Designing newsletter tracking in compliance with data protection laws and avoiding warnings

The open rate indicates whether a newsletter e-mail was opened. For this purpose, a “web beacon” containing an individual recipient ID is integrated into the e-mail. If the e-mail is opened, the sender’s server receives an automatic message. The click-through rate, on the other hand, indicates which links the recipient clicks on. After clicking on a link, the user is first redirected unnoticed to the provider’s server and from there to the actual link destination. This is made possible by interposed tracking links. The data obtained by measuring open and click-through rates can then be used to create individual profiles, which advertisers can use to assess the effectiveness of their e-mail marketing and align their offers accordingly.

However, the above-mentioned procedure usually requires the consent of the recipients. On a legal level, the TTDSG, which is intended to protect users from access to their devices, applies to the tracking measures, and the GDPR, which regulates the processing of personal data, applies to the profiling.

For tracking measures (open and click-through rates), the consent requirement is derived from Section 25(1) TTDSG. This provision lays down a consent requirement for storing and reading out information on the user’s end device. The broad wording of the provision also covers the aforementioned tracking measures, since web beacons and tracking links are information that is stored on the end device along with the e-mail. In addition, transmitting recipient identifiers, or the information that an e-mail has been opened, constitutes a reading of this information.

The applicability of the exception to the consent requirement pursuant to Section 25(2)(2) TTDSG, which is sometimes discussed for these cases, should certainly be viewed critically. Under this exception, consent is not required if the addressee has expressly requested the e-mails received and, in addition, the measurement of the open and click-through rates is absolutely necessary for this. An explicit request can be assumed if the measurement is to be regarded as a component of other services and therefore had to be expected. However, since users often do not even know that tracking measures are being carried out, this seems just as questionable as the absolute necessity.

If profiles are formed from the data obtained, consent is usually required for this in accordance with Art. 6(1)(1)(a) GDPR. E-mail addresses regularly enable identification of the data subject, either directly via name components or indirectly via the provider or employer, and thus constitute personal data. In (rare) exceptional cases, especially in the area of personalized newsletters, profiling could be based on Art. 6(1)(1)(b) GDPR (necessary for purposes of contract performance) or Art. 6(1)(1)(f) GDPR (legitimate interest of the sender), whereby in the latter case the interest of the addressee in the protection of their data must not prevail. As a consequence, consent would not be required here. Since information about profiling must nevertheless be explicitly provided in advance, there is no real relief here compared to consent, at least with regard to the information requirements.
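The web beacon and interposed tracking links described in the first paragraph, switched on only when consent is recorded and paired with a pre-send check for embedded recipient IDs, as an added example that is not part of the original article. The tracking host `track.example.com`, the `rid` and `to` parameters, the function names and the sample body are assumptions made for illustration.

```python
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlparse

TRACKER_HOST = "track.example.com"  # assumed tracking host (placeholder)
HREF_RE = re.compile(r'href="(https?://[^"]+)"')
URL_ATTR_RE = re.compile(r'(?:href|src)="([^"]+)"')

# Constructed sample newsletter body, not taken from a real mailing.
BODY = '<p>Spring offers: <a href="https://shop.example.com/offer?id=7">view</a></p>'


def render_newsletter(body_html, recipient_id, tracking_consent):
    """Add the web beacon and tracking links only if consent is recorded."""
    if not tracking_consent:
        # No consent: direct links, no beacon, no recipient ID in the mail.
        return body_html

    def to_tracking_link(match):
        # Interposed link: tracker logs the click, then redirects to "to".
        query = urlencode({"rid": recipient_id, "to": unescape(match.group(1))})
        return 'href="https://%s/c?%s"' % (TRACKER_HOST, escape(query))

    tracked = HREF_RE.sub(to_tracking_link, body_html)
    # Web beacon: 1x1 image whose URL carries the individual recipient ID.
    beacon = '<img src="https://%s/o?%s" width="1" height="1" alt="">' % (
        TRACKER_HOST, urlencode({"rid": recipient_id}))
    return tracked + beacon


def recipient_ids_in(html):
    """Pre-send check: recipient IDs found in URLs that point at the tracker."""
    found = set()
    for url in URL_ATTR_RE.findall(html):
        parts = urlparse(unescape(url))
        if parts.hostname == TRACKER_HOST:
            found.update(parse_qs(parts.query).get("rid", []))
    return found


if __name__ == "__main__":
    for consent in (False, True):
        mail = render_newsletter(BODY, "r-1001", consent)
        print(consent, sorted(recipient_ids_in(mail)))
```

Running `recipient_ids_in` over every outgoing message for a recipient without recorded consent, and refusing to send if the result is non-empty, turns the consent flag into a verifiable property of the mail itself.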

Accordingly, if you would like to obtain effective consent for the tracking measures used in your newsletter, please feel free to contact us.