How the New German Interpretation of GDPR Affects Data Tracking
By Michael Lee
Interpretation of EU Datenschutz Grundverordnung (EU-GDPR) by Federal Court of Justice in Germany (Bundesgerichtshof – BGH)
PLEASE NOTE: The information in this article is for informational purposes only. Please contact your legal team to obtain advice with respect to any particular issues or problems.
The judgment by the Federal Court of Justice in Germany in May, 2022 came with the interpretation of part of the Telemedia Act (Telemediengesetz, TMG) — namely, sec. 15 para 3, sentence 1 — which had previously been used to justify that pseudonymized email tracking technologies (which do not store email or IP addresses with the usage data) could be done without the consent of the affected person.
This recent decision states that this is not the case and that all access to data on the affected person’s device would require explicit consent. It now applies to pseudonymized tracking as well, and the decision applies to email, text messages, push tracking technologies, as well as cookies on websites.
What's more, the new Telecommunications-Telemedia Data Protection Act (Telekommunikation Telemedien Datenschutz Gesetz, TTDSG) brought new rules around the storage of information and access to this information on the user's terminal equipment. With this law, Germany has, with considerable delay, transposed the “ePrivacy Directive” (Directive 2002/58/EC as amended by Directive 2009/136/EC).
What Does This Mean?
Essentially, all types of campaign tracking that are considered profiling are only permitted with prior explicit consent of the affected person, no matter if it is personalized or pseudonymized.
For Bloomreach Engagement customers, this means the following types of campaign tracking are affected:
- campaign event with action_type email (status: clicked, opened)
- campaign event with action_type transactional_email (status: clicked, opened)
- campaign event with action_type sms/mms (status: clicked)
Browser push notifications
- campaign event with action_type browser notification (status: delivered, clicked, closed)
- campaign event with action_type mobile notification (statuses: delivered, clicked)
- banner event with type in-app message (statuses: all statuses)
These statuses can now only be tracked once prior explicit consent has been given.
Which Countries Are Affected by This Decision?
The ePrivacy Directive applies in the entire EU (as implemented by member states in their local laws). The recent decision simply clarified interpretation of a German statutory provision in light of the ePrivacy Directive. It is up to the client to decide on their approach towards risk and compliance.
How Bloomreach Can Help You Stay Compliant
Ask your CSM to enable the standalone tracking consent feature. This feature will activate the tracking consent option for in-app messages and the following scenario action nodes:
- Browser push
- Mobile push
The explicit tracking consent will be used for tracking affected events and statuses mentioned above.
The main prerequisite of using this feature is to collect prior explicit consent for tracking. Feel free to reach out to our Client Services team, who will help you set up the collection use case.
Please keep in mind that the use of this feature can influence the data within the email evaluation dashboard (open rates and click-through rates will be affected). Our Client Services team will provide a custom evaluation dashboard that will also reflect the prior explicit consent for tracking.