Accept email

Data protection for newsletters and email marketing

Sending newsletters has become a popular marketing tool. Many companies regularly send out emails to thousands of customers to notify them about their products and services. However, it is noticeable that data protection is often neglected with this form of advertising. A shockingly high number of companies regularly send out newsletters to customers for advertising purposes without ever having checked the legal situation or, for example, obtained express consent.

For precisely this reason, the sending of newsletters and e-mail marketing are among the areas with the most common violations of data protection regulations. These should not be underestimated, as there is a risk of warnings (e.g. due to a lack of consent), the defense of which in turn entails high legal fees. It is interesting that especially small companies are affected more often than average by warnings for violations of applicable data protection law.

The focus is on emails with a marketing or advertising character. An email has this character as soon as it prompts the recipient to purchase products or services. Regarding how the term “advertising” is to be understood, there is neither a clear definition nor case law. An e-mail can be assumed to be of a promotional nature if it contains product recommendations (including in the signature!) or sponsorship information.

What do you have to consider when sending newsletters from a data protection point of view?

In the past, it was perfectly normal to “collect” email addresses on a large scale and then use them for marketing purposes. The recipients' express consent was rarely obtained and the double opt-in procedure was used much less often in advertising. Because the number of advertising emails then skyrocketed, the legislature intervened. Today, the privacy of mail recipients is well protected by the law, which is why companies should create a framework for legally secure mailing.

This is especially true for sending emails addressed to consumers. The Act against Unfair Competition (UWG), the Telemedia Act (TMG) and the EU General Data Protection Regulation all provide for restrictions on the sending of newsletters and advertising to consumers. Contact via e-mail for advertising purposes may only take place if the recipient has given their consent in advance. Without prior consent (e.g. for registration in a newsletter), legally secure advertising is almost impossible.

What about advertising to existing customers?

Many companies have built a large customer base over the years. In the shopping environment in particular, it is not uncommon for numerous data records to be available, including the customer's e-mail addresses. In such a situation, the temptation is of course great to transfer these data sets to a professional platform for e-mail marketing and newsletter dispatch.

From a legal point of view, shop operators are only permitted to work with the e-mail addresses of existing customers under precisely defined conditions. Here it is important to know precisely how your own email address database was created. In other words: customers can be contacted via e-mail even if they have never completed a double opt-in. However, it should be noted in the same breath that several requirements must be met in order to be able to send promotional emails to existing customers.

First of all, it is crucial that the e-mail address was received in connection with a purchase. At the same time, the emails may only draw attention to the company's own products or services that are expressly closely related to the earlier purchase (e.g. similar products or up-selling).

In addition, the retailer has to provide understandable information on how to unsubscribe from the emails and to whom the recipient can turn with his questions. A corresponding note must also have been visible when entering the email address. If the recipient unsubscribes from the promotional emails or newsletters addressed to him by opting out, his email address must be removed from the mailing list.

All of these conditions must be met so that the sending of the newsletter without express consent can be justified.

What do opt-in and opt-out mean?

In connection with email marketing, the two terms opt-in and opt-out are often used. Both methods are of a technical nature and are basically easy to understand. They allow the recipient to give his consent and to withdraw it again.

  • Opt-in: Denotes the active consent of the data subject to the processing of their data, e.g. by ticking the box.
  • Opt-out: The opposite of opt-in; the data subject actively objects to the processing. Example: a tick that is already set is actively removed in order to withdraw the previous consent.

What is a double opt-in?

The double opt-in is a variant of the opt-in that promises significantly improved spam protection. With the classic opt-in, it is sufficient to enter the email address in a field and send it off. With the double opt-in, the actual inclusion in the newsletter / mail system can only take place after the recipient has responded to an email sent to him. This contains an activation link that he must first click. Only after the consumer has clicked on the activation link does the actual opt-in and thus the inclusion of the email address in the newsletter distribution list take place.

This system not only acts as a spam protection, but also protects the advertiser. With the click, the recipient gives their express consent to be included in the newsletter and to receive advertising from the company.

It should be noted that the double opt-in procedure is not a mandatory requirement for legally compliant email marketing. After all, the recipient can also give his express consent to receiving future mails in another way. For example, it is possible to provide contract forms with appropriate fields and clauses for consent. Even e-mail addresses from competition cards can be used in marketing, provided the cards have been designed in a legally secure manner and correctly filled out by the recipients.

What else do companies have to pay attention to?

Not only the consent of the mail recipient is relevant from a legal point of view. The following points can also be relevant for individual companies in terms of newsletter data protection.

  • Protection of data: E-mails are to be sent in such a way that none of the recipients can see what the mail addresses or names of other recipients are. This and other personal data must under no circumstances be made visible by the company.
  • Transfer of data to third countries: Most companies use professional software solutions for their email marketing. In particular, cloud services, such as Mailchimp or Cleverreach, are often used to send advertising to the respective recipient. However, the servers of some providers are located abroad. In the case of Mailchimp, the servers are in the USA and therefore in a third country. A transfer of personal data to third countries is not permitted without the consent of the person concerned. Obtaining explicit consent to be included in the newsletter at a later date is difficult because experience has shown that many of the recipients do not respond to corresponding inquiries. (However, it may also be possible to use Mailchimp or services from other US companies by making contractual agreements (e.g. based on standard contractual clauses) that guarantee an appropriate level of data protection.)
  • Purchase of records: There is a lively data trade on the Internet, including e-mail addresses for newsletter advertising. Companies buying records for promotional purposes need to be extremely careful. If the recipients have not given their consent, there may be great trouble. It is advisable to check whether the mail recipients have expressly given their consent to the disclosure of their personal data and the receipt of a newsletter.

Amount in dispute and fines

To measure the amount in dispute, the individual case is always taken into account, in particular the relationship that exists between the two parties (is there competition, or is there a relationship under private law?). In addition, the degree of disruption is taken into account: Was the recipient overwhelmed with emails, does he use his email account for work or exclusively for private purposes, was the email content marked as advertising?

In the case of professional or business use, an amount in dispute of 10,000 euros can be applied. If the recipient is in a competitive relationship, even 30,000 euros. For private use, a main item value of 7,500 euros can be applied.

What can an external data protection officer do?

In numerous companies there is an urgent need for action in order to introduce legally secure data protection in newsletters and email marketing. The EU General Data Protection Regulation influences the legal situation and forces companies to take additional data protection measures.

An external data protection officer provides valuable support, for example by developing the data protection concept and overseeing its implementation in the company. Thanks to the expertise available, implementation can be carried out quickly and cost-effectively. Do you want to make your email marketing fit for data protection, and are you therefore interested in data protection advice? We look forward to your inquiry.