Monitoring newsletters through open and click rate metrics, along with the development of recipient profiles, is now a common practice among advertisers. With the implementation of GDPR and TTDSG, there are now regulations governing newsletter tracking. However, numerous practices still run afoul of legal requirements. Explore the technical underpinnings of newsletter tracking, discover potential legal pitfalls to steer clear of, and find recommended best practices in our informative article.

In today’s digital landscape, understanding the intricacies of newsletter tracking is paramount for marketers seeking effective communication with their audience. As we delve into the technical aspects, we also shed light on the legal nuances, guiding you through compliant practices to ensure your email marketing aligns seamlessly with privacy regulations. Navigating the ever-evolving landscape of newsletter tracking can be complex, but with our comprehensive insights, you’ll gain the knowledge needed to optimize your strategies and build trust with your audience while staying on the right side of the law.

E-Mail marketing remains an incredibly effective tool to reach a diverse range of customers. The measurement of open and click rates, along with the compilation of evaluation results into recipient profiles, provides valuable analytical data for advertisers. Leveraging these insights enhances the effectiveness of marketing campaigns and enables businesses to tailor their strategies for optimal engagement. In an era where data-driven decisions are crucial, understanding and utilizing the metrics derived from email marketing efforts is essential for advertisers to stay competitive and deliver targeted, impactful messaging to their audience.

Technical Foundations of Newsletter Tracking

If you’re looking to implement tracking and profiling measures, there’s a plethora of options available, ranging from click tracking to monitoring scroll behavior.

Of particular relevance under GDPR, several commonly employed tracking and profiling methods include:

Open Rates in Newsletters Open rates gauge whether an email has been opened and identify the recipient. To enable this, ‘web beacons,’ also known as tracking or counting pixels (small 1×1 pixel graphics loaded from the email sender’s server), containing recipient identifiers are embedded in the HTML code of an email.

When a recipient opens the email, the graphic is loaded from the sender’s server, allowing them to track when, if, and by whom the email was opened. This practice adheres to GDPR guidelines and provides valuable insights into recipient engagement.

Click Rates in Newsletters

The term click rates reveal the specific links clicked by email recipients.

For this measurement, the links in emails, seemingly directing to specified websites, are customized. These personalized links, inclusive of unique recipient identifiers, initially direct to the server of the newsletter sender, recording corresponding clicks.

Following this, the server automatically guides the clicking email reader to the intended website (referred to as ‘click tracking’). Importantly, the email recipient remains unaware of being redirected to the target page through a seamless redirection function, ensuring a smooth user experience.

Profile Building

Numerous email marketing platforms provide the functionality to generate and store recipient profiles, leveraging the outcomes of the aforementioned measures (open and click rates).

This profile-building feature empowers email senders to customize upcoming newsletter content according to recipient interests, effectively enhancing open and click rates on an individual basis. Conversely, if there is a lack of interest, senders can opt not to send any emails or reduce their frequency, ensuring a more targeted and engaging communication strategy.

 

Consent Requirement for Tracking and Profiling Measures

To conduct tracking and profiling measures, obtaining consent from the respective email recipient is essential.

However, it is crucial to distinguish between the legal bases for obtaining consent, which vary depending on the specific measure.

These legal foundations are found within the GDPR, governing the processing of personal data, and in the legislation addressing data protection and privacy in telecommunications and telemedia, known as TTDSG. The latter is based on the directives of the ePrivacy Directive, also known as the Cookie Directive. This directive seeks to safeguard users’ devices from unauthorized access by third parties, providing a comprehensive legal framework for data protection in electronic communications.

From the ePrivacy Directive (also known as the Cookie Directive) to the ECJ, the BGH, and the TTDSG

In 2019, the ECJ affirmed the necessity of consent for all technically unnecessary cookies, a stance endorsed by the BGH on May 28, 2020.

However, a challenge arose as existing German regulations lacked a clear mandate for cookie consent. The BGH resorted to the tactic of “interpretation in conformity with Union law” (based on the ePrivacy Directive) of § 15(3) TMG.

This interpretation aligned with Union law until December 1, 2021, when the Telecommunications and Telemedia Data Protection Act (TTDSG) took effect. Marking a historic development, this act introduces a consent requirement for technically unnecessary cookies in Germany, solidified in § 25 TTDSG. The legal obligation for cookie consent now seamlessly corresponds with the guidelines of the underlying ePrivacy Directive or Cookie Directive.

The statutory provision in the newly created § 25(1) TTDSG stipulates:

(1) The storage of information on the end device of the end-user or access to information already stored on the end device is only permissible if the end-user has consented based on clear and comprehensive information. The information to the end-user and the consent must be in accordance with Regulation (EU) 2016/679 [GDPR].

 

Newsletter tracking falls under § 25(1) TTDSG.

This German provision doesn’t explicitly mention cookies but broadly addresses storing and retrieving data on users’ devices.

Given this expansive language, emails may fall within the regulation. Web beacons and tracking links in emails constitute information (“transmission of knowledge”) stored on recipients’ devices when the newsletter is saved on a laptop or smartphone. Even if initially stored on an external server and opened in a browser, the conditions of § 25(1) TTDSG are met as tracking initiates from there.

Information is also accessed when recipient identifiers or email open status is communicated to the sender’s server via web beacons. There’s debate about measuring link clicks, akin to a “digital fingerprint,” but it’s irrelevant as link storage, including recipient identification, occurs.

Consideration arises for the exception from consent under § 25(2) No. 2 TTDSG for tracking. Consent may not be necessary if recipients explicitly desire received emails, and open and click rate measurements are essential.

An explicit desire may be assumed when promotional emails are part of other services or processes, and recipients expect them. However, the tracking measure must be absolutely necessary.

This scenario is conceivable if recipients previously consented to individualized newsletters with clear information about tracking. This provision shouldn’t be a means to bypass consent; thus, consent for individualized newsletters must detail tracking measures, similar to tracking consent requirements.

Generally, recipients are interested in emails, not measurements. Crucially, the necessity of measurements must be evident from recipients’ perspectives.

Under current legal circumstances, courts may unlikely affirm recipients’ knowledge, as they often remain unaware of conducted tracking measures.

 

Consent Requirement for Profiling Measures

Device-independent profiling measures fall outside the scope of the TTDSG. Profiling, extending beyond storing and accessing information on devices, is subject to evaluation, particularly regarding the processing of personal data, as per the General Data Protection Regulation (GDPR).

Processing personal data is a prerequisite for the GDPR to apply. Email addresses often enable identification, either directly through name components or indirectly through providers or employers, rendering recipient identifiers and generated profiles ultimately classified as personal.

Profiling measures require explicit consent under the GDPR, aligning with the stipulations of Art. 6(1) sentence 1 lit. a GDPR.

While alternative legal bases (beyond consent) could be contemplated, their applicability, akin to tracking measures, is likely limited to exceptional cases. On one hand, Art. 6(1) sentence 1 lit. b GDPR may be relevant, suggesting that consent is unnecessary if profiling is strictly indispensable to fulfill a contract. However, such instances are challenging to envision.

On the other hand, Art. 6(1) sentence 1 lit. f GDPR might be invoked if the sender has a legitimate interest in conducting profiling measures. It’s essential to note that the conflicting interests of email recipients in safeguarding their data should not override this, weighing whether they reasonably anticipated these measures.

Exceptional cases may be conceivable, such as with personalized newsletters, but contingent on providing clear and explicit information that profiling measures are undertaken for newsletter delivery.

 

Requirements for (Obtaining) Consent

The requirements for obtaining consent, in both cases, i.e., concerning tracking as well as profiling measures, are derived from the General Data Protection Regulation (GDPR). In this regard, Art. 4 No. 11 and Art. 7 GDPR specifically regulate the detailed conditions for data protection-related consents.

According to these provisions, consent is understood as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her for a specific purpose.” Essential content elements of the consent text include the identification of the data controller and processing purposes, a notice of the revocability of the consent, as well as descriptions of the technical processes and functionalities of the measures. The details can be described in a privacy policy, so only a reference to it is necessary in the consent text.

It is also advisable to provide information about the shipping service providers and the duration of processing in the privacy policy. Although providing a separate, unprechecked checkbox is a simple way to obtain consent for the measures, it is not a mandatory requirement. Our advice: Combine consent for tracking and profiling measures with other declarations, such as consent for newsletter subscription.

The only requirement is that email recipients clearly know that their given consent also includes tracking and profiling measures. This requires a clear and explicit notice, which should be placed, for example, in close proximity to the submit button. It’s important to note that consent to tracking measures does not imply consent to profiling measures. Both measures must be explicitly mentioned for consent to extend to both tracking and profiling measures.

 

Promotional Communication with Existing Customers

In addition to the previously discussed avenue of sending promotional emails with explicit consent, there exists the opportunity for established customers to receive such communications without explicit consent as per § 7(3) UWG, albeit confined to products or services akin to those previously purchased.

In this scenario, it is vital that customers were apprised during the ordering process of the potential receipt of promotional emails. Furthermore, clear information on the right to object should be provided.

However, exercise caution: The privilege for existing customers, allowing the dispatch of newsletters for similar products, does not extend to tracking open and click rates or profiling measures. Separate consent remains obligatory for these tracking and profiling measures.

To secure consent, it is feasible to request it during the ordering process (checkout). Yet, careful consideration of the “coupling prohibition” from Art. 7(4) GDPR is essential. This prohibition dictates that the act of granting consent must not be a prerequisite for concluding a contract unless it is strictly indispensable for the contract.

Hence, refrain from tethering consent acquisition for tracking and profiling measures to the completion of the ordering process. Otherwise, consent obtained in this manner may be deemed involuntary under the law.

We strongly discourage post-contractual outreach (via email) for the purpose of obtaining consent for tracking and profiling measures, as such communication itself necessitates consent.

In the event that an existing customer withholds consent, newsletters for similar products can still be dispatched under the existing customer privilege. However, these newsletters should abstain from employing technologies for measuring open and click rates.

 

Deletion of Previously Established Profiles

When profiles have been generated for recipients of promotional emails without obtaining the necessary consent, it is advisable to delete these profiles.

However, the process of deletion may pose challenges, as certain newsletter senders may not allow it. In such instances, an alternative approach involves exporting the addresses, deleting all addresses, along with their associated profiles, from the platform, and subsequently re-uploading the addresses. This method ensures compliance with consent regulations while navigating the constraints imposed by certain newsletter platforms.

 

Proof Obligation Regarding Obtained Consents

Key Point: The sender of emails with promotional content must prove that the recipient has given consent!

When establishing consent, it is imperative to choose the most secure verification method. This involves exclusively obtaining consent through the “Double-Opt-In” process:

Once the prospect has enrolled in your mailing list, you must subsequently dispatch an initial email soliciting confirmation of their subscription to email advertising, sent to the provided email contact address (the “Confirmation Email”).

(Logging consent in log files for evidentiary purposes in the context of a Double-Opt-In process is obligatory.)

Caution: The confirmation emails themselves must refrain from containing any advertising content (such as product offers, event announcements, special deals, links to Facebook, etc.). This restriction applies because such advertising can only be dispatched to the individual if they have previously agreed to receive promotional messages.

 

Consequences of Ignoring the Consent Requirement

Disregarding the consent requirement can lead to severe consequences, with data protection authorities having the authority to impose fines under Article 83(5) of the GDPR. These fines have the potential to reach up to 4% of the previous year’s revenue or 20 million euros, whichever is higher.

In addition to financial penalties, senders also open themselves up to the risk of compensation claims under Article 82(1) of the GDPR, potentially resulting in substantial financial liabilities.

Moreover, senders must anticipate the possibility of recipients demanding the cessation of further promotional email deliveries. In such cases, the sender is obligated to cover legal costs. Issuing a legally binding cease-and-desist declaration comes with the risk of contractual penalties, ranging from 500 to 5,000 euros for first-time offenses, in case of non-compliance.

 

Conclusion

For those seeking to gauge the effectiveness of their newsletters through open and click rates, coupled with the desire to implement profiling measures, securing the consent of individuals is paramount to sidestep potentially costly repercussions.

Individuals receiving promotional emails need unequivocal awareness of newsletter tracking procedures at the time of subscription. While a standalone checkbox isn’t obligatory, a distinct and lucid notification within the consent declaration becomes imperative.

The necessity for obtaining consent for tracking and profiling measures extends to existing customers, despite the privilege granted for newsletter dispatch under § 7(3) UWG.

Moreover, newsletter senders must rigorously adhere to the obligation of providing adequate proof for the obtained consents. This meticulous approach is vital to navigate the intricate landscape of data protection regulations successfully.