2. Permission
What does the term “permission” actually mean in connection with the lawful sending of commercial emails?
The term “permission” means that there is a legally defined state of permission according to which the sending of commercial emails is legal. Only if such permission exists does the sender of commercial emails act in a legally correct manner. There are different types of permissions, which are explained below.
2.1 Overview
In principle, the legislator assumes the existence of consent by the addressee of the email as an element of permission. Consent is a declaration of intent that must have been given by the addressee prior to the sending of advertising. As an exception, no consent is required in the context of existing customer relationships, but certain conditions must also be met for this. The conditions for permission are derived from the EU’s General Data Protection Regulation (GDPR) and the ePrivacy Directive 2002/58/EC of the European Parliament and of the Council from 12 July 2002, along with their national transpositions.
2.2 Legal grounds in Germany
The law on email marketing is based on a uniform European foundation: The Privacy & Electronic Communications Directive (also known as the ePrivacy Directive) stipulates in Article 13 that the consent of the addressee is generally required for the sending of email advertising. This can be deviated from under certain conditions, but only in the case of existing customer relationships. This core principle applies equally to all EU Member States. However, EU directives do not apply directly, but are transposed into national law in each individual EU Member State. This transposition into national law may result in minor legal differences if an EU Member State goes beyond the requirements of the EU Directive. The case law of national courts and the practice of the supervisory authorities responsible for data protection must also be taken into account and complied with.
The European Union’s requirements for email advertising have so far been transposed into national law in Germany by the German Act Against Unfair Competition (UWG),[1] the German Telemedia Act (TMG) and the General Data Protection Regulation (GDPR).
With regard to the processing of personal data in the context of email communication, the GDPR, which has been applicable throughout Europe since 25 May 2018, contains specific regulations. In contrast to the ePrivacy Directive, its provisions apply directly in each individual EU Member State. In accordance with the GDPR, the processing of personal data is restricted. According to Article 6 of the GDPR, this must either be based on consent or another exceptional circumstance specified in the article.
Since the GDPR is a “general regulation”, national legislators were authorised to concretise specifically defined matters through national laws.
In Germany, this has brought about by the new German Federal Data Protection Act (BDSG). Here, among other factors, regulations have been made on the structure of the national supervisory authorities and their representation at the European level. Furthermore, specific regulations were adopted on the processing of particularly sensitive data, the processing of employee data, and the appointment of a data protection officer.
In addition, the German Telecommunications Telemedia Data Protection Act (TTDSG) came into effect on 01.12.2021. In the TTDSG, elements of the legislator’s activities included the revision of the data protection provisions of the German Telemedia Act (TMG), which had not been adapted previously to affiliate with the General Data Protection Regulation, and the amalgamation of these into a new law. The aim was to adapt these provisions to align with the GDPR and the ePrivacy Directive and, in particular, to transpose the 2009 requirements of Art. 5 (3) ePrivacy Directive into national law in a legally secure manner. The previous TMG thus continues to exist in an abridged version, but no longer contains any data protection provisions. With regard to the previously applicable laws (ePrivacy Directive, GDPR, UWG as well as TMG), their regulations continue to apply with regard to the permission to send advertising emails; the new regulations of the TTDSG, on the other hand, are taken into account in connection with the consent conditions for tracking and will also be discussed in detail in this chapter.
[1] In this text, the German abbreviations of German laws have been used in combination with the English translations of the commonplace name of the law in order to make it easier for readers to find the German original texts and their official English translations, where available, e.g. here.
2.3 The advertising concept in email marketing
Every party responsible for a company that sends emails to customers must be clear about whether these are advertising or so-called transactional emails.
To what extent is the distinction between advertising emails and transactional emails important?
The answer to this question has a particular impact on which legal requirements must be complied with for sending emails. This is because the strict legal requirements for email marketing (see Art. 7 GDPR, Art. 13 Directive 2002/58/EC (ePrivacy Directive), Section 7 UWG) do not apply to purely transactional emails.
2.3.1 Definition
Legislation and case law define this term very broadly. According to this definition, any statement that directly or indirectly serves to sell products and services is to be classified as “advertising”. Almost everything that a company produces and communicates externally ultimately serves to sell products and services. Accordingly, the classic newsletter also falls under the “advertising” concept.
The following examples, which case law in Germany has qualified as advertising, make it clear how broadly the term is defined:
- Birthday or Christmas greetings from a company
- Emails for a market research study that is not neutral but carried out in the interest of a company
- Demand advertising or pure image advertising (advertising of a brand without reference to a specific product)
- Service messages with references to other products, as these are also intended to promote sales indirectly
- Election advertising by political parties and donation advertising by non-profit organisations fall under the advertising” concept
2.3.2 Differentiation from transactional emails
Transactional emails, also called system emails, are characterised by the fact that they are usually sent automatically and are triggered by certain actions of users or by certain business transactions about which the user must be informed in online shops, online portals, booking systems, communities, social networks and comparable systems. An email is sent per “transaction” or user action.
Typical examples of transactional emails are:
- Registration and application confirmations
- Order and sending notices
- Invoices
- Acknowledgements of receipt of returns
- Password reminders, requests and changes
- Status messages
- Double opt-in emails
- Changes to the General Terms and Conditions
2.3.3 Borderline cases from practice
Sending job or housing advertisements
The legal assessment of such emails is a matter of the individual case at hand. If a special exposé or a specific job advertisement is requested on a portal and then sent automatically, the mailing can regularly be classified as a transactional email. On the other hand, if several advertisements are sent – for example, after registering on a portal, consecutively or over a longer period of time – these mailings will have to be qualified as newsletters.
Mailings from contact exchanges
The situation here is very similar to that in the previous example: Let’s imagine that a user registers to a portal and makes contact with another person. If the other person then responds, for example, a notification email about this process could be seen as a transactional email. To a certain extent, it then represents an automated (re)action on a trigger. The situation would be different if, for example, the same user received regular updates on the fact that new members have registered with the portal. Such mailings would then be characterised by the fact that they are not sent once on the basis of a registration or a trigger, but are sent to the contact exchange users at more or less regular intervals. As such, these mailings do not constitute a transactional email.
New functionalities of a portal/service email
With such mailings, the focus is usually on customer loyalty or the sale of further products. Moreover, the mailings are not sent once, but are sent at more or less regular intervals. Consequently, they are not transactional emails but promotional emails or newsletters.
2.3.4 Summary
The sending of commercial mailings always requires permission, usually consent. This results from European law as well as from the national transposition regulations. Transactional emails should also always be free of advertising. Advertising in transactional emails is not prohibited per se. But as soon as transactional emails contain advertising, the strict legal requirements of email marketing also apply to transactional emails. This means that permission – i.e., the consent of the recipient – is required for sending the email. The “advertising” concept is to be understood broadly and includes any pronouncement that serves to directly or indirectly promote sales.
2.4 Consent
2.4.1 Introduction
As explained in the previous chapter, email advertising always requires the consent of the recipient.
Despite a widespread/common misconception, this applies to both the B2C sector and the B2B sector. The consent of the addressee is also required for an advertising email in the B2B sector. What does not suffice is presumed consent, as in the case of telephone advertising in the B2B sector, with this spelt out in Section 7(2)(2) of the German Act Against Unfair Competition (UWG).
In addition to the consent for the sending of advertising emails, the sender further requires different declarations of consent from different areas of law.
For the mere sending of an advertising email and the associated data processing, three different types of consent must be obtained:
- Data protection law: Consent in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) to process the email address for sending the advertising email
- Competition law: Consent under the UWG to send the advertising email
- Right of personality (or right to conduct a business): Justifiable consent for the intervention with the general right of personality (or with the right to conduct a business)
In addition, there are then potentially further consents for email/newsletter tracking:
- Consent under the German Data Protection and Privacy in Telecommunications and Telemedia Act (TTDSG) for the tracking itself; and
- Consent in accordance with GDPR/BDSG for subsequent data processing in profiling
Last but not least, under certain circumstances, it may even be necessary to obtain consent for the transfer of data to an unsafe third country pursuant to Art. 49(1)(a) GDPR if the data for sending the promotional email is processed in the USA, for example (although the validity of such consent is highly controversial due to the exceptional nature of Art. 49 GDPR).
The formal and content-related requirements for all consents are derived from Art. 4(11), Art. 7 GDPR, Section 51 BDSG and are further specified in Recital 32 of the GDPR.
With regard to the requirements for consent, the ePrivacy Directive refers to the GDPR (Art. 13(1)(f), Art. 2(f) Directive 2002/58/EC in conjunction with Art. 94(2) GDPR), meaning that the GDPR centrally defines the minimum requirements for consent, which are then further refined by the ePrivacy Directive (2002/58/EC) or its national transpositions – for example, for promotional emails.
In summary, the following formal and content-related requirements exist for the declaration of consent:
- transparent and informed
- explicit
- freely granted
- verifiably documented
2.4.2 Transparent and informed consent
First of all, it is crucial that consenting parties are informed in a transparent and comprehensible way about the content of their declarations of consent.
Consent has several components, all of which must be transparently stated in the declaration of consent:
- Personal component: Who is advertising?
Who is the recipient of the consent or to whom is the consent given, and which company can rely on the consent? - Content-related component: What is being advertised?
Which products and services are being advertised? - Media component: How is the advertisement being sent?
How often is the consenting party contacted via which advertising channels?
2.4.2.1 Personal component: Who is advertising?
The company that obtains the consent and that wishes to rely on the consent in the future must be explicitly named. The consent then only ever applies to the explicitly named company, which thus also acts as an explicitly named controller within the meaning of the GDPR.
There is no “blank consent” that could entitle a specifically named company and, for example, its unspecified “partner companies” to email advertising.
Consent in the group company
A group-wide use of consent by affiliated companies is only possible if the consent is also expressly given to explicitly named further group companies. A blanket notice to use by an explicitly named company and its affiliated companies is non-transparent. As such, corresponding consent vis-à-vis the affiliated companies is invalid – whereby this invalidity of consent vis-à-vis the affiliated companies will usually not feed into the consent vis-à-vis the explicitly named company.
An intra-group transfer of addressee data can take place on the basis of processing if a group company as a service provider carries out online marketing centrally for several group companies (see Chapter D on the prerequisites for processing). However, even in this case, it must be ensured that the data of the individual group companies are strictly separated and processed only for the purposes of the respective group company.
Consent vis-à-vis several companies (“co-sponsoring”)
Consent to the sending of email advertising can, in principle, be declared to several companies at the same time. This is also generally recognised by case law.
The German Federal Court of Justice (BGH) states:
“Valid consent to receive electronic mail for advertising purposes requires, inter alia, that the addressee knows that their statement constitutes consent and that it is clear which products or services of which companies it specifically covers.”
(BGH, judgement of 14.03.2017, file no. VI ZR 721/15)
The Higher Regional Court (OLG) of Frankfurt/Main is more specific:
“If participation in a prize draw has been made dependent on consent to receive future email advertising, there are no objections to the validity of this consent in any case if the consumer has consented to [receiving] advertising from no more than eight specifically designated companies (…)”.
(OLG Frankfurt/Main, judgement of 27.06.2019, file no. 6 U 6/19)
Consent must be given in a transparent and informed manner – i.e., for the consenting party, it must be clear which companies the consent was given to. This is no longer the case with a complex large number of companies. There are inevitably no definitive limits here, but existing rulings can be used as a guide.
The OLG Frankfurt/Main judgement cited above still views consent to eight companies to be transparent and valid. This does not necessarily mean that a list of eight companies is the absolute maximum. In 2015, the OLG Frankfurt/Main (judgement of 17.12.2015, ref. 6 U 30/15) had already decided that 59 sponsors are too many. Within the consent process, if the user can easily and unambiguously take note of the list of companies (including the industries or the products and services to be advertised – see below), the transparency requirement is met, and the consent is valid. However, in the case of a list of significantly more than eight companies, which can no longer be noted “at a glance”, it is only in very rare cases that an equivalent easy and unambiguous acknowledgement would be possible.
Complicated selection of co-sponsors leads to the invalidity of consent
An overly complicated selection of “co-sponsors” also stands in the way of the validity of consent. This is shown by a judgement of the German Federal Court of Justice (BGH) (judgement of 28.05.2020, ref.: I ZR 7/16), in which the court had to assess the validity of a consent in which the consenting party was to select the co-sponsors themselves in the participation in a prize draw. Here they were presented with a list of 57 companies which they had to deselect individually if they did not want to give consent to the individual company. A certain number of companies had to be deselected. If the consenting party did not deselect any or not enough companies, the organiser was left to choose the sponsors or the consent recipients. According to the court, due to the complicated and elaborate design of the selection option, the consenting party should have been allowed to refrain from exercising their selection option, and should leave the selection to the organiser. The BGH ruled that valid consent cannot be obtained with such a complicated procedure.
Lead generation
The use of email addresses where a third party generates consents for the purchaser is associated with increased verification obligations. According to case law, the purchaser of the email addresses must make sure that the owner of the respective email address has expressly consented to the sending of email advertising by the purchaser.
In any case, it is not sufficient to rely on the assurance of the third party that the consents are available. The purchaser must have the corresponding documented evidence presented to them and must, at least, carry out a random check.
2.4.2.2 Content component: What is being advertised?
The declaration of consent should also address the content of future advertising emails as transparently as possible. For the consent to be transparent and informative, it is necessary that the consenting party is informed in detail and precisely about the products and services for which it will receive future advertising by email.
The German Federal Court of Justice (BGH) states clearly on this point:
“Valid consent to receive electronic mail for advertising purposes requires, inter alia, that the addressee knows that their statement constitutes consent and that it is clear which products or services of which companies it specifically covers.”
(BGH, judgement of 14.03.2017, file no. VI ZR 721/15)
In principle, it is also not sufficient that the consenting party can assume which advertising content will be involved – for example, on the basis of the company name.
If, for example, a company sells different product lines under different brands, the declaration of consent must state whether the addressee will, in future, only receive advertising for the product line under a specific brand or whether all the company’s brands are to be advertised.
Under certain circumstances, it may be sufficient to name the industry of the advertising company. The Higher Regional Court (OLG) of Frankfurt/Main states:
“…there are no objections to the validity of this consent in any case if (…) the business sector of the advertising company has been described with sufficient clarity (in the case in dispute: ‘Electricity & Gas’)”.
(OLG Frankfurt/Main, judgement of 27.06.2019, file no. 6 U 6/19)
If the details clearly show which products and services are to be advertised in the future, the requirement for an explicit specification of the products and services or the industry is a simply superfluous formulation which does not provide the consumer with any additional transparency.
When specifying the products and services to be advertised in the future, the company must provide specifications that are as precise and transparent as possible, but without unnecessarily restricting itself regarding the subject matter.
Mixed assortment retailer
In the case of a mixed assortment retailer – for example, an online shop with an extensive assortment from a wide range of areas – consent to the sending of the “Special Offers of the Week” or the “Best Deals for Black Friday” may also be permissible if no explicit specification is provided on which categories of goods the offers concern.
It is always crucial that consenting parties know what they are consenting to and what kind of advertising they can expect based on their consent. Under certain circumstances, this transparency can also be given in the case of consent that does not specify exactly which products and services will be advertised in the future. However, a “blank consent” whose wording is intended to enable the advertiser to arbitrarily send advertising for “anything” without any restriction is very likely to be invalid due to its lack of transparency.
Also no group privilege in terms of content
There is also no “group privilege” in terms of content – i.e., consent vis-à-vis a group company does not entitle it to also send advertising on behalf of other group companies or for products and services from other group companies (if the consent did not include such advertising).
2.4.2.3 Media component: How is the advertisement being sent?
When consent is given, the media that will be used for future advertising must also be clearly communicated. The declaration of consent must clearly define whether the consenting party will be contacted in the future by, for example, email, telephone or WhatsApp.
If the advertising media or channels are clearly indicated, uniform consent can be obtained for several channels. The German Federal Court of Justice (BGH) (judgement of 01.02.2018, file no. III ZR 196/17) has ruled in a pleasingly clear manner that separate consent for individual advertising channels (in the case at hand, this involved email, telephone and SMS/MMS) is not necessary, but that consent to advertising on all channels can be obtained uniformly and jointly. In its ruling, the BGH states that, in the case of a uniform declaration of consent, the protective purpose of protecting personal data and privacy from new risks posed by public communication networks is sufficiently taken into account. If a separate declaration of consent had to be given for each advertising channel, this would not strengthen consumer protection.
Conversion
Even if it is legally possible to obtain consent for email and telephone advertising, for example, such a combination is regularly not advisable from the point of view of conversion. The willingness to give consent is likely to be significantly lower if the consumer must expect to be contacted on several channels at the same time. In particular, the combination including consent to telephone advertising is likely to have a negative impact on conversion in the case of consent to email advertising.
Frequency
In order to enable consenting parties to get a full picture of what they can expect when they consent or what exactly they should consent to, it is also advisable to specify the planned frequency of advertising use.
With regard to the potential harassment effect, a considerable difference can ensue if a newsletter is sent out daily or monthly.
If a statement on frequency is possible, this information should accordingly be communicated in any case within the scope of the consent query – not only for legal reasons but also in order to “manage” the expectations of the addressee accordingly and to avoid immediate “unsubscribes”, aggravation and complaints.
2.4.2.4 Suggested wording for consent
Non-binding suggested wording for a declaration of consent to email advertising by a company:
I would like to receive the weekly email newsletter of ABC Company with information about the products and services of ABC GmbH in the field of photovoltaics. Even before receiving the first email, consent can be revoked at any time with future effect, e.g., using the unsubscribe link contained in each newsletter or by email to unsubscribe@abc.company. Detailed information can be found in our privacy policy [LINK].
Non-binding suggested wording for a declaration of consent to email advertising by several partner companies (separate list of co-sponsors):
I would like to receive the email newsletters of ABC Company and its partner companies [LINK: List of partner companies and industry or products/services] with information on their respective products and services. I consent to my data being passed on to the named partner companies. The respective consent can be revoked vis-à-vis the respective company at any time with effect for the future, e.g., using the unsubscribe link contained in each newsletter or by email to the address provided. Detailed information can be found in our privacy policy [LINK].
2.4.3 Explicit consent
Consent must be explicitly – namely, consciously and actively – declared by the consenting party.
According to Art. 4(11) GDPR, there must be an “unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
In other words, consent must be given with knowledge and intention and must not be “assumed”.
Such an unambiguous indication with knowledge and intention can be made in writing by a signature of the person giving consent, or electronically – for example, by clicking on a checkbox or a specific button.
If only consent is to be obtained and no further explanations are to be requested, a confirming button in the telemedia area – for example, with the caption “Subscribe to newsletter” – is completely sufficient. In this context, there is no need to provide a supplementary checkbox that must be additionally activated.
If consent is given in writing, it may be combined with other declarations or facts, but must then be clearly distinguished from the other facts and be clearly distinguishable as a declaration of consent.
Verbal consent or consent by telephone are also possible in principle (although problems with verifiability may arise in this case – see below).
On the other hand, valid explicit consent cannot be obtained by merely offering an opt-out right to the consenting party. Thus, for example, consent based on a checkbox that must be activated if no email advertising is desired is invalid. A pre-clicked checkbox with consent to email advertising that must be deactivated if no email advertising is desired is also not an explicit declaration.
The disclosure of the email address in public directories, on the website, on a letterhead or on a business card also does not constitute consent to the sending of email advertising. A presumed or implied consent, where an interest of the addressee is merely assumed, is not sufficient.
It must also be clear from the wording of the declaration of consent that explicit consent is being given. A rather informative sounding formulation such as “I am aware that I will receive email advertising in the future…” is not sufficient, as the user is not necessarily aware here that they are to give an explicit freely granted declaration of consent.
2.4.4 Freely granted nature of consent and coupling
Consent must be given voluntarily – i.e., consenting parties must be free to choose whether or not to give consent. Consent is only valid if it can be given without pressure or coercion and without being significantly influenced by extraneous motives.
The freely granted nature of consent to email advertising becomes relevant above all in connection with the coupling of consent to other circumstances, such as participation in a competition or the download of an e-book.
If consent to email advertising is coupled to another circumstance in such a way that the person giving consent has virtually no choice but to give consent, this consent is not given voluntarily and is therefore invalid.
Prohibition of coupling consent?
The so-called “prohibition of coupling” in Art. 7(4) GDPR states that, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. In other words: If one can only conclude a contract if consent is given at the same time, this coupling must be taken into account when assessing if consent is freely given.
The prohibition of coupling is thus not absolute, at least according to the wording of the law; coupled consent does not necessarily have to be invalid.
In contrast, recital 43 of the GDPR states that consent is not voluntary if the performance of a contract “depends on consent, even though such consent is not necessary for performance”. Here, the legislator seems to intend to strictly prohibit any coupling.
On the question of coupling, the Higher Regional Court (OLG) of Frankfurt/Main (judgement of 27.06.2019, case no. 6 U 6/19) succinctly stated that the voluntary nature of consent is not precluded “by the fact that the declaration of consent is coupled to participation in a prize draw. The consumer can and must decide for themselves whether participation is ‘worth’ the disclosure of their data.” The court supplemented this finding by stating that the luring effect of participation in a prize draw does not exclude consent being freely given.
It remains to be said that the legal situation regarding the interpretation of the prohibition of coupling is not clear. Since the German Federal Court of Justice (BGH) has not yet ruled on this question in the last instance, a sender runs the risk that a coupled declaration of consent is invalid.
Contract as a chance to allow newsletter subscription
The State Commissioner for Data Protection and Freedom of Information (LDI) of the German state of North Rhine-Westphalia came to the same conclusion on a completely different path in its Activity Report 2020.
In the view of the State Commissioner, the coupling of consent to email advertising and participation in the prize draw is unlawful. But the sending of email advertising in connection with participation in the prize draw can be based on a contractual basis instead of consent.
In this case, the contract includes both the opportunity to participate in the competition and the willingness to receive email advertising.
If these mutual services are presented in a transparent manner, a contract can be the basis for email advertising in the opinion of the State Commissioner. The subscription to the newsletter must be able to be cancelled at any time – just as consent can be revoked at any time.
In terms of data protection law, the legal basis for data processing in connection with the sending of advertising emails would then not constitute consent pursuant to Art. 6 (1)(a) GDPR, but the fulfilment of a contract pursuant to Art. 6(1)(b) GDPR.
The transparent design is decisive
The coupling of consent to advertising to another circumstance – for example, participation in a competition or the download of an e-book – can be permissible in principle. As a result, it is almost irrelevant whether consent or a contract is used as the legal basis – the decisive factor is, as so often, the transparent design of the construct.
For example, if the coupling of consent is only disclosed after the user has already filled out an extensive form, there is a high probability that users will only consent because they have already invested a lot of time in filling out the form – and not because they have made a free and conscious decision regarding consent. The validity of consent obtained in this way is highly questionable.
The more the design of the consent is intended to influence users to give their consent quickly and in an unconsidered manner, the greater the risk that a court will classify the consent as involuntary and thus invalid.
This can also be the case with an influencing graphic and colour design (e.g., with a large green “consent” button and a small red “decline” button, as is often seen with cookie banners) or if the failure to give consent is complicated – for example, by long click paths through extensive submenus.
2.4.5 Proof and documentation of consent: DOI
In the event of a legal dispute about the permissibility of sending an advertising email, the sender bears the burden of proof that consent has been given, that the consent also relates to the specific disputed sending, and that the consent was given by the owner of the email address being written to.
Merely showing that consent was given to send advertising emails to a specific email address is not sufficient if the sender cannot prove that the consent actually came from the owner of the email address used.
The sender of the advertising email must accordingly document the declarations of consent extensively in order to be able to prove them in detail in the event of a complaint.
2.4.5.1 DOI confirmation email
The DOI confirmation email must reproduce and confirm the entire consent form in order to serve as proof for valid consent.
The DOI confirmation email serves solely to verify consent. If a user misuses another person’s email address when registering for a newsletter, the owner of this email address receives a DOI confirmation email. They thereby get this confirmation email without knowledge of the declaration of consent given by the third person; they have never given any this consent anywhere. If the person now clicks on the confirmation link, this click alone must constitute sufficient consent to send them the newsletter to their own email address in the future.
The DOI confirmation email must therefore contain the complete declaration of consent and full consent must be given by clicking on the confirmation link. With the wording of the DOI confirmation email alone, the sender must be able to prove in court that the addressee consented to the sending of email advertising. It is, therefore, not sufficient if the DOI confirmation email briefly and concisely asks for confirmation of the consent given on the website during registration without repeating it.
Is a DOI confirmation email spam?
Some courts have classified the sending of the DOI confirmation email as spam – for example, most recently, the Berlin State Court (LG) (judgement of 19.09.2019, file no. 15 O 348/19).
However, in its landmark ruling (judgement of 10.02.2011, file no. I ZR 164/09) with the programmatic title “Double Opt-In”, the German Federal Court of Justice (BGH) established the admissibility of the DOI procedure. Fortunately, the BGH also clarified at the same time that the DOI procedure can be used to prove the authenticity of consent, since with the DOI procedure “after receipt of the requested confirmation […] it [can] be assumed that the request actually originates from the specified email address”.
DOI confirmation email must be free of advertising
Care must be taken to ensure that the DOI confirmation email itself does not contain any advertising. Jurisprudence is extremely strict on this point – for example, the Berlin Higher Regional Court (KG) (judgement of 25.09.2021, ref.: 5 U 35/20) ruled that an email that is permissible in itself already becomes an impermissible advertising email if it only contains a short two-line text with advertising content in the footer.
A controversial question is whether it is necessary to go so far at this point to ensure that the DOI confirmation email does not even contain a company logo. On the one hand, the inclusion of a logo makes it easier to attribute the email and to create a reminder of the consent given for the company. On the other hand, the courts are extremely restrictive on this point, as already mentioned. It is therefore advisable to refrain from any graphic design and best to send the DOI confirmation email as plain text in order to avoid any risk.
Suggested wording for a DOI confirmation email
The following is a non-binding wording proposal for a DOI confirmation email for email advertising by several partner companies (separate list with co-sponsors):
Thank you for your registration! Please confirm that you would like to receive the email newsletters of XYZ Company and its partner companies [recommendation: these should then be listed in a tabular form, for example, in a way that is easy and simple to grasp] with information on their products and services and that you agree to your data being passed on to the aforementioned partner companies. Your consent can be revoked with effect for the future, e.g., by using the unsubscribe link included in every newsletter or by sending an email to unsubscribe@xyz.company. Detailed information can be found in our privacy policy [LINK].
[BUTTON: CONFIRMATION OF CONSENT].
2.4.5.2 Deletion of data for non-responders
If consent is not confirmed by means of clicks in the DOI confirmation email, the data must be promptly deleted. Following the principle of storage limitation, data may only be processed as long as it is necessary for the specific purpose.
The question here is how long the confirmation by the addressee can realistically be expected to take. Experience shows that the confirmation of a newsletter order by means of clicks in the DOI confirmation email usually takes place within a few minutes. If the addressee is on holiday, for example, and cannot be reached by email, it may well take one or two weeks until the addressee confirms their consent. Accordingly, a period of two weeks is still considered permissible under data protection law. If no confirmation is received within this period, the data must be deleted. Reminders of the confirmation are prohibited and are not covered by data protection law.
2.4.5.3 Documentation of consent
The declaration of consent must be comprehensively documented permanently for the complete period of use of the email address.
In the event of a dispute, the sender of an advertising email must be able to substantiate at least the following details in the case of consent obtained electronically:
- Content of the declaration of consent
- Website where consent was obtained
- Details of obtaining the declaration of consent, in particular its explicit nature
- Time of the declaration of consent (time stamp)
- IP address of the person(s) giving consent at the time of giving consent
- Sending time of the DOI confirmation email
- Contents of the DOI confirmation email
- Time of confirmation of consent via a click in the DOI confirmation email
- IP address of the consenting parties at the time of giving consent
- Process to ensure that only email addresses with confirmed consent are included in the mailing database.
2.4.5.4 Oral consent
Consent given orally or by telephone can be verified under certain circumstances with a witness declaration by the recipient. In the case of such declarations of consent, it is advisable to document the consent process comprehensively; in the instance of consent obtained in the call centre, for example, minutes should be kept that show how the consent was obtained. What should also be documented in the CRM system is when the consent was given to which call centre employee.
However, it is questionable as to whether a call centre agent’s testimony to a consent given far in the past is considered credible, especially if a call centre agent obtains countless consents every day.
Moreover, even in the case of verbal consent to email advertising, there is no guarantee that the consenting party is actually the owner of the email address given or that it has been correctly understood or transmitted.
In this respect, the implementation of a downstream double opt-in procedure is also recommended for consent given orally or by telephone.
2.4.5.5 Retention of consent after revocation
After the revocation of consent, the sender can still be held liable by (former) consenting parties with regard to the sending of advertising emails. In order to be able to defend against potential subsequent warnings and lawsuits, the sender therefore still needs documentation of the (former) consents, even after the revocation of consent.
Accordingly, the documentation of consent should be kept as long as legal action against the sender is possible for the (former) consenting party. The regular limitation period under German law is three calendar years (Section 195 of the German Civil Code (BGB)). For this period, beginning with the last sending based on the revoked consent, the documentation of the consent must be kept in order to be able to defend oneself in potential legal proceedings.
The obligation to account for and provide evidence takes precedence over the obligation to delete data for this period (Article 17(3)(e) of the GDPR). The legal basis for such retention for legal defence is accordingly found in the impressive chain of paragraphs Art. 6(1)(c) in conjunction with Art. 5(1)(a)(2), Art. 7(1) and Art. 6(1)(f) GDPR.
When they are giving consent, consenting parties should already be informed about this subsequent retention after revocation in the privacy policy pursuant to Art. 13 GDPR. Retention must also be documented in the processing directory. A corresponding deletion concept must also be implemented to ensure that the documentation of consent is effectively deleted after the subsequent retention period has expired.
2.4.6 Data minimisation
When collecting consent, no more data may be requested from consenting parties than is actually required for the purpose of “sending advertising emails”. For the sending of advertising emails, only the email address is primarily required. The mandatory request of the first name and/or surname for the personalisation of the emails is largely considered permissible by the data protection supervisory authorities.
All other data requested on a voluntary basis is subject to purpose limitation; that is, only data that is actually required – for example, to carry out personalisation – may be requested. An unprovoked request for further data “in advance” is not permitted.
2.4.7 Consent of minors
The consent of minors regarding the sending of advertising emails is only valid if they have reached the age of 16 (Art. 8(1)(1) GDPR). The opening clause in Art. 8 (1)(1) of the GDPR, which allows Member States to provide for a lower age limit (but not below the age of 13), has not been used in German law.
In the case of minors under the age of 16, the holder(s) of parental responsibility must declare or confirm consent (Art. 8 (2) GDPR).
In doing so, the sender must make reasonable efforts “taking into consideration available technology” to verify that consent has actually been given or authorised by the holder(s) of parental responsibility.
The highly practical question of what such “reasonable efforts” should look like has not yet been conclusively answered by the courts and the data protection supervisory authorities.
Two-stage review
A two-step verification procedure has become established in practice. In the case of an email newsletter that is aimed at an underage target group, the provider asks for the age of the user in a first step. This can be done by a simple query of the age or the date of birth. In the interest of data minimisation, a binary query (“Are you at least 16 years old?”) would also be possible.
According to general opinion, the implementation of an age verification system within the meaning of the law on the protection of minors in the media is not required for a newsletter subscription.
For users under the age of 16, the provider must then make “reasonable efforts” to obtain the consent of the holder(s) of parental responsibility or have the consent of the minor(s) confirmed.
Here, a modified double opt-in procedure is regularly implemented, in which the email address of the holder(s) of parental responsibility is also requested. An email is then sent to the email address of the holder(s) of parental responsibility, asking them to declare or confirm the consent of the young person. Only after the declaration of consent or confirmation of consent by the holder(s) of parental responsibility is consent allowed to be given and the email address of the minor(s) is included in the distribution list. This declaration or confirmation of consent by the holder(s) of parental responsibility must also be permanently documented.
The problem with this procedure is that it is all too easy for the minor to circumvent or abuse it by having an alternative email address specified to which the minor has access instead of the holder(s) of parental responsibility. However, at least according to the current state of the art and taking into account the requirement of data economy, this procedure seems appropriate. The Art. 29 Data Protection Working Party has also outlined such a procedure in its guidelines on consent (WP 259) and considers it acceptable.
It is crucial that the provider of a newsletter targeting minors can show that it has implemented a process to first inquire about the age of the consenting parties and then, if necessary, obtain the consent or confirmation of the holder(s) of parental responsibility.
The question of the adequacy of efforts will have to be answered by case law and data protection supervisory authorities.
2.4.8 Period of validity of the consent
It is repeatedly claimed that consent to the sending of email advertising becomes invalid or “expires” after a certain period of time.
However, the GDPR does not contain any regulation regarding a limited period of validity of consent.
Accordingly, the BGH also states
“Neither Directive 2002/58/EC nor Section 7 UWG provides for a time limit on consent once it has been given. It follows from this that this consent – just like consent pursuant to Section 183 of the German Civil Code (BGB) – does not, in principle, expire merely through the passage of time”.
(BGH, judgement of 01.02.2018, file no. III ZR 196/17)
However, care should be taken to ensure that consent is used relatively promptly after it has been given.
For example, according to the Munich State Court I (judgement of 08.04.2010, file no. 17 HK O 138/10), consent to the sending of email advertising that is only used more than 1.5 years after the consent was given is no longer valid, as the consenting party will no longer expect to receive email advertising after such a long period of time.
From a legal point of view, this can possibly be justified in the sense that consenting parties who no longer expect to receive emails after such a long period of inactivity may then feel “unreasonably harassed” (German Act Against Unfair Competition (UWG)) or that after such a long period of non-use, a continuation of purpose occurs under data protection law.
Ultimately, however, this will be a question of the individual case, as is so often the norm. For example, the assessment of the expiry of consent that has remained unused for a long period of time will have to be different for a newsletter advertising the current weekly offers of a supermarket, rather than for the newsletter of a cultural festival which only takes place every ten years.
Overall, there is no reason to assume that consent will expire at some point if it is regularly used to send an email newsletter.
2.4.9 Revocation of consent
The consent can be revoked at any time, and this right to revoke at any time must also be clearly indicated when the consent is collected (Art. 7(3) GDPR).
The revocation of consent must not be more complicated than the granting of consent. A revocation option must be regularly provided in every advertising email by means of an unsubscribe link.
Under no circumstances should processes be used that make it difficult for the user to unsubscribe, such as the so-called double opt-out procedure, in which the user receives an email after unsubscribing that asks them to confirm the “unsubscribe” again by clicking on a link.
An obligatory query of the reason for revocation is also inadmissible.
Professional management of revocations/unsubscribes in email marketing is enormously important. Numerous complaints, warnings and court cases are based on the sending of advertising emails after revocation.
Interpretation of the declaration of revocation
The interpretation of the declaration of revocation can sometimes be demanding. Does a revocation refer to one list or to all lists? Does the statement “No more advertising, please!”, which is sent back as a reply to an advertising email, only refer to email advertising or should this statement also be seen as an objection to the sending of postal advertising, for example?
In order to avoid aggravation and complaints, it is important to interpret the revocation as precisely as possible and to implement it according to the expressed intention. In case of doubt, one should always assume here a “greater degree” of revocation rather than a “lesser degree”, as the addressee’s aggravation about an advertising email sent after an (assumed) revocation will always be considerable.
When formulating the labelling of opt-out links, it must accordingly be ensured that it is clear whether the revocation declared by clicking only refers to the list level or to all advertising emails of the sender.
A complete deletion request along the lines of “I request that you delete all personal data that you have processed about me” will be considered as a revocation of all consent given (although the consent data should not be deleted in the process – see above under point 4.5.6 on retention of consent after revocation).
A mere termination of a contract, on the other hand – even the termination of a free account – will not necessarily be understood as a revocation of any consent given in parallel to the sending of advertising emails. It is quite conceivable that a user may wish to discontinue a contract but continue to receive information from the provider by email.
It is also not permissible to commit the consenting parties to a specific channel for the revocation. Even if an unsubscribe link is included in every email, revocations made by email or post must also be implemented immediately. For professional revocation management, the sending of no-reply email addresses should therefore be avoided.
Confirmation of the revocation
It is not necessary to confirm the “unsubscribe” of users by email. It is rather the case that this further email can be understood by users as unreasonable harassment, since they have just withdrawn their consent to the sending of further emails to the advertising company. Legally, such a confirmation email – as long as it is designed neutrally and free of advertising – cannot be regarded as advertising, but as a transactional message for which consent is not required. However, as explained, the courts are very generous in classifying emails as advertising and apply a very broad concept of advertising. The CSA regulations allow the sending of a confirmation email for unsubscribing (Para. 2.17 of the CSA Criteria).
2.4.10 Information obligations under data protection law
Consenting parties must be informed about the processing of data in accordance with Art. 13 of the GDPR. This information must already be provided when the data is collected. Consenting parties must be able to take note of the information before they declare their consent.
However, the data protection information does not have to be repeated every time consent is availed of – i.e., in every email sent. However, it is advisable to provide a link to the current privacy policy on the website in every promotional email in order to always ensure complete and up-to-date information on data processing.
A mostly overlooked point in the data protection information on consent to advertising emails is the retention of the documentation of consent after revocation. This information should also be provided at the time of consent.
Non-binding wording proposal for the privacy information in the context of email marketing (with co-sponsoring and without email/newsletter tracking):
“1. Email newsletter
1.1 Registration for our email newsletter
On our website, you can register to receive a newsletter by email. During registration, the data from the entry form, the IP address of the calling computer and the date and time of registration are transmitted to us. For the processing of the data, your consent is obtained during registration and reference is made to this data protection information.
In order to verify that a registration for the sending of a newsletter is made by the actual owner of an email address, we use the so-called “double opt-in” procedure. After registration of an email address, a confirmation email is sent to the registered email address. Registration for the newsletter is only completed when a confirmation link contained in the confirmation email is activated. The IP address of the calling computer and the date and time of activation of the confirmation link are also transmitted to us.
The registration for the newsletter can be terminated at any time by using the unsubscribe link contained in each newsletter or by contacting us at the above contact details.
The legal basis for the processing of data after registration for the newsletter is your expressed consent in accordance with Art. 6 (1)(a) GDPR.
We would like to point out that in the event of revocation of consent, we will retain the data relating to consent until the expiry of the statutory limitation period (pursuant to Section 195 of the German Civil Code, three calendar years after the last email newsletter was sent) in order to be able to defend ourselves legally if necessary. The duty of accountability and proof takes precedence over the duty of deletion for this period (Art. 17(3)(e) GDPR). The legal basis for this retention of consent data is Art. 6(1)(c) in conjunction with Art. 5 (1)(a)(2), Art. 7 (1) and Art. 6 (1)(f) GDPR.
1.2 Registration for email newsletters from partner companies
If you register at the same time to receive email newsletters from our partner companies, we will pass on the data you provided during registration to the aforementioned partner companies. During the transfer, we will act as a processor for our partner companies on the basis of an order processing agreement. Our partner companies will then process your data to send their respective email newsletters, acting as independent data controllers. The legal basis for the transfer of your data to the partner companies is your expressed consent in accordance with Art. 6 (1)(a) GDPR.
You can declare revocations of your consents accordingly to each of the named partner companies, whereby the objection relates accordingly only to the individual consent to the individual partner company.
1.3 Newsletter service provider
We use an external service provider as a processor for sending our newsletter on the basis of a processing agreement pursuant to Art. 28 GDPR.”
2.4.11 Summary
Consenting parties must know that they are giving consent and what they are consenting to.
Comprehensive transparency and expectation management are essential for legal compliance as well as for the success and performance of email marketing.
Consent to email advertising is only valid if the addressee has a concrete idea of what kind of advertising emails are to be sent in the future.
Email marketing will also only meet with a positive response from an addressee if it meets the respective expectations in terms of content and design.
Obtaining valuable consent is time-consuming, but revoking it is quick and effortless with a simple click.
The sender must therefore communicate openly with its addressees, not create false expectations, and immediately implement any complaints and revocations in a professional manner.
2.5 Exceptional basis: Existing customer relationship
In the area of advertising to existing customers, there is an important exceptional basis to the ironclad principle that email advertising always requires the consent of the addressee: According to Section 7 of the German Act against Unfair Competition (UWG), email advertising to existing customers may be permitted in certain circumstances as an exceptional basis, even without the express consent of the addressee. The provision on email advertising in the context of an existing customer relationship has strict formal conditions that limit its scope of application. These conditions are as follows:
- Email address received in connection with a sale
The sender must have received the email address of the addressee “in connection with the sale of goods or services” - Advertising for own similar goods or services
The email address may only be used for advertising for the sender’s “own similar goods or services” - Notice on the right to object
The addressee must be informed of his or her right to object when the email address is collected and subsequently in every advertising email - No objection
The addressee must not have objected to the sending of advertising
2.5.1 Email address received in connection with a sale
The sender must have received the email address of the addressee “in connection with the sale of goods or services”. Accordingly, the addressee must have provided the sender with his or her email address himself or herself; it is not sufficient if the sender obtained the email address from a third party – for example, within the framework of a joint CRM system of several affiliated companies in a group, from an address trader, or by researching generally accessible data on the Internet, such as in social media.
Concluded sales transaction
A disputed question concerns whether the sales transaction must actually have been concluded in order to be allowed to use the email address for email advertising. This question becomes relevant, for example, in the case of enquiries from interested parties and in the case of so-called “drop-out shoppers” in the online shop, who place goods in the shopping cart during the ordering process and enter their email address, but then drop out of the ordering process.
In such cases, has the legal requirement “in connection with the sale” already been met or must a contract actually be concluded?
On the one hand, an addressee who has given his or her email address as part of an ordering process and has been informed that he or she will receive email advertising in the future if he or she does not object has no more need of protection than an addressee who has then finally concluded the sales process. In both instances, a certain interest was shown in the respective sales item, while the intention of future advertising use and the right to object were transparently pointed out. This is also the opinion adopted in many European countries.
In Germany, on the other hand, the prevailing opinion, with reference to the exceptional nature of the norm and the resulting narrow interpretation, stipulates the need for a concluded sales transaction. The Higher Regional Court of Düsseldorf (OLG Düsseldorf), for example, clearly rules:
“According to its wording, the provision only applies if the trader has received the address in connection with the sale of goods or services. In this context, the sale is to be understood as the actual conclusion of the contract. It is not sufficient that the ‘customer’ has obtained information about the advertiser’s offer, but then has not opted for the offer […]”.
(OLG Düsseldorf, judgement of 5.4.2018, file no. I-20 U 155/16)
Accordingly, at least under German law, it must be assumed that a concluded sale transaction is necessary in order to be able to guarantee the greatest possible legal certainty.
Return for payment of the sale
Another disputed question is whether the “sale” of the goods or services must be in return for payment or whether a contract without monetary consideration can also satisfy the requirements of Section 7 (3) of the German Act against Unfair Competition (UWG).
The Higher Regional Court of Munich (OLG München) dealt with this question in detail (judgement of 15 February 2018, file no. 29 U 2799/17). The specific case concerned a free registration for a basic membership on a dating platform. The free-of-charge registration offered the member the advantage of being able to see photos of other members. Following the free-of-charge registration, email advertisements for a paid premium membership were sent without the member’s expressed consent and with reference to the existing exceptional basis for customers.
The decisive question here was whether the free registration could be seen as a “sale of goods or services” within the meaning of Section 7 (3) of the German Unfair Competition Act (UWG). The Higher Regional Court of Munich (OLG München) answered in the affirmative and stated that a “sale” within the meaning of Section 7 (3) UWG was not only to be understood as the classic contract of a sale in return for payment, but that any form of exchange contract should meet the requirements of the norm. In the case under discussion, the member’s performance as part of the exchange relationship was seen to involve the member providing the platform operator with his or her data and enabling the platform operator to count him or her as a member and to thereby increase the number of members, which was highly relevant for marketing purposes. The platform operator’s service in return was to provide the registered member with additional functionalities (display of photos).
The Higher Regional Court of Munich (OLG München) therefore ruled that a “sale” within the meaning of Section 7 (3) UWG did not necessarily have to be of a paid nature, but that a “non-monetary” exchange in the sense of “payment with data” could also be permissible. What was decisive was that there was an exchange of services of some kind.
In contrast, the CSA explicitly requires a “contract in return for payment” in its regulations for invoking the exceptional basis for customers (see Section 2.3 of the CSA Criteria). As is the case with other courts and legal publications, the CSA does not deem the ruling of OLG München to be an exchange contract for consideration. Exchange contracts are intended for the exchange of mutual performance. Each contracting party agrees to perform in return for the other party’s performance, and the performance is in return for payment for that of the other party. The free-of-charge registered user who registers with a dating site does not pursue the goals of making his or her data available to the operator, increasing the number of members of the portal and/or receiving advertising messages by registering, but is interested in the photos of other members and the establishment of contact by one of the users registered for a fee – usually, the search for a partner will be the only reason for registering with a dating site.
Similar goods or services
In the context of advertising, the sender may only send commercial emails in which goods or services are advertised that are “similar” to those already purchased in an existing customer relationship.
The required similarity between the purchased goods or services and the goods or services that may subsequently be advertised is determined from the customer’s perspective. Based on the previous purchase, the advertiser must pose the question of what other similar goods or services the customer might be likely to have an interest in.
Case law is very strict and restrictive in assessing which goods or services are to be considered as “similar”. According to the case law, the decisive factor for similarity is whether the advertised goods or services serve the similar typical purpose or need of the customer as the goods or services already purchased. If both goods and services serve the same typical purpose, similarity is deemed to exist.
To cite just one example: If a customer orders French red wine, he or she will probably also be interested in wines from Austria or other countries – advertising for such wines would accordingly be considered advertising for “similar” goods.
Information on accessories to the originally purchased goods is also regularly considered compatible with the exceptional basis – in the case of the purchase of French red wine, for example, advertising for corkscrews will accordingly be considered to be permissible.
In the above-mentioned judgement of the Higher Regional Court of Munich (OLG München) (file no. 15.02.2018, ref. 29 U 2799/17) on advertising for premium accounts, the court also found that advertising for a paid premium account after registration for a free basic account constitutes advertising for a “similar” service within the meaning of Section 7 (3) UWG.
On the other hand, following on from a purchase, if a voucher is sent which can be used for the entire range of products of an online shop with a wide range of products, this is not an advertisement for “similar” goods, according to the Regional Court of Frankfurt (LG Frankfurt/Main) (judgement of 22.03.2018, file no. 2-03 O 372/17).
In the case of email advertising within the context of an existing customer relationship, it is therefore necessary to pay close attention to which goods and services are being advertised. A blanket inclusion of all existing customer data in the general newsletter distribution list is not possible on the basis of the exception regulation – unless the provider is a very specialised online shop with a very narrowly defined range of “similar” goods.
Own goods or services
The advertising to existing customers must also be advertising for the sender’s “own” goods or services.
The sender may not advertise goods or services of third parties by invoking the exceptional basis for customers.
For example, this requirement makes it difficult for trading platforms that also sell goods from third-party suppliers to have recourse to Section 7 (3) UWG.
Advertising for products of affiliated group companies is also not possible on the existing exceptional basis for customers. Care must be taken to ensure that only the legal entity that is also the addressee’s contractual partner may use the email address for advertising purposes.
Disclosure of the email address to third parties for their email advertising is also ruled out under the conditions of Section 7 (3) UWG.
2.5.2 Notice on the right to object
When collecting the email address in connection with the sale of a good or service and each time it is used – i.e., in each advertising email – the sender must in both instances inform the customer that he or she may object to the further sending of email advertisements at any time.
The notice on the right to object must be made “clearly and unambiguously”, meaning that it cannot be “hidden” within the data protection information, for example, but must be made directly in the context of the collection of the email address – i.e., the notice must be clearly visible in the immediate vicinity of the input field for the email address.
The notice on the right to object must also be made directly at the time when the email address is collected, meaning at the moment when the customer provides the advertiser with his or her email address. A subsequent notice on the right to object does not suffice. This requirement also generally prevents the subsequent use of the existing exceptional basis for existing customers’ databases for which no objection notice was given when the data was collected.
There is a disputed formal notice in this context:
The wording of the UWG law sets out that the customer “is advised that he or she can object to such use at any time without costs arising by virtue thereof, other than the transmission costs in accordance with the basic rates”.
In this context, the question is under debate as to whether it is actually necessary, due to the wording of the law, to indicate with every notice on the right to object that the objection can be made “without costs arising by virtue thereof, other than the transmission costs in accordance with the basic rates”.
In the previously referred to judgement of the Higher Regional Court of Munich (OLG München) (judgement of 15.02.2018, file no. 29 U 2799/17), the court allows the following simple notice to suffice: “To no longer receive this mail, click here”. An explicit notice on the “transmission costs in accordance with the basic rates” is thus not necessary, at least according to OLG München.
It is also generally asserted in legal publications that the wording is to be understood in such a manner that no higher costs than those costs in accordance with the basic rates may actually arise for the transmission of the objection. Thus, for example, no expensive “0900 profit-making call number” may be provided for the objection. However, an explicit notice with the wording contained in the law on the “transmission costs in accordance with the basic rates” is not necessary (for example, according to Köhler/Bornkamm/Feddersen/Köhler, 40th ed. 2022, UWG Section 7 para. 207).
In contrast, it is argued that the wording of the law is unambiguous and that the reference to the “transmission costs in accordance with the basic rates” is mandatory.
The CSA also considers the notice of the “transmission costs in accordance with the basic rates” to be mandatory.
2.5.3 No objection
When sending email advertising on the basis of the existing exceptional basis for customers, the addressee must not have objected to the mailing.
What sounds like a matter of course often causes problems in practice. As with the revocation of consent, the objection declaration must also be interpreted on a case-by-case basis and implemented according to the expressed will of the objecting party.
Cancellation and returns
A simple cancellation of a contract, even the cancellation of a free account, will not necessarily be seen as an objection to further promotional use of the email.
Even the revocation of a purchase by means of a return will not necessarily lead to the data no longer being able to be used on the basis of the existing exceptional basis for customers. As was the case in the discussion about whether the sales transaction must actually be completed, it can also be argued here that the revoking purchaser has shown interest in the respective sales item and has been transparently informed of the future advertising use and the right to object. A special need for protection does not exist here, even after the revocation of a sales contract.
Request for deletion
On the other hand, a complete deletion request in terms of “I request that you delete all of my personal data that you have processed” will also be considered as an objection to further promotional use of the data, even if the data does not have to be deleted or may not be deleted immediately due to legal retention periods.
Revocation and objection
When revoking consent, the question often arises whether the revocation also includes an objection to the use of the email address for email advertising in the context of an existing customer relationship. It must be determined here whether the user is only concerned about revoking his or her consent for the general newsletter, but still wants to receive specific interest-based advertising for “own similar goods or services”, or whether he or she generally does not want to receive any more advertising from the company at all.
If only one consent is explicitly revoked, it may at least be legally justifiable to continue to send email advertising on the basis of the existing customer exception. If, on the other hand, it is expressly stated that no further advertising is desired, it must be assumed that any consent given is revoked and that the further use of email advertising is objected to on the basis of the existing exceptional basis for customers.
In case of doubt, one should always assume an “increase” in objection rather than a “decrease”, as the addressee’s annoyance at an advertising email sent after a (presumed) objection will always be considerably high.
2.5.4 Data protection law
Legal basis
In the case of email advertising within the scope of an existing customer relationship, the consent of the addressee is not required. The legal basis for sending promotional emails in the context of an existing customer relationship results directly from the so-called ePrivacy Directive (Data Protection Directive for Electronic Communications 2002/58/EC), which has priority over the GDPR and its national transpositions. Art. 13 (2) of the ePrivacy Directive regulates email advertising in the context of an existing customer relationship and has been transposed into German law by Section 7 of the German Act against Unfair Competition (UWG).
In addition, Recital 47 of the GDPR states that data processing for the purpose of direct marketing may be carried out as a legitimate interest of the advertiser.
The decisive point is that the legal requirements of Section 7 (3) UWG must also be met from the perspective of data protection law. The sending of an advertising email that breaches competition law cannot be justified under data protection law on the basis of the sender’s legitimate interest.
Email tracking
The exception-based regulation for email advertising within the scope of an existing customer relationship refers exclusively to the sending of advertising emails. Email tracking (opening or click tracking) is not covered by this and regularly requires the consent of the addressee.
It may therefore make sense to set up a separate mailing list with existing customers on an opt-out basis without tracking pixels.
Data protection information obligations
Pursuant to Art. 13 GDPR, the consenting party must be informed about the processing of his or her data. This also applies to the processing of data in the context of email advertising within an existing customer relationship.
2.5.5 Summary
The legislator allows email advertising to be sent to existing customers without the need for consent; however, as explained above, the legislator has set strict conditions for the existing exceptional basis for customers.
The sender of advertising emails must carefully check the fulfilment of these conditions in order to ensure that, especially in the absence of consent, the email marketing can be carried out in a legally secure manner on the basis of this exception.
2.6 Sample wording for the opt-out notice
In practice, traders have to observe various requirements within the framework of advertising and sales measures. Especially in the online sphere, there are a number of requirements that traders must keep in mind, even for existing customers. Am I allowed to send my customers an advertising email without consent, and what do I have to pay attention to in the wording? Below you will find both negative and positive examples; these spell out how opt-out notices should not be formulated, followed by how they can be instead formulated in a compliant manner.
It is important that the notice on the right to object is
- clearly and concisely formulated in terms of content and
- is accompanied by an explanation of how the objection can be stated
In addition, the notice must be
- positioned before the declaration of consent
- clearly visible
so that customers do not have to search through the text with a magnifying glass. If these basic conditions are not met, the privilege will be lost, and advertising will be prohibited.
Worst practice/Negative examples
“If you do not wish to receive further information from us on similar products/services, then simply call our hotline on 0180 00000 (€0.30/min.) and let us know your concerns.”
Customers must not incur any costs for exercising their right to object, as otherwise there is a possibility that they will refrain from unsubscribing because they would rather accept the advertising than pay money to unsubscribe. Moreover, it must always be possible to unsubscribe in a way that is as simple as subscribing – for example, without specifying login data such as a user name and password.
“You can send us an email if you do not want to receive any further information on similar product/service offerings.”
In such an instance, customers would have to find the email address themselves in order for the declaration of revocation to be delivered. If customers do not want to invest this amount of time, they may decide not to exercise their right to object, even though they do not actually want any further information.
“You may revoke consent at any time by clicking on the unsubscribe link included in each email.”
As formulated in this example, offering customers the right to unsubscribe by clicking on a link in the related emails is fundamentally good and correct. However, it is not warranted that the customer can unsubscribe at any time, especially before they have received the first email. Therefore, another option should be made available at all times – for example, by specifying an email address to which customers can send their concerns.
Best practice/Positive example
“Dear customer,
We are pleased that we have already been able to satisfy you with the product/service. To ensure that you do not miss out on anything in the future for products/services from the sample area, we will keep you regularly informed via the email address you have provided.
Please note! If you are not interested in receiving further information or if you lose interest in the future, you can notify us in this regard at any time via email to object@abc or by calling 12345678 free of charge. Alternatively, you can also click on the link below:
‘I do not want any further information’, which you will also find at the end of every email from us. We will then immediately comply with your wish not to receive any further information.”
Based on this approach, customers have various options under which they can declare their revocation without having to spend additional time or money.
Summary
A notice on withdrawal of consent is legally compliant if customers are clearly informed of their right to revoke before consenting to advertising and can easily stop the receipt of advertising without any extra effort.