GDPR & Online Marketing – Tips about the General Data Protection Regulation

With the General Data Protection Regulation (EU GDPR), the strictest data protection restrictions on marketing were introduced in all European countries in 2018.

The GDPR – effective since May 25, 2018 – not only harbors a lot of uncertainty and potential risks for companies, but also some opportunities, especially with a view to (online) marketing. We’ll go into that in this post.

While the Federal Data Protection Act (BDSG) put many obstacles in the way of German companies and authorities in terms of marketing in the years before 2018, the GDPR offers more room for maneuver in some areas. Where there is light, however, shadows are also cast. Tracking of online activities in particular suffers from the GDPR. The opportunities the GDPR offers for companies' promotional activities are mostly drowned out in the great discussion about procedure directories and risk analyses. That is why we point them out and describe in this technical article what to look out for. In return, we do not mention potential fines. Everything that is written about fines is very theoretical and contributes nothing to implementing what is necessary.

GDPR – Can online marketing still operate?

Acquiring new customers, promoting products, creating personalized advertising – the GDPR should regulate all of this and much more in terms of user data protection across Europe.

In the past, the Federal Data Protection Act (BDSG) served this purpose in Germany. This law was strict. The biggest hurdle contained in the BDSG: even the use of personal data that was publicly accessible required the direct consent of the persons concerned before it could be used for marketing purposes.

The rules of the General Data Protection Regulation legitimize the use of publicly available personal data, provided that data protection is maintained.

Overall, companies are thus granted a legitimate interest in individualized advertising measures in the context of generating new customers.

The premise here is that the basic rights of the person concerned do not outweigh the legitimate economic interests of companies and do not have to conflict with them. However, companies are required to handle personal data carefully if they use it for advertising activities.

GDPR rules for handling personal data in marketing

An essential GDPR rule is the requirement for the data subject’s explicit consent in the context of data collection and processing. The “indirect” approval of such a process, for example by simply using a company website, is not compatible with the GDPR.

Rather, the General Data Protection Regulation requires a clear confirmatory action, which can be made, for example, in the form of a written declaration or announced by means of a clickable checkbox.

It should be noted, however, that the consent according to Art. 4 No. 11 GDPR must be given “voluntarily”, “in an informed manner and unambiguously”. In addition, it must relate to specific data processing. The consent must also be tied to a specific purpose.

ePrivacy Regulation – Supplement to the GDPR regulations that we have to deal with

The ePrivacy Regulation supplements the regulations of the GDPR. It concerns the handling of personal data on the World Wide Web with a view to protecting privacy.

This regulation reinforces the rights of the user:

  • Encryption should not have to be ensured by the user alone. Instead, the providers are obliged to secure the data according to the state of the art and to protect it from unauthorized access. From this passage it is concluded that websites are to be secured with HTTPS certificates!
  • Furthermore, an obligation on the part of the provider is intended to rule out any undermining of the protection of users, in order to prevent trading in backdoors. The website’s content management system must therefore always be kept up to date and protected as well as possible from hacker attacks!
  • There will be a strong transparency and documentation requirement. Providers must comply with requests to disclose government requests. The documentation obligations include keeping a procedure directory.
  • Processing without the consent of the user will no longer be possible.
  • For users who do not want to be tracked, effective tracking protection must be established.
  • All settings in software and hardware should have the data protection-friendly variant by default.

In contrast to the General Data Protection Regulation, the ePrivacy Regulation is still in political discourse. It could take until 2021 before this becomes final after a transition period.

Social Media Marketing and the GDPR

By means of so-called “social media monitoring”, companies can analyze user comments in social networks in an anonymized manner. “Social listening” also makes detailed evaluations of the specific statements and their context visible.

In online marketing, the intention is to use this data as the basis for targeted advertising. The exchange between user and company can also be optimized in this way. Since the user generally has no knowledge of the data collection involved in this procedure, his consent is not given. And that’s not how it should be!

However, if specific prerequisites exist, the legislature makes an exception: if the data is publicly available, as explained above, or if it has been published by a body that has been authorized to do so, data collection is legal (whereby a weighing of interests is also decisive here).

So the decisive factor is the privacy settings, which determine which posts are accessible to whom. The duties of social media monitoring therefore include:

  • Notification of the data subject when their data is saved for the first time and
  • the data subject’s right to information and
  • the right to delete and block the respective data at the request of the person concerned.

Due to these clear rules, all social networks adapted their general terms and conditions in 2018. Since then, users have been able to configure far more individual settings in the respective backend. They are often asked explicitly to go through these basic settings and, if necessary, make changes to them.

Many social media networks rolled out these changes worldwide. And this also applies to the ad managers of the networks.

If there are detailed questions about the advertising offers of the social media networks, then you should contact the support of the platforms. It is often worth taking a look at the network itself beforehand: Facebook provides quite detailed information about the GDPR. Instagram and WhatsApp also come from this company.

From opt-in to opt-out: what is permitted in email marketing according to the GDPR?

Unwanted advertising can quickly get on your nerves. In order to protect the consumer from this, a confirmation by the person concerned is required for a legitimate registration in an e-mail distribution list. Under the BDSG, this has long been true for newsletter marketing; the GDPR only sheds light on it once more!

While consent is not always required for existing customers in this context, it is mandatory for new customers. The double opt-in procedure is to be used, whereby the user must expressly consent to the sending of newsletters in a two-part process.
Important detail: The selectable boxes that the user ticks to give consent must not be pre-filled. The user must therefore carry out this action themselves. Every user activity, i.e. both the first click and the subsequent click in the confirmation email, must be clearly recorded and saved by the company. Information about this must be available on request.

Here, data collection should be limited to the information that is essential for the specific service. Data minimization is the keyword!

Companies should always strive for an interface that makes it easy for those affected to give consent. In addition, legal information about the opt-in must be provided. Furthermore, the option of “unsubscribing” is essential.

PS: In addition, there is also the opt-out procedure, in which consent is assumed unless an explicit objection is expressed. This form is not permitted in the context of digital marketing.

Cookies on websites – consent management systems ask for consent

Well-functioning consent management systems have been available since autumn 2019. After integrating such a solution on the website, every new user is asked how they feel about tracking: does the website visitor only want to consent to the use of essential cookies? Or is the user also okay with cookies that support marketing, enable tracking or make external media (YouTube videos or map services) visible?

We currently recommend these four consent management systems:

The four software solutions manage active consent very well. They are described as GDPR-compliant. However, the design of the query window is still being debated. Here “psychological tricks” are sometimes used to steer users toward “accept all”. It is not certain whether this will be allowed to stay that way.

The GDPR & Google Analytics as well as other (Google) tools: YouTube, Optimize, Maps, ReCaptcha

The use of the “Google Analytics” tool is considered lawful, provided certain requirements are met.

“Adequate protection” of the user when Google Analytics is used is always to be affirmed, provided that the website's data protection declaration draws the attention of those concerned to the use of Google Analytics and informs them about the underlying technical principle.

Another important point is the anonymization of the IP address when collecting data using Google Analytics. In addition, the user’s consent must be obtained when “entering the website”.

Since Google acts as a data processor for companies with its “Analytics” tool, a processor contract must also be concluded with Google. This is possible digitally. Google offers this agreement in the Google Analytics administration – just follow the corresponding dialogs that can be found in the Analytics administration under “Account” > “Account Settings”.

In addition to Google Analytics, there are numerous other online and website tools whose integration into the source code of a website leads to data transfers that are GDPR-sensitive. Here are a few less obvious examples:

  • various WordPress plug-ins (e.g. for website analyses or online forms)
  • Google Optimize, Optimizely or other A/B testing tools
  • Hotjar, Mouseflow and similar UX and user engagement tools
  • YouTube, Vimeo, Wistia and other embeddable video formats
  • Google Maps and many other map and navigation services
  • Google Fonts and other external web design tools
  • ReCaptcha from Google and other security tools
  • AddThis, Monarch, and other social sharing button services

Here, too, the following always applies: If data from your own website is transmitted to third parties so that they can provide evaluations, then these third parties act as data processors for the website operator, who remains responsible.

In such cases, the process belongs in the directory of procedures and a processor contract must be considered. In addition, consent must be asked for via the Consent Management System – many of these tools fall under the heading “Marketing” and “Tracking”.

Do I need user consent for retargeting under the GDPR?

Much of the data that is collected with Google Analytics – or the Facebook pixel – should be used in other tools for the purpose of advertising. Analytics data is sent to Google Ads via a link. Facebook pixel data is the basis for setting up “Custom Audiences”, user-defined target groups.

These data clusters are then used to set up retargeting or remarketing advertising. Data protectionists are convinced that this procedure fundamentally violates the General Data Protection Regulation. The inclusion of retargeting in the data protection declaration on the website does not change anything, according to the data protection officers.

Google and Facebook see it – of course – very differently! Numerous court disputes are under way in this regard. In the end, however, the previous retargeting procedure will probably be overturned by court decisions.