Data Protection Regulation, DSGVO, GDPR, E-Privacy, ECJ and cookie banner: these terms have been on everyone's lips among marketers and website and online shop operators, at the latest since the new, now Europe-wide regulation on the handling of personal data (on the web) and the specific follow-up decisions came into force. Nevertheless, many people in these circles do not know exactly what they are talking about when they use these terms, and expressions are regularly assigned to the wrong context. This is not a problem as long as the measures required for the legally compliant operation of a website are implemented correctly.
What do DSGVO, GDPR, e-privacy, ECJ and cookie banner mean, and how are these terms related?
It is not uncommon for the GDPR, e-privacy and the cookie law to be treated as one and the same thing, and the abbreviation ECJ is also regularly used in this context. In fact, the terms refer to different matters that in practice build on each other. The European General Data Protection Regulation, often just called the Data Protection Regulation and abbreviated DSGVO (in German) or GDPR (in English), came into force on 25 May 2018. The e-privacy regulation should be seen as an extension of the guidelines agreed there and (presumably) includes a cookie law. To date, the E-Privacy Regulation has not been finalized and is thus not yet legally binding. For better understanding: the two regulations were originally supposed to come into force at the same time. Due to fierce opposition from the business community, the entry into force of e-privacy has been suspended, which gives companies a little breathing space to adjust to the changes. However, the European Court of Justice (ECJ) already handed down a ruling in autumn 2019 that defines the handling of cookies very precisely. At the heart of implementing this case law are detailed information on cookies in the website's own privacy policy and the so-called cookie banner, through which website or online shop visitors are asked to give their cookie consent.
The European Data Protection Regulation (DSGVO, GDPR)
The entry into force of the GDPR really shook up both online marketing and e-commerce. Quite a few website operators were so unsettled by the sometimes enormous penalties for non-compliance with the new regulations that they reduced their online activities to a minimum or even withdrew from the web altogether. At the same time, the regulations that now apply throughout Europe are hardly any different from the data protection regulations that already applied in Germany. In fact, even before the GDPR, the legal approach to handling personal data in Germany was much stricter than in other EU countries. The DSGVO focuses on protecting the personal data of EU citizens against improper use and processing. In addition, the regulations are intended to strengthen the right to informational self-determination. Personal data is defined as any information that can be unambiguously attributed to a specific natural person. This includes not only online data, but also handwritten personal data. However, the focus of interest is particularly often on the "wholly or partly automated processing of personal data", as occurs on the Internet. In fact, a particularly large amount of information is requested online, and this often happens without consent and completely unnoticed. Examples include the time spent on or pages viewed within a website, or the time spent on articles viewed in an online shop, all of which can be clearly assigned to a user via the respective IP address. The GDPR applies to all institutions in a business and public context, i.e. online marketers of all forms as well as stationary shops, offices and all other institutions that collect personal data in any form. Excluded are those bodies that view information for law enforcement and prosecution. In recent years, various technical grey areas as well as profit interests have led to considerable encroachments on data protection worldwide, and this also applies to Germany. The GDPR and, in the future, the e-privacy regulation are intended to put a stop to such processes.
How do I proceed "correctly" with regard to the GDPR, and what do I have to pay special attention to?
As already highlighted in the previous section, the GDPR aims in particular to ensure data protection within the European Union. In addition, the Europe-wide data protection regulation guarantees users of websites and online shops more rights, especially with regard to inspecting and managing the information held about them. Under these circumstances, you as a website operator or marketer should take the following requirements into account in your online marketing activities.
The EU GDPR stipulates in particular that those who collect information must communicate clearly and comprehensibly how this is done and how the data is stored. Accordingly, only website and online shop operators who include the relevant points in their privacy policy are compliant with the GDPR. That policy must also be as easily accessible as possible. "Hiding" these facts within nested menu structures, small print and similar arrangements is highly problematic.
Persons or companies collecting data are obliged to state the purpose of use and a contact person for the matter whenever data is requested after the page is called up. They must also state whether the collection is contractually or legally required or not. Any transfer of data to third parties and the time frame of data storage must be disclosed.
Persons whose data was collected in the course of a visit to the website or online shop have the right to have the corresponding information corrected or, if necessary, deleted. The removal of stored data can be initiated at any time with an objection on the basis of specific legal grounds. The operator of the Internet presence is only obliged to comply if the legal basis applies, but as a rule a request for data deletion is granted without much examination. Information must always be removed if it is no longer required or has been unlawfully collected or processed.
In order to comply with the GDPR, it is important to request as little data as possible, and only the data that is really needed for the business purpose at hand. For example, when communicating electronically via a contact form, avoid requesting information that is insignificant in the respective context. In addition, you should always attach a consent to data collection to such a form, for example in the form of a checkbox with a reference to the data protection regulation and your privacy policy.
E-Privacy means the Regulation on Privacy and Electronic Communications. So far, these regulations are not in force, but specific focal points are already emerging. The GDPR regulates the general handling of personal information, whereas e-privacy, as the long form of the name already makes clear, mainly refers to electronic communications in the form of internet presences as well as telecommunications, and to the data collected there. It supplements the GDPR and specifies corresponding rules for digital practice. Accordingly, e-privacy primarily concerns website and online shop operators. Very centrally, and consequently often mentioned in the same breath as this GDPR extension, the e-privacy regulation governs the tracking of user activities on websites of all kinds via cookies. Cookie banners and their correct use therefore play an important role here. The aim of the E-Privacy Regulation is once again to protect EU citizens from data misuse in all its forms, but here specifically with regard to the provision and use of electronic communication. Both the direct content of the communication and its metadata are taken into account.
What is the "right" way to proceed with regard to e-privacy, and what do I have to pay particular attention to?
Currently (as of April 2020), the e-privacy regulation is in the European legislative process and is therefore not yet effective. It is expected to apply in 2021 at the earliest. Implementation and legal validity should then follow promptly once a final version is available; a long lead time before entry into force, as was the case with the GDPR, is not expected here. Precise tips on how to deal with it can, of course, only be given once the corresponding rules have been adopted. In the meantime, the DSGVO requirements described above already apply, and they will continue to apply even after the e-privacy regulation comes into force. Beyond that, the points listed below are likely to be particularly relevant.
The prohibition of tying is already part of the data protection regulation, but it is likely to become particularly relevant with regard to e-privacy. Accordingly, it should be impermissible to make access to certain content dependent on consent to data collection. How the prohibition of tying is ultimately interpreted will be highly interesting, among other things, with regard to generating leads with the help of gated content.
In the future, e-privacy will probably treat direct marketing to private individuals as "unsolicited communication" and thus as not compliant with the GDPR. This will also apply if the user has previously purchased a product or service from the advertising company. Even now, it should always be possible to object to such advertising simply and clearly.
Presumably, providers of e-commerce solutions, apps and other web- or data-centric software will have to revise their privacy settings when e-privacy comes into force and grant users maximum say over data collection. In general, access from the outside must be technically excluded. It is not yet possible to predict how these requirements and the other points mentioned here will be implemented in practice.
The European Court of Justice (ECJ) judgment of 1 October 2019
On 1 October 2019, the European Court of Justice (ECJ) handed down a ruling with far-reaching consequences. It resulted from a lawsuit filed by the Federation of German Consumer Organisations (vzbv) against a company that collected user information for third-party advertising purposes in the context of sweepstakes. This precedent means that the handling of cookies, cookie banners, cookie pop-ups and cookie consent in general is already very precisely regulated now, before e-privacy actually enters into force. From now on, active consent to the collection of data via cookies (within a cookie banner) must be given unambiguously for the specific case.
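How this requirement translates into page logic, as an added example written for this article (it is neither the agency's code nor taken from the ECJ ruling): a small consent gate that loads no non-essential tracker until the visitor has actively opted in per category, treats anything other than an explicit true as refusal (so a pre-ticked or default state grants nothing), and lets consent be withdrawn as easily as it was given. The class and function names, the storage key and the two categories are assumptions; the storage and the tracker loaders are injected so the logic also runs outside a browser, where `window.localStorage` and a script-injecting function would take their place.

```javascript
// Added example, not the agency's or the ECJ's code. CONSENT_KEY, the category
// names and all function names are assumptions chosen for this illustration.
const CONSENT_KEY = 'cookie_consent_v1';        // assumed storage key
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories (assumed)

// storage: anything with getItem/setItem/removeItem (window.localStorage in a browser).
// loaders: map from category to the function that injects that category's tracker.
class ConsentManager {
  constructor(storage, loaders, now = () => Date.now()) {
    this.storage = storage;
    this.loaders = loaders;
    this.now = now;
    this.loaded = new Set(); // categories whose tracker is already on the page
  }

  // Default is "nothing granted": implied or pre-ticked consent is not active consent.
  defaultChoices() {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = false;
    return choices;
  }

  // Stored record, or null when missing or malformed (malformed counts as no consent).
  read() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (typeof raw !== 'string') return null;
    try {
      const rec = JSON.parse(raw);
      if (!rec || typeof rec !== 'object' || !rec.choices || typeof rec.choices !== 'object') return null;
      return rec;
    } catch (e) {
      return null;
    }
  }

  // Called only from an explicit user action (a button in the banner).
  // Only a literal true grants a category; any other value is treated as refusal.
  record(rawChoices) {
    const choices = this.defaultChoices();
    for (const c of CATEGORIES) choices[c] = rawChoices[c] === true;
    const rec = { choices, timestamp: this.now() }; // timestamp documents when consent was given
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    this.apply();
    return rec;
  }

  // Withdrawal: drop the record so nothing non-essential loads on the next visit.
  withdraw() {
    this.storage.removeItem(CONSENT_KEY);
    return this.defaultChoices();
  }

  allowed(category) {
    const rec = this.read();
    return rec !== null && rec.choices[category] === true;
  }

  // Loads each consented tracker that is not on the page yet; returns what was loaded now.
  apply() {
    const loadedNow = [];
    for (const c of CATEGORIES) {
      if (this.allowed(c) && !this.loaded.has(c) && typeof this.loaders[c] === 'function') {
        this.loaders[c]();
        this.loaded.add(c);
        loadedNow.push(c);
      }
    }
    return loadedNow;
  }

  // The banner is shown whenever no valid decision is on record.
  bannerRequired() {
    return this.read() === null;
  }
}

// In-memory stand-in for localStorage, constructed so the example runs without a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// One visit: banner shown, nothing loads, visitor opts in to analytics only, then withdraws.
function demo() {
  const log = [];
  const cm = new ConsentManager(
    memoryStorage(),
    { analytics: () => log.push('analytics loaded'), marketing: () => log.push('marketing loaded') },
    () => 1700000000000 // fixed clock (constructed)
  );
  const out = {};
  out.bannerFirst = cm.bannerRequired();                              // true: no decision yet
  out.loadedBeforeConsent = cm.apply();                               // []: nothing without consent
  out.afterChoice = cm.record({ analytics: true, marketing: 'yes' }); // 'yes' is not an explicit true
  out.bannerAfter = cm.bannerRequired();                              // false
  out.log = log.slice();                                              // ['analytics loaded']
  out.afterWithdraw = cm.withdraw();
  out.analyticsAllowedAfterWithdraw = cm.allowed('analytics');        // false
  return out;
}
```

The essential point is in `apply()`: tracker code is injected only after `allowed()` finds a stored decision with a literal `true`, so a visitor who has not interacted with the banner, or whose stored record is missing or corrupt, is never tracked. Keeping the record's timestamp makes it possible to show when consent was given if a visitor exercises their right to information.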
Our support on the topic of web analytics and data protection:
- Support with the DSGVO-compliant application and implementation of your online media.
- Optimization of your email marketing and legally compliant newsletter distribution.
- Design and implementation of meaningful KPIs for the evaluation of your pages or applications. Individual development of dashboards that give you an overview of the relevant key figures.
- DSGVO-compliant implementation of analysis tools (Matomo / Google Analytics etc.) in your pages / applications.
Oliver Parrizas will be happy to answer any questions you may have on the subject. +49-800-911-91-91