Email Tracking and EU Privacy Laws

After three years of the General Data Protection Regulation (GDPR), it is only now becoming clear what the new EU privacy regime means for tracking activities. The following provides an overview for email service providers, advertisers, publishers, and technology vendors of the challenges and recent developments concerning email tracking and email advertising in Germany and Europe.

There are three main bodies of law that apply to marketing emails in the European regulatory landscape:

1. E-Commerce Directive 2000/31/EC

• Requires consent for email marketing
• Exemption: existing business relationship, marketing limited to same or similar goods as purchased before

2. General Data Protection Regulation (GDPR) 2016/679/EC

• Governs the processing of personal data: online IDs, IP addresses
• Requires a legal basis: consent, legitimate interests

3. ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC)

• Requires consent for accessing information on the end user device and reading information from the end user device (tracking) 
• Exemption: needed for the provision of the service 

The first one, the E-Commerce Directive, stipulates that sending marketing emails requires consent unless there is an existing business relationship. The consent must specify the senders, beneficiaries of the consent, and goods and services. Also, the partner must be named, and there is no group company privilege – so consent for the parent company does not mean that the subsidiary is also entitled to send marketing emails. Most importantly: Email marketing consent does not cover email tracking.

The GDPR applies where personal data is involved. This applies to cookie IDs, mobile advertising IDs, IP addresses, or device identifiers. The collection and processing of any such personal data requires a legal basis – such as consent, legitimate interests, or the necessity for the performance of a contract, to name the most relevant ones in this context. Transparency is also one of the very basic pillars of the GDPR, as well as accountability. Users must always know what you are doing with their data, and consent must be unambiguous, informed and freely given.

The ePrivacy Directive requires consent for accessing information on end-user devices and storing information on an end-user device: for example, cookies, MAIDs, pixels, device IDs, etc. This is also called the “cookie consent rule”. There is only one exemption to the consent requirement: If the placing of a cookie or similar tracker is strictly needed for the provision of a service requested by the end user, no consent is needed. This applies, for instance, to cookies supporting a shopping basket but not to cookies tracking the opening of a marketing email.

Therefore, in practice, we have three different consent requirements: consent to email marketing, consent to the processing of personal data, and consent to the placement of cookies/trackers. The room for legitimate interests as a legal basis for the processing of personal data has become smaller and smaller. Also, the European Court of Justice and the German Federal High Court of Justice (BGH) have both confirmed that the cookie consent does mean active consent. The checkbox cannot be pre-selected. Soft opt-ins or opt-outs are not allowed. Users must be informed about the identity of controllers, any further data recipients, and the categories of data.

Third-party leads

If an advertiser uses a third-party lead generator, it should be ensured that the lead generator is obliged to obtain all three types of consent. The email marketing consent is always required. Consent to cookies is required if cookies or similar trackers are used in emails, and consent to the processing of personal data is necessary if unique IDs or IP addresses are processed.

Customer relationship management systems 

It gets more complicated if the email tracking data is recorded in customer relationship management (CRM) systems and maybe even into real-time bidding (RTB) activities. A legal basis for the combination of data being stored is required when feeding email tracking data into CRM data. Most regulators require consent when feeding email tracking data into RTB (profile/audience building, segmentation). The recipients of the data must be identified, and the shorter the list is, the better. First-party IDs, some of which are based on email addresses, e.g. LiveRamp’s RampID, are also supposed to be covered by RTB consent.

Stephan Zimprich is a lawyer in the intellectual property and media team of Fieldfisher's Hamburg office, with six years of experience in advising clients, ranging from start-up size to multinational market leaders in the fields of copyright, media and broadcasting regulation, and data protection. The main focus of his work lies in the area of digital content distribution and data-driven business models such as targeted advertising and mobile advertising. He has a particular expertise in the online travel sector, where he advises international clients from Europe and the US in the fields of data protection, advertising, and travel regulation, as well as general commercial law, including cross-border co-operations.