German data protection authorities published new guidelines in December 2013 about the collection and processing of personal data for advertising purposes. The 2013 advertising guidelines (available here in German) supplement another set of advertising guidelines published in October 2012 (available here in German). Together, the 2012 and 2013 guidelines help to clarify how German data protection law relates to advertising activities.
The 2013 guidelines cover the following three main topics:
The “list-privilege” exception. The Bundesdatenschutzgesetz (Germany’s Data Protection Act) provides an exception to the rule that consent is required before personal data is processed for advertising. Certain personal data, such as name, address and year of birth, may be used for an organisation’s own marketing purposes without prior consent as long as the data is aggregated. The 2013 guidelines provide useful information on this exception by, for example, clearly stating that e-mail addresses and telephone numbers do not qualify for this exemption, and by providing commentary on how long the information qualifies for this exception after the last time it is used to contact the person to whom the data relates (generally two years, but the 2013 guidelines state that the time period can vary based on the facts).
Consent. The 2013 guidelines confirm that leaving business cards at a trade show for the express purpose of receiving information from business contacts constitutes consent to contact the person named on the business card for advertising purposes. For the digital world, the 2013 guidelines advise a double opt-in for consent provided electronically (e.g., via e-mail or SMS). Under the 2013 guidelines, double opt-in consent means that the person providing personal data about himself or herself must: (i) affirmatively consent (e.g., by clicking a button or checking an unchecked box on a website) at the time of data collection; and (ii) confirm his/her consent after receiving a written request for confirmation of consent (e.g., a detailed e-mail requiring confirmation by clicking a link) that includes enough information to enable the person to provide informed consent.
Right to object to use of personal data for advertising purposes. The 2013 guidelines state that when a person indicates (whether in writing or otherwise) that he/she no longer wishes to be contacted for advertising purposes, the organisation holding the data should take action in accordance with such a request without “undue delay.” (The 2013 guidelines don’t specify what time period is acceptable for undue delay.) The 2013 guidelines do, however, recognise that stopping all communications immediately may not be feasible, and advises organisations to inform individuals of any time lag to avoid complaints. The 2013 guidelines also remind organisations that a statement publicising an individual’s right to object should be included on every marketing communication, not just in (often lengthy) website terms and conditions.