Email marketing has not lost its relevance even in times of the General Data Protection Regulation. But the GDPR places high demands on advertising sent via mail. The data protection supervisory authorities report on typical mistakes that continue to happen to companies and that have come to the attention of the relevant supervisory authority as data protection deficiencies.
Whether standalone emails, newsletters, transactional emails, trigger or event emails: email marketing is diverse and has a high return on investment (ROI), according to the Bundesverband Digitale Wirtschaft (BVDW). For more than 70 percent of readers, the content of a newsletter is relevant for a purchase decision.
More than half of marketers plan to increase budgets in email marketing in the future. The possibilities for individualization, measurement, and automation are considered success factors. “Email marketing remains the most important channel for customer dialog,” explains André Görmer, Chairman of the Email Focus Group at BVDW.
It is therefore important not to make any data protection mistakes with email marketing because not only customers could be annoyed, but data protection supervisory authorities are also paying particular attention to email marketing because of its high importance.
Among the large number of newsletters sent out every day, there are always mails that do not comply with the data protection requirements of the General Data Protection Regulation (GDPR). The data protection supervisory authorities regularly report on such cases.
Companies that want to use email marketing for their business model should avoid also making these mistakes, which are now presented with corresponding examples.
In one specific case, a publisher had provided free software on an online portal in return for mandatory consent to newsletter sign-up. Alternatively, the software could be purchased for a fee on the publisher’s own portal without consent to promotional use.
As the data protection supervisory authority (Bavaria) explains, registrations for a newsletter in return for a free product are only voluntary if the same product is offered on the same platform for a fee and without an obligation to register for the newsletter. Accordingly, it is not sufficient to offer this product for a fee on a completely different platform from a third-party provider.
Unfortunately, the prohibition of tying in newsletter registrations is often disregarded.
Solicitation e-mails for the evaluation of an online store
A company in Thuringia, which also operates an online store, had sent a customer an e-mail asking him to rate the online store after completing an online purchase. The purpose of this e-mail was to analyze and improve the online store.
The customer had not given any consent to this as part of his purchase transaction, as reported by the data protection supervisory authority in Thuringia. The customer concerned filed a complaint with the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI).
Important to know: The request to rate a store is an advertising measure. Therefore, the following applies: The sending of an e-mail for the purpose of requesting a rating of the online store previously used by the data subject constitutes a violation of the GDPR as long as there is no consent according to the GDPR.
After hearing the responsible company, the TLfDI issued a warning to it. At the same time, the responsible company made a technical change. The sending of such rating emails now only takes place after the explicit consent of the customer, so that a legally compliant situation has been created, as the supervisory authority explains.
Open e-mail distribution lists lead to data breach
Time and again, the Thuringian State Commissioner for Data Protection and Freedom of Information, for example, becomes aware of cases in which responsible parties send out e-mails to a large number of recipients in such a way that all e-mail addresses are visible to all recipients of the e-mail. Often this is done unknowingly in the function of the email client, according to the supervisor. The email addresses are often entered into the “To” field, which allows any recipient to see who received that email.
The fact that e-mail addresses of data subjects are visible to everyone on such open e-mail distribution lists may pose a risk to the rights and freedoms of the natural persons concerned, which is why data controllers have been advised to use the functions of e-mail clients in a manner that complies with data protection requirements, according to the supervisory authority.
Controllers must therefore ensure that personal email addresses are not disclosed to third parties without authorization. The BCC function in the e-mail can be used for this purpose.
Newsletter despite order cancellation
The data protection supervisory authority in Saxony reports that the following or similar information is frequently found on e-commerce platforms: “After entering your e-mail address, you will receive personalized offers and recommendations related to your purchase. You can object to this at any time without additional costs, for example, via the unsubscribe link at the end of each of our e-mails.”
Such information refers to the legal situation under the Unfair Competition Act (UWG), which permits advertising to (existing) customers in the case of electronic mail, but does not refer to the consent given in the ordering process.
It can also be inferred from “your purchase” that the notice is only directed at existing customers, according to the supervisory authority. Advertising is permissible in these cases, but the data subject has the option of objecting to direct advertising.
However, the situation is different in this case: advertising in the case of aborted order processes that have not led to a valid contract is not permitted. The e-mail address from the aborted order process may not be used for advertising purposes.
The question of the legal basis
Another example from Rhineland-Palatinate shows that e-mails should only ever be sent if the legal basis has been clearly and positively examined.
After the home match against Borussia Mönchengladbach on August 24, 2019, 1. FSV Mainz 05 e.V. evaluated which tickets sold were used to enter the stadium. Based on this evaluation, the club sent emails to 10,103 ticket buyers.
In the process, ticket buyers whose tickets were not used to enter the stadium received different e-mail content than ticket buyers who were assumed to be present at the match in the stadium because their ticket was used to enter the stadium.
If the ticket was used to enter the stadium, the email contained a thank you for their support at the game. If, on the other hand, the ticket was not used, regret was expressed that the ticket purchaser was not present at the game.
Neither for the evaluation of the stadium access nor for the sending of the e-mail could the club provide consent from the data subjects. The processing could also not be based on any other legal basis.
The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information issued a warning to the club on the basis of these facts at the beginning of 2020, as it had evaluated the entry behavior of 10,103 people at the home match without the consent of the data subjects, in order to subsequently send an e-mail with targeted information – depending on whether the data subject was present at the match or not – to these people.
It shows: Not only e-mail marketing should be very important to companies, but also the legal basis for sending the mail. Otherwise, the successful advertising tool can annoy customers and bring the data protection supervisory authority onto the scene.