookies that are used for marketing or statistical purposes, on the other hand, require the visitor's permission.

What must be observed when using technically necessary cookies?

Cookies are often necessary for basic website functions, for example to save the preferred language, page settings and the contents of a shopping cart in an online shop. Such technically necessary cookies, which do not allow a website visitor to be recognised, are not relevant for data protection. They do not require informed consent.

For the use of cookies that identify the user, the website operator must obtain the consent of the site visitors, be able to rely on the fulfilment of a contract, or rely on another legal basis under Article 6 GDPR. Many operators use large cookie banners that cover almost the entire content of the website and only offer the option of accepting cookies with an "OK" button. The European Court of Justice will probably declare banners in this form inadmissible. One often reads sentences like "By using the website you agree to the use of cookies". Such formulations do not meet the requirements of the data protection authorities. A link to the privacy policy or the cookie policy, which contains all mandatory information and details of the cookies used, is mandatory.

What needs to be considered when using cookies that require consent?

In a position paper, the Conference of the Federal and State Data Protection Authorities (DSK) writes that consent must be given for the use of tracking mechanisms and the creation of user profiles. This is confirmed by the ECJ ruling of May 2020. Before using analysis tools such as Google Analytics or other trackers, informed consent must be obtained from the visitor. For a secure implementation, website managers obtain this consent via a consent text that is displayed when the website is first visited. The text must describe the data collected and its intended use as precisely as possible. The user must confirm the text with an active action and thereby give consent.

What are the implications of the ECJ ruling of 28 May 2020 on cookie use?

The handling of cookies is not clearly regulated in the GDPR and often caused confusion when it came to the concrete implementation on the website. In addition to the GDPR, the so-called "Cookie Directive" of the EU is implemented in Germany via Section 15 (3) of the German Telemedia Act (TMG). The Cookie Directive requires consent in order to be allowed to process cookies. With the ruling of the Federal Court of Justice (BGH), website operators can finally be guided by a binding statement on the use of cookies requiring consent.

Consent to the storage of cookies is only valid if no pre-ticked boxes are used. This means that the user must perform an active action, i.e. actively click on a button such as "Accept all cookies" or actively tick the boxes individually, before cookies may be used by the website operator.

In addition, the site operator must inform the visitor sufficiently and point out the right to object. If cookies are used on a website, you as the site operator must inform about them in the privacy policy. The information must include the following:

  • The legal basis for the use of cookies
  • The purposes of processing
  • The retention period
  • The possibility to object
  • The consequences of objecting
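An added example, not code from the article, showing the cookie categorisation and consent gating described in the sections on consent managers and on pre-ticked boxes: technically necessary cookies are always permitted, every other category is off by default, and a category only turns on after an explicit banner action. The cookie catalogue, category names and policy version are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed cookie catalogue (names and categories are example values);
# the categories follow the grouping a consent manager asks the visitor about.
COOKIE_CATALOGUE = {
    "session_id": "necessary",   # login session, needed to run the site
    "lang": "necessary",         # preferred language
    "cart": "necessary",         # shopping-cart contents
    "_ga": "statistics",         # web analytics tracker
    "_fbp": "marketing",         # advertising pixel
}
CONSENT_CATEGORIES = ("statistics", "marketing")
EXPLICIT_ACTIONS = {"accept_all", "reject_all", "save_selection"}
POLICY_VERSION = "2024-05"  # assumed version of the cookie notice shown


def default_choices() -> dict:
    """Banner state on first visit: nothing pre-ticked, nothing granted."""
    return {cat: False for cat in CONSENT_CATEGORIES}


def record_consent(choices: dict, action: str):
    """Turn the visitor's banner interaction into a stored consent record.

    Only an active click counts. Closing the banner, scrolling or simply
    continuing to browse returns None: no consent, so no record is stored.
    """
    if action not in EXPLICIT_ACTIONS:
        return None
    if action == "accept_all":
        granted = {cat: True for cat in CONSENT_CATEGORIES}
    elif action == "reject_all":
        granted = default_choices()
    else:  # save_selection: only boxes the visitor ticked themselves
        granted = {cat: bool(choices.get(cat, False)) for cat in CONSENT_CATEGORIES}
    return {
        "granted": granted,
        "action": action,
        "policy_version": POLICY_VERSION,  # which notice text was consented to
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def allowed_cookies(consent) -> set:
    """Cookies the site may set; consent is None until the visitor decides."""
    granted = consent["granted"] if consent else default_choices()
    return {name for name, cat in COOKIE_CATALOGUE.items()
            if cat == "necessary" or granted.get(cat, False)}
```

The record also keeps the action and the policy version, which is what the documentation of data protection measures needs when a decision is later questioned.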

Privacy Review - The Podcast for Privacy Professionals #12: Privacy in Marketing

Data protection in marketing means dealing fairly and transparently with other people's data

That's what the podcast is about:

Website and tracking via cookies, data protection compliant communication with the customer, common data protection mistakes in video conferences, best practices on the topic of data protection, using new tools and processes right away on data protection compliant solutions.

Privacy in Marketing Checklist:

  • Use of the double opt-in procedure
      ◦ Indication of the imprint in the newsletter
      ◦ Possibility to unsubscribe from the newsletter
      ◦ Conclusion of the order processing contract with the e-mailing service provider
      ◦ Documentation of data protection measures and order processing contracts
  • Creation of an overview of the cookies used
      ◦ Classification into categories, such as technically necessary, functional, marketing, etc.
      ◦ Set-up of a consent manager on the website
      ◦ Addition to the privacy policy
      ◦ Documentation of data protection measures

Ulrich Hottelet
