The starting point:

The sender of an email or newsletter wants to evaluate the behaviour of email recipients using tracking.

Which data is actually evaluated when measuring and analysing user behaviour?

In email marketing, in order to conduct success measurement for email campaigns, the user behaviour of the recipients is measured and analysed. The measurement and analysis serve to optimise the marketing and sales strategy of email campaigns and to better address email recipients. The measurement of openings and clicks is pixel-based, using a tracking pixel in the source text of the HTML message or individualised tags within the call-up web links. For the exact identification of the opening and its allocation to the campaign, the time and the recipients are assigned unique IDs, which can be decrypted by the sender when executing the redirect.

The success measurement can be conducted in two different ways:

1. User-based recipient behaviour and, with that, analysis of the personal opening and clicking behaviour
2. Cumulative recipient behaviour of the entire target group for the cross-recipient and anonymised analysis of openings and clicks per campaign

While the analysis of the cumulative recipient behaviour, as described under 2., occurs on the basis of anonymised data, the analysis of the personal opening and clicking behaviour (see 1.) requires the processing of personal data, in most cases involving at least the user’s email address or IP address.

Consequently, the analysis of cumulative user behaviour is not subject to the provisions of the GDPR, whereas the rules of the GDPR must be observed when analysing personal opening and clicking behaviour.

Consent or legitimate interest? What obligations follow from the applicability of the GDPR in the analysis of personal opening and clicking behaviour (personal tracking)?

Art. 6 of the GDPR is decisive for the lawful processing and use of this data. This states that processing is allowed in various constellations, i.e. under varying legal conditions.

In principle, consent under Article 6(1) a.) of the GDPR represents the most legally secure option if a sender wishes to carry out email tracking or to clean up its recipient lists.

The prerequisite here is that, before the processing, each individual user is informed in a precise manner about which data will be used and in which form they will be processed. General information in the sender’s general terms and conditions does not suffice in these circumstances.

Many senders consider it impractical to obtain consent for advertising emails and therefore refrain from this form of authentication of tracking.

In fact, it is not that complicated to obtain consent for data analysis. Within the scope of the consent for the sending of advertising emails, the sender must insert a further passage in which they provide detailed information about which user data they wish to use and in what form. Combined with an explanation which is comprehensible to the user of the purposes associated with the data processing, this can also appear advantageous to the user, leading them to give their consent. In order to avoid a blanket rejection, it is advisable to give the user the opportunity to differentiate the consent for the different types of data use, similar to the case law of the European Court of Justice and the German Federal Court of Justice, which now also require this for the use of cookies.

Many senders still choose not to seek consent, as they assume they have a legitimate interest which allows them to process the data. However, Art. 6 (1) f.) GDPR requires the balancing of the legitimate interest with the rights of the email recipient.

The automated distribution of online advertising material to selected target groups and the cleaning up of lists does serve the efficient distribution of advertising material and thus the promotion of sales. Direct advertising and list-cleansing is therefore also a legitimate interest in the eyes of the legislator in accordance with Recital 47 of the GDPR. However, this does not mean that Recital 47 of the GDPR applies across-the-board to the processing of personal user data. The interests of the recipient must also be taken into account.

Here, fundamental rights and freedoms, in particular the right to protection of personal data, must be taken into account. Other freedoms and interests of the recipients are also relevant here, such as the interest not to suffer economic disadvantages (e.g. in the case of personalised pricing). The balancing of interests is complex and always has to be done on a case-by-case basis. Blanket statements that data processing is allowed under Art. 6 (1) f.) GDPR therefore do not fulfil the legal requirements. If senders nevertheless pursue this route, the competent data protection authorities or the courts will make a ruling in the event of a dispute. As a result, the sender may face fines, claims for damages, and an associated loss of reputation.

Conclusion and recommendation:

In the case of personal tracking, obtaining the consent of the data subject in the manner described is the only legally secure route to follow. Bearing in mind the risks described, the existence of a legitimate interest cannot and should not be assumed in a generalised manner.

If a purely statistical analysis is carried out, this does not require consent or a balancing of interests under the GDPR. This analysis can therefore be carried out without any restrictions and at any time.