5. Tracking and profiling

5.1 Overview

In email marketing, the behaviour of recipients is measured and analysed to gauge the success of email campaigns. This measurement and analysis serves to optimise the marketing and sales strategy of the email campaigns and to better address the email recipients. The analyses are carried out both by determining individual opening and clicking behaviour and by evaluating the cumulative behaviour of the entire target group, i.e. a cross-recipient, anonymised analysis of opens and clicks on a campaign basis. In addition, the end devices of the users are also used for analyses.

The evaluation of all of this data requires compliance with certain legal conditions.

The legal situation in this context has changed considerably in recent years. Alongside the introduction of the General Data Protection Regulation (GDPR) in 2018, Germany adopted the Telecommunications Telemedia Data Protection Act (TTDSG), which transposed requirements from the ePrivacy Directive and took into account several supreme court rulings.

In the following paragraphs, we will start by highlighting the specific measures email marketers undertake in the context of tracking and profiling and what information they receive in the process, with this detail set out in point 2. In point 3, we then explain the currently applicable legal situation and, in point 4, we describe how these requirements are to be implemented in practice.

Finally, the sanctions that companies may face if they do not comply with these requirements are described in point 5.

5.2 How does tracking and profiling in newsletters look in concrete terms?

5.2.1 Tracking

Newsletters can be tracked for various purposes: On the one hand, it is interesting for companies to measure the open and click-through rates.

The open rate shows how many addressees have actually opened the newsletter. The click rate allows senders to track which links in the newsletter the recipients have clicked on and how often. Here, the data is evaluated both on the basis of anonymised user data and on the basis of individual data.

5.2.2 Profiling

“Profiling” is used to collect all possible information about users and to store individual profiles. In some cases, external services such as Google Analytics are integrated for this purpose. In extreme cases, the services even track scrolling and mouse movements with so-called “heat maps”. With all of these individualised methods, companies can recognise, for example, which products recipients are interested in and which they are not. This makes it possible, for instance, to target users with products that are of interest to them.

These rates are measured with various technologies – for example, with so-called web beacons or counting pixels, which are integrated into the newsletter. When the user then opens the email, a file is reloaded from the server, which enables the individual measurement. The clickable links can also be personalised.
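The markup these techniques leave in a newsletter can be checked mechanically, for example before a template is sent to a recipient list for which tracking must be switched off. The following is an added example, not code from this guide: the identifier parameter names (`rid`, `uid` and so on), the `news.example` host and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query parameter names assumed to carry a per-recipient identifier (hypothetical).
ID_PARAMS = {"rid", "uid", "recipient", "subscriber"}


class TrackingAudit(HTMLParser):
    """Collects counting pixels and personalised links found in newsletter HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            url = a.get("src") or ""
            # A counting pixel is a remote image the reader never sees:
            # 0x0 or 1x1 in size, or hidden through inline CSS.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "display:none" in style or "visibility:hidden" in style
            if url.startswith(("http://", "https://")) and (tiny or hidden):
                self.findings.append(("beacon", url))
        elif tag == "a":
            url = a.get("href") or ""
            # A personalised link carries an identifier that ties the click
            # to one recipient.
            if parse_qs(urlparse(url).query).keys() & ID_PARAMS:
                self.findings.append(("personalised_link", url))


def audit_newsletter(html):
    """Return (kind, url) findings in document order."""
    parser = TrackingAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message body.
SAMPLE = """
<p>Hello, our spring offers are here.</p>
<a href="https://news.example/offers?rid=4f2a91">Offers</a>
<a href="https://news.example/imprint">Imprint</a>
<img src="https://news.example/logo.png" width="200" height="60">
<img src="https://news.example/o.gif?rid=4f2a91" width="1" height="1">
"""

if __name__ == "__main__":
    for kind, url in audit_newsletter(SAMPLE):
        print(kind, url)
```

An empty result for a template means none of the patterns checked here were found; it does not prove the absence of other measurement techniques.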

5.2.3 Classification

While the analysis of the cumulated recipient behaviour is carried out on the basis of anonymised data, the analysis of the personal opening and clicking behaviour as well as the creation of individual user profiles requires the processing of personal data, in most cases involving at least the email address or IP address of the user.

In addition to the collection and usage of personal data, information is also stored or read on the end devices of the newsletter recipients. This is the case whenever information is permanently or temporarily written to or read from the device memory.

5.3 Current legal basis

On what legal basis can companies carry out such tracking or profiling measures? Depending on the design of the analyses, two laws come into consideration in Germany:

5.3.1 Telecommunications Telemedia Data Protection Act (TTDSG) and ePrivacy Directive

The German Telecommunications Telemedia Data Protection Act (TTDSG) transposed the ePrivacy Directive of the EU and replaced the former German Telemedia Act (TMG) in this respect on 01.12.2021. The Directive and the Act based on it generally serve to protect end devices such as PCs and smartphones from access by third parties. The protective purpose of this Act can be illustrated by this analogy: Just as a house is legally protected against unauthorised access, the “digital house” – i.e., the smartphone or PC – is protected against unauthorised access. Art. 5(3) of the Directive regulates the case at hand; namely, that information is stored on the terminal devices or that information is accessed on the terminal devices, in this respect in line with the scope of application according to Section 1(1)(7) TTDSG.

After a long back and forth between German and European institutions and courts,[1] Art. 5(3) of the ePrivacy Directive is now transposed in Section 25 of the TTDSG. When applied to newsletter tracking by means of web beacons or trackable links, this means that the storage or reading of information on or from the end devices of newsletter recipients is only permissible if the users have given their consent on the grounds of clear and comprehensive information. The declaration of consent must comply with the requirements of the GDPR and with Section 25(1)(2) TTDSG. According to the Act, consent would only not be required if the tracking was “absolutely necessary” in order for the provider to deliver a service expressly requested by the user. Since the latter is not likely to be the case with newsletter tracking, the consent of the user for any tracking measures is already required on these grounds.

[1] ECJ judgement of 01.10.2019, C-673/17 – PLANET49; BGH judgement of 28.05.2020, file no. I ZR 7/16 – Cookie consent II

5.3.2 General Data Protection Regulation (GDPR)

All aspects that take place after information has been stored or retrieved on the end devices must be dealt with in line with the GDPR – at least insofar as the information collected is personal data. According to Art. 4(1) of the GDPR, “personal data” means any information relating to an identified or identifiable natural person. As such, the IP address as well as the email address constitute personal data. This applies all the more to individualised user profiles. Anyone who processes personal data must have a legal basis for doing so. In view of the marketing purposes of tracking, the only legal basis for email tracking by the sender that can be considered a legally secure option here is consent pursuant to Art. 6(1)(1)(a) GDPR. The prerequisite then is that each individual user is informed explicitly before processing about which data will be processed for what purposes and in what form, and that the user expressly consents to such processing.

5.4 Obtaining legally valid consent

5.4.1 Legally valid consent for new subscribers

Anyone who wants to attract new interested parties to the newsletter and, in doing so, wants to access the end devices of the users as well as to process personal data must therefore ensure that a declaration of consent meets the requirements of Section 25 TTDSG and other national implementations in accordance with the requirements of Art. 5(3) ePrivacy Directive and Art. 6 (1)(1)(a)(7) GDPR.

According to the GDPR, the following conditions must be observed (those who comply with these conditions also act in accordance with the TTDSG):

  • The consent must refer to the specific tracking measures in the newsletter and their specific type of processing purposes. Newsletter recipients must therefore be sufficiently informed about the scope of the consent.
  • Consent must be freely granted. The person granting consent must have a genuine and free choice and be able to reject or withdraw consent without suffering any disadvantages. Due to the so-called “prohibition of coupling”, Art. 7(4) of the GDPR sets out that the performance of a contract may no longer be made dependent on consent to data processing for marketing purposes.
  • The consent text must be clearly formulated.
  • The text must be easily accessible.
  • Users must be clearly informed of the right to revoke consent.
  • The sending company must be able to prove consent afterwards. Therefore, the double opt-in procedure must also be observed.

According to a ruling by the ECJ[2] on the ePrivacy Directive, it is also clear that the user must take individual action and, for example, click a checkbox to confirm receipt of the newsletter, including all tracking measures. Pre-selected boxes, on the other hand, are not permitted.

The registration form must briefly state which data will be used for which purposes with which tracking and profiling measures. A notice on the right to revoke consent at any time must also be made here. If a third-party provider is involved, this is also part of the important information on the registration form. Companies can only link to their privacy policy for the details. Accordingly, it is important to include precise information about tracking and profiling in newsletters in the privacy policy.

[2] ECJ judgement of 01.10.2019, C-673/17 – PLANET49; BGH judgement of 28.05.2020, file no. I ZR 7/16 – Cookie consent II

5.4.2 Procedure for existing customers

Customers do not, however, always actively order a newsletter. Competition law[3] also allows emails to be sent for advertising purposes to existing customers without their explicit consent – see also Chapter 2.5.

However, this legal basis does not justify tracking measures. This still requires separate consent under data protection law. Companies, therefore, have the following options:

  • Obtain this consent directly during the ordering process. In this case, however, the receipt of the newsletter must actually be voluntary. The users must, therefore, actively click on a box and, alternatively, be able to order the goods without the newsletter. However, there is a risk that existing customers will not receive the newsletter.
  • Subsequently send an email to existing customers asking for their consent to receive newsletters on similar goods and services. However, there is a risk that customers will unsubscribe from the newsletter.
  • Waive the separate consent in favour of a fuller list of recipients for your newsletter. However, companies must then also dispense with any tracking of the newsletters sent to existing customers. These persons must be transferred to a separate list of recipients for whom all tracking measures are deactivated.

[3] This is in line with the requirements of Art. 13(2) of the ePrivacy Directive 2002/58/EC of the European Parliament and of the Council of 12.07.2002 and the national transpositions, which in Germany entails Section 7(3) German Act against Unfair Competition (UWG).

5.5 Consequences of disregarding the consent obligation

Companies that track newsletters should adhere to these guidelines, because in the event of a breach several consequences may apply in parallel:

  • GDPR fines by data protection authorities:
    You can be fined up to 4% of the previous year’s turnover or 20 million Euro (whichever is higher) under Art. 83(5) of the GDPR.
  • Warning letters under competition law:
    Competitors or consumer or competition associations could also issue warnings against unlawful newsletter practices.
  • Injunctive relief and compensation damages from newsletter recipients:
    Newsletter recipients can demand injunctive relief and the associated reimbursement of the lawyer’s warning fees. They may also be entitled to non-material damage compensation pursuant to Art. 82(1) of the GDPR.

5.6 Summary

Consent is almost always required for tracking and profiling, at least if the data is either personal data or if the user’s end device is accessed. Strict compliance with the legal conditions should be ensured; otherwise, there will be a risk of serious legal consequences.
