Express Consent – When is the provision of an email address not sufficient?

A German court has ruled that merely providing an email address during an online transaction does not constitute express consent. In order to rely on an existing business relationship exemption, it is not sufficient that a similar product is included in the email. The similarity needs to relate to all products being marketed.

The judgement was made by a District Court in Berlin, when an individual complained that his personal data was used without consent. After giving his email address during an online transaction, the defendant started to send emails containing marketing messages.

The offending company claimed that the plaintive had effectively given consent to receive marketing emails when he:

  • provided his email address; and
  • agreed to the company’s “privacy policy”

(the correct term should be ‘privacy notice’ within this context. A ‘privacy policy’ is something quite different. If you don’t understand the difference, leave a comment in the box below. – Ed)

Section 7 of the Unfair Competition Law requires recipients’ prior express consent before marketing emails are sent. In this particular incident, the company’s actions did not qualify as consent, i.e.:

  1. the mere mention of an email address in the context of online order processing; or
  2. the mention of marketing purposes in the company’s Terms & Conditions and “Privacy Policy”.

How must Express Consent be sought?

According to GDPR law, express consent must be given as an expression of will:

  • that is given without coercion; and
  • with which the data subject accepts that their personal data is being processed.

This must be clearly explained separately from Terms & Conditions of the service being provided, or the online transaction. It can not be included in content containing other explanations or references.

As stated in the ICO document ‘How should we obtain, record and manage consent?‘ :

Consent requests need to be prominent, concise, easy to understand and separate from any other information such as general terms and conditions.

If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

This case demonstrates that it is not sufficient that a similar product is being marketed in the respective email. The defendant could therefore not rely on an existing business relationship to send marketing messages.

Editor’s comment: The subject of Consent in GDPR law can be complicated and is highly contextual. The GDPR Guys recommend that advice is sought from a suitably qualified GDPR expert.

Source: Providing an Email Address During the Ordering Process Does Not Constitute Consent – Dr. Martin Schirmbacher, Lawyer, HARTING Rechtsanwalte – www.absolit.de  (in German)

Leave a Reply