Paul Voigt, Axel von dem Bussche: the EU ePrivacy Regulation – Preliminary Guidance and Commentary 

Article 16 ePrivacy Regulation – Unsolicited and direct marketing communications

Art. 16 ePrivacy Regulation

1. Natural or legal persons shall be prohibited from using electronic communications services for the purposes of sending direct marketing communications to end-users who are natural persons unless they have given their prior consent.

2. Notwithstanding paragraph 1, where a natural or legal person obtains contact details for electronic message from end-users who are natural persons, in the context of the purchase of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these contact details for direct marketing of its own similar products or services only if such end-users are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use. The right to object shall be given at the time of collection of such end-users’ contact details and, if that end-user has not initially refused that use, each time when a natural or legal persons sends a message to that end-user for the purpose of such direct marketing.

2a. Member States may provide by law a set period of time, after the sale of the product or service occurred, within which a natural or legal person may use contact details of the end-user who is a natural person for direct marketing purposes, as provided for in paragraph.

3. Without prejudice to paragraphs 1 and 2, natural or legal persons using electronic communications services for the purposes of placing direct marketing calls shall present the calling line identification assigned to them.

3a. Member States may require natural or legal person using electronic communications services for the purposes of placing direct marketing calls to present a specific code or prefix identifying the fact that the call is a direct marketing call in addition to the obligation set out in paragraph 3. Member State requiring the use of such a specific code or prefix shall make it available for the natural or legal persons who use electronic communications services for the purposes of direct marketing calls.

4. Notwithstanding paragraph 1, Member States may provide by law that the placing of direct marketing voice-to-voice calls to end-users who are natural persons shall only be allowed in respect of end-users who are natural persons who have not expressed their objection to receiving those communications.

5. Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to direct marketing communications sent by means set forth under paragraph 1 are sufficiently protected.

6. Any natural or legal person using electronic communications services to send direct marketing communications shall, each time a direct marketing communication is sent:

(a) reveal his or its identity and use effective return addresses or numbers;

(b) inform end-users of the marketing nature of the communication and the identity and contact details of the legal or natural person on behalf of whom the direct marketing communication is sent;

(c)

(d) clearly and distinctly give the end-users who are natural persons a means to object or to withdraw their consent, free of charge, at any time, and in an easy and effective manner, to receiving further direct marketing communications, and shall provide the necessary information to this end. This means shall also be given at the time of collection of the contact details according to paragraph 2. It shall be as easy to withdraw as to give consent.

7.

Art. 16 ePrivacy Regulation

(32) In this Regulation, direct marketing communications refers to any form of advertising sent by a natural or legal person directly to one or more specific end-users using publicly available electronic communications services.

The provisions on direct marketing communications should not apply to other form of marketing or advertising that is not sent directly to any specific end-user for reception by that end-user at addresses, number or other contact details, e.g. the display of advertising on a visited website or within an information society service requested by that end-user. In addition to direct communications advertising for the offering of products and services for commercial purposes, Member States may decide that direct marketing communications may include direct marketing communications sent by political parties that contact natural persons via publicly available electronic communications services in order to promote their parties. The same applies to messages sent by other non-profit organisations to support the purposes of the organisation.

(33) Safeguards should be provided to protect end-users against direct marketing communications, which intrude into the privacy of end-users. The degree of privacy intrusion and nuisance is considered relatively similar independently of the wide range of technologies and channels used to conduct these electronic communications, whether using automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth, etc. It is therefore justified to require that consent of the end-users who are natural persons is obtained before direct marketing communications are sent to them in order to effectively protect them against the intrusion into their private life. Legal certainty and the need to ensure that the rules protecting against direct marketing communications remain future-proof justify the need to define in principle a single set of rules that do not vary according to the technology used to convey these direct marketing communications, while at the same time guaranteeing an equivalent level of protection for all citizens throughout the Union. However, it is reasonable to allow the use of contact details for electronic message within the context of an existing customer relationship for the offering of similar products or services. Such possibility should only apply to the same company that has obtained the contact details for electronic message in accordance with Regulation (EU) 2016/679.

(33a) Voice-to-voice direct marketing calls that do not involve the use of automated calling and communication systems are more costly for the sender and impose no financial costs on end-users. Member States should therefore be able to establish and or maintain national systems which allow all or certain types of voice-to-voice calls to end-users who are natural persons and who have not objected, including in the context of an existing customer relationship.

(34) When end-users who are natural persons have provided their consent to receiving direct marketing communications, they should still be able to withdraw their consent at any time in an easy manner and without any cost to them. To facilitate effective enforcement of Union rules on direct marketing communications, it is necessary to prohibit the masking of the identity and the use of false identities, false return addresses or numbers while sending direct marketing communications. Direct marketing communications should therefore be clearly recognizable as such and should indicate the identity of the legal or the natural person sending or the communication and, where applicable, on whose behalf the communication is sent and provide the necessary information for end-users who are natural persons to exercise their right to withdraw their consent to receiving further direct marketing communications, such as valid contact details (e.g. link, e-mail address) which can be easily used by end-users who are natural persons to withdraw their consent free of charge.

(35) Legal or natural persons conducting direct marketing communications through voice-to-voice calls and through calls by automating calling and communication systems should present their identity line on which the company can be called. Member States are encouraged to introduce by means of national law a specific code or prefix identifying the fact that the call is a direct marketing call to improve the tools provided for the end-users in order to protect their privacy in more efficient manner. Using a specific code or prefix should not relieve the legal or natural persons sending direct marketing call from the obligation to present their calling line identification.

Art. 16 ePrivacy Regulation protects the privacy of end-users with specific regard to interferences by direct marketing communications.[1] Besides its fundamental-rights-related justification, based on Art. 8 ECHR and Arts. 7 and 8 CFR, the provision is also of economic significance.[2] It is supposed to combat aggressive sales practices that interfere with the addressee’s freedom of choice and, thus, their economic freedom.[3] Those undertaking respective practices ignore these interests to gain a competitive advantage and, thus, willingly accept a disadvantage with respect to the time and resources of the addressee.[4] At the same time, such practices might generate an imitation effect and, thus, become an accepted practice. This would lower the threshold for non-compliance with the Regulation. Thus, Art. 16 ePrivacy Regulation also protects the general welfare.

As Recital 33a ePrivacy Regulation notes, the legislator was aware of these aspects and included them in its considerations accordingly.[5] The provision encompasses natural persons as well as, to some extent, legal persons, which might also be affected by respective practices.[6] In case of the latter, the right to personal privacy is being replaced by the protection of the commercial sphere and the privacy of business operations.[7]

Art. 16 ePrivacy Regulation uses technology-neutral wording.[8] By establishing “a single set of rules that do not vary according to the technology used”, the provision is aimed at being “future-proof”.

[1] Rec. 33 S. 1 et seq. ePrivacy Regulation.

[2] Cf. Mankowski, in: Fezer/Büscher/Obergfell, Lauterkeitsrecht: UWG (2016), § 7 Rec. 44, referring to European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on unsolicited commercial communications or ‘spam’, p. 8. Accordingly, the financial damage caused by so-called ‘cold calling’, as one means of direct marketing, was estimated to amount to about 2.5 billion Euros Europewide just in terms of productivity loss.

[3] Mankowski, ibid., § 7 Rec. 43.

[4] Mankowski, ibid., § 7 Rec. 48.

[5] Even though, in fact, Rec. 33a ePrivacy Regulation relativizes the significance of “cold calling” towards end-users.

[6] Cf. Art. 16 Sec. 5 ePrivacy Regulation, which delegates the Member States to grant legal persons a “sufficient level of protection”.

[7] Mankowski, ibid., § 7 Rec. 44 with reference to Köhler, WRP 2016, 798 (800).

[8] Cf. Rec. 33 ePrivacy Regulation.

As regards the relation with the preceding ePrivacy Directive, Art. 16 ePrivacy Regulation takes over most of its regulatory content. Art. 13 ePrivacy Directive stipulated a general prohibition, which was subject to exceptions, following the fundamental rights based structure of data and privacy protection (cf. Art. 8 ECHR and Arts. 7 and 8 CFR). The same approach can be found in Art. 16 ePrivacy Regulation, as within most of the Regulation’s other material provisions.[9] Exceptions pursuant to the ePrivacy Directive encompassed, e.g., the use of contact information acquired in the context of sales and demanded usage only for marketing of similar products or services. In this case, end-users were entitled to object to respective communications at the time of collection and at each subsequent approach “clearly and distinctly, free of charge and in an easy manner”.[10] Due to Art. 13 Sec. 3 ePrivacy Directive, any other case of direct marketing required the collection of prior consent by the end-user concerned. Consequently, the disguise of a marketing communication’s origin, as in terms of the sender, on whose behalf the communication was made or the address, to which recipients could send objections, was forbidden.[11] This essentially corresponds to the provisions of the ePrivacy Regulation, which will, therefore, not result in any significant changes. This also applies to the fact that the ePrivacy Directive’s provisions primarily concerned the protection of natural persons. It included legal persons only to the extent that Member States were obliged to ensure a sufficient level of protection.[12]

The requirements of the ePrivacy Directive were often transposed into the Member States’ unfair competition laws due to the commercial nature of marketing communications.[13] That proximity to unfair competition law, moreover, emerged with regard to related provisions of European Union law, particularly Art. 8 Directive 2005/29/EC (Unfair Commercial Practices Directive) and its Annex I No. 26. Respective legislation became subject to rather fierce objection by legal scholars, who perceived the implementation of privacy protection within the framework of national law of unfair competition as an “alien element”.[14] This was argued with regard to the fundamental rights orientation of privacy law, which served the protection of supreme personal rights, as opposed to unfair competition law, which served the protection of consumers “precisely in their function as market participants”.[15] Alternative propositions consequently regarded a transposition within the very context of national telecommunications and data protection law.[16]

[9] Cf. Arts. 5 et seqq., 8, 12 et seq., 15.

[10] Cf. Art. 13 Sec. 2 ePrivacy Directive.

[11] Art. 13 Sec. 4 ePrivacy Directive.

[12] Art. 13 Sec. 5 ePrivacy Directive.

[13] Note related provisions of Union law, e.g. § 7 German Unfair Competition Act (UWG) and Art. 16 Sec. 2 No. 4; 20; 22 Sec. 3 S. 1 French Act for Confidence in the Digital Economy.

[14] Cf. only Ohly, in: Ohly/Sosnitza, Gesetz gegen den unlauteren Wettbewerb (2016), § 7 Rec. 10.

[15] Ohly, in: Ohly/Sosnitza, Gesetz gegen den unlauteren Wettbewerb (2016), § 7 Rec. 10, with further reference to Köhler, WRP 13, p. 367 Rec. 13.

[16] Ohly, in: Ohly/Sosnitza, Gesetz gegen den unlauteren Wettbewerb (2016), § 7 Rec. 10.

Art. 16 ePrivacy Regulation is part of Chapter III (“End-users’ rights to control electronic communications”) and, thus, to be read in the context of other provisions regarding the communicative act, i.e. communications related questions rather than the processing of communications data. Art. 16 ePrivacy Regulation is closely related to Art. 14 ePrivacy Regulation (“Blocking Unwanted, malicious or nuisance calls”) and has significant overlaps with it. With regard to the systematic layout of Art. 16 ePrivacy Regulation, there are overlaps and repetitions within its Sec. 6. Art. 16 Sec. 6 lit. a Alt. 1 ePrivacy Regulation, to some extent, repeats its preceding Sec. 3, as does Sec. 6 lit. b Var. 2. Moreover, Art. 16 Sec. 6 lit. d S. 1 Alt. 1 ePrivacy Regulation repeats the formal preconditions for an adequate objection possibility under Sec. 2.[17] Since Sec. 6 was added in the course of the Council’s proposal of 10 February 2021, questions might be raised as to whether this repetition derives from an oversight of the legislator.

[17] This does not concern Art. 16 Sec. 6 lit. d S. 1 Alt. 2 ePrivacy Regulation, which only pertains to the withdrawal of consent, when provided pursuant to Sec. 1 and, thus, represents an independent stipulation.

Art. 16 ePrivacy Regulation concerns the act of unsolicited and direct marketing communications via electronic communications services. Pursuant to Art. 16 Secs. 1 – 2a ePrivacy Regulation, such communications are generally inadmissible, unless one of the two exceptions exists, namely: (i) the affected end-user has given their prior consent or (ii) their contact information was acquired in the course of a purchase from the advertiser.

Art. 16 ePrivacy Regulation requires the usage of ‘electronic communications services’. The term is defined in Art. 4 Sec. 1 lit. b ePrivacy Regulation in conjunction with Art. 2 Sec. 4 European Electronic Communications Code (‘EECC’) and entails all services provided via electronic communications networks.[18] ‘Electronic communications networks’, pursuant to Art. 2 Sec. 1 EECC, refer to transmission systems permitting the conveyance of signals by wire, radio, optical or other electromagnetic means, irrespective of the type of information conveyed. This includes mobile networks (e.g. cellular or Wi-Fi) as well as cable systems used for the purpose of transmitting signals (e.g. telephone networks, networks of internet service providers or local area computer networks (LAN)).[19]

Of particular relevance in the context of direct marketing communications is the sub-category of ‘interpersonal communications services’.[20] These describe services enabling “direct interactive exchange of information between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s)”. Consequently, electronic communications services are defined in a wide and technology-neutral way, following through with an approach repeated throughout the ePrivacy Regulation. The term does not only include services that are considered classic telecommunications services, as for instance telephone, e-mail or short message services (‘SMS’). It also refers to new types of services, such as so-called over-the-top (‘OTT’) services, which are provided via the infrastructure of others than the host itself, as, for instance, the internet.[21] Examples for OTT services are text messaging and voice-over-IP services like WhatsApp, Signal, Telegram or Threema.

Art. 4 Sec. 2 ePrivacy Regulation further expands the range of application to services enabling communication merely as an ‘ancillary feature’. Thus, services offering chat functionalities besides their primary focus also fall under the term of ‘interpersonal communications services’ and might become subject to stipulations pursuant to Art. 16 Secs. 1 – 2a ePrivacy Regulation. This includes, for instance, chat functionalities in computer games, online shops or the personal messaging functionalities in services, such as Facebook, Instagram, Twitter, Snapchat, TikTok or other web forums. This is a considerable extension compared to Art. 13 ePrivacy Directive, which only covered certain technologies, such as automatic calling systems, fax and email (cf. Art. 13 Sec. 1 and Sec. 2 ePrivacy Directive). In all other cases, it was left up to the Member States to implement “appropriate measures”. In contrast, the adoption of the broad concept of electronic communications services from Art. 2 Sec. 4 EECC and its further expansion by Art. 4 Sec. 2 ePrivacy Regulation to ancillary communication services, pursuant to Rec. 11 S. 3 ePrivacy Regulation, explicitly serves “to ensure an effective and equal protection of end-users when using functionally equivalent services”.

[18] Directive (EU) 2018/1972 of the European Parliament and the Council of 11 December 2018 establishing the European Electronic Communications Code.

[19] For details on the terms of electronic communications services and networks, see Art. 4 No. I.2.

[20] For a detailed definition see Art. 4 No. I.2.b)bb).

[21] For details on OTT services see Art. 1 No. II.1.

The term ‘direct marketing communications’ is defined by Art. 4 Sec. 3 lit. f ePrivacy Regulation as “any form of advertising, whether written or oral, sent via a publicly available electronic communications service directly to one or more specific end-users, including the placing of voice-to-voice calls, the use of automated calling and communication systems with or without human interaction [and] electronic message[s]”. In contrast to the preceding stipulation of Art. 13 ePrivacy Directive, which only regulated specific means of communication (e.g. automated calling systems, fax or e-mail), Art. 16 ePrivacy Regulation is meant to be technology-neutral and applies to all kinds of electronic communication for direct marketing purposes.[22] Therefore, the stipulation shall provide a flexible response to future technological developments. According to Recital 33 ePrivacy Regulation, means of communication explicitly encompassed by the stipulation are automated calling and communication systems (with or without human interaction), instant messaging applications, emails, text messages, MMS or messages sent via Bluetooth.

a) Advertising

The term ‘marketing’ refers to “any form of advertising”. Since a respective definition is not provided by the ePrivacy Regulation itself, a recourse to Art. 2 lit. a Directive 2006/114/EC (‘Advertising Directive’) is necessary. In that regard, ‘advertising’ is defined as “the making of a representation in any form in connection with a trade, business, craft or profession in order to promote the supply of goods or services, including immovable property, rights and obligations”.[23] This broad definition includes not only product-related praise, but also any other form of indirect promotion of sales, such as brand marketing or sponsoring.[24] Recent methods of marketing, for instance, have emerged within social media contexts, involving influencers with large numbers of followers.[25] Marketing actions range from apparent advertisements connected to sales-offers to rather subtle forms of subliminal influence. The adoption of a vague definition under Art. 2 lit. a Advertising Directive aims at regulating new and less obvious forms of product communication and, thus, at ensuring a comprehensive protective framework against unsolicited advertising. Further examples include the offering of additional services to existing purchases (even if complimentary), when included in an e-mail message acknowledging the receipt of customer inquiries[26] or customer satisfaction surveys via phone or e-mail[27]. These are generally, at least in part, intended to maintain customer relations and to promote further sales.

Art. 16 Sec. 1 ePrivacy Regulation presupposes the commercial nature of marketing communications.[28] This is evident, on the one hand, from Rec. 32 S. 3 et seq. ePrivacy Regulation, which states that Member States may decide that direct marketing communications may include those sent by political parties or other non-profit organizations. From this it follows that, a priori, advertising other than commercial advertising is not covered by the ePrivacy Regulation. On the other hand, this is confirmed by a historical comparison to Rec. 40 S. 2 ePrivacy Directive, which only spoke of “unsolicited commercial communications”.

Commerciality, as defined by Art. 2 lit. d Directive 2005/29/EC (‘Unfair Commercial Practices Directive’), means any act, omission, course of conduct, representation or commercial communication (including advertising and marketing) by a trader, directly connected with the promotion, sale or supply of a product to consumers.[29] This, consequently, includes all actions before, whilst or after the conclusion of a business-to-consumer (and, in the context of Art. 16 ePrivacy Regulation business-to-business) contract.[30] Conversely, most prominent examples where such a practice is not given are advertisements by political parties or other non-profit organizations.[31]

b) Specific end-user

The advertisement has to be addressed towards a specific end-user.[32] While the original proposal by the Commission[33] had referred to the GDPR’s term of an ‘identified or identifiable person’, the Council’s wording both broadens and clarifies the range of application.[34] Thus, it is no longer necessary for either the advertiser themselves or the legal practitioner to discern information which, on its own or in conjunction with other information, allows an inference to a natural (or legal) person.[35] Rather, an objectively targeted approach of any kind suffices, so that it includes all situations in which advertisers target end-users without having any information but the fact that he or she can be directly communicated with. On the other hand, it takes such marketing communications out of the equation, in which the advertiser, even though, in principle, having access to personal information about the end-user, does not target them specifically, but rather in the course of a general and automated advertising application. Such advertisements are often directed towards an undefined circle of recipients as members of the general public, even though a targeted approach would principally be possible (e.g. website related online marketing, whenever the advertiser could instead access the end-user’s IP address and address them specifically). Subsequently, Art. 16 Sec. 1 ePrivacy Regulation clarifies that it does not intend to regulate advertising matters by achieving additional protection for personal data, but rather to prevent the interference with privacy in the course of a specifically targeted marketing communication.

aa) Non-personalized advertisements on websites

Non-personalized advertisements on websites are not subject to Art. 16 ePrivacy Regulation, as such advertisements are not sent to identified end-users, but rather shown to the entire audience of the website, regardless of the visitor’s identity as part of an undistinguished public. Recital 32 S. 2 ePrivacy Regulation clarifies that the provision “should not apply to other form of marketing or advertising that is not sent directly to any specific end-user for reception by that end-user at addresses, number or other contact details, e.g. the display of advertising on a visited website or within an information society service requested by that end-user”. Thus, the same finding applies to so-called contextual advertisement, in which the content of the displayed advertisement does not relate to an individual visitor but rather the kind of content on the website. If, for example, advertisements for cars are being placed on a news website, these are not subject to Art. 16 ePrivacy Regulation.

bb) Personalized advertisements on websites

Personalized advertisements on websites do not fall under this provision, even if they are based on a previous determination of an end-user’s characteristics and preferences, i.e. on behavioural tracking or “profiling”.[36] According to Rec. 32 S. 2 ePrivacy Regulation, Art. 16 Sec. 1 ePrivacy Regulation “should not apply to other forms of advertising, which are not sent directly to any specific end-user for reception by that end-user at addresses, number or other contact details, e.g. the display of advertising on a visited website”. Thus, respective technologies are assigned exclusively to Art. 8 ePrivacy Regulation, which applies to the tracking process of personalised advertising prior to the display of advertising itself.[37]

Pursuant to Recital 33 ePrivacy Regulation’s exemplary enumeration, this provision aims solely at services enabling direct interpersonal and interactive exchange of information, i.e. interpersonal communication services in the sense of Art. 4 Sec. 1 lit. b ePrivacy Regulation in conjunction with Art. 2 Secs. 4 lit. b, 5 EECC. Contrary to automated calling and communication systems, instant messaging applications, emails, SMS, MMS, Bluetooth and comparable services, which allow for a communicative bi- or multilateral exchange, targeted website advertisements do not imitate regular conversations, but are rather characterized by their particular one-sidedness. Advertisements are merely displayed on a respective website, requiring neither a specific form of personal interaction (apart from sometimes encountered pop-up windows, which need to be closed) nor the underlying function of a (personal) conversation.[38] As legislative history shows, moreover, the legislator explicitly did not want such a form of communication to be subject to this provision. The term ‘presented’ had previously been proposed for the provision and was later removed.[39] With regard to the express statement of Recital 32 S. 2 ePrivacy Regulation, the provision must, therefore, be understood to mean that advertising on websites is not covered by the provision and it is, therefore, permissible without applying the specific justification regime under Art. 16 ePrivacy Regulation.

c) Sending

The term ‘sending’ is defined neither in the ePrivacy Regulation nor in any of the other ePrivacy relevant European acts. According to a colloquial interpretation of the term, sending is defined as an act of dispatch by means of communication, as in directing, ordering or requesting to depart in a certain direction.[40] Subsequently, for means of individual communication based on messages (e.g. SMS, messenger apps like WhatsApp, electronic mail, fax or voice messages), sending can be understood as the initiation of a message transfer from the sender to the recipient.

The term ‘sending’ does not entirely fit the process of a call. When voice messages are transmitted in a linear way (either over traditional phone lines, voice over IP or voice calls in messenger apps), such communication is not ‘sent’ in the ordinary meaning of the word but consists of a mutual exchange of speech. However, the legislator clearly intended to include direct marketing calls in Art. 16 ePrivacy Regulation, which its corresponding Recital 33 S. 2 clarifies.[41] Neither the European Parliament nor the Council of the European Union has addressed this issue of an unfortunate wording in their respective amendment proposals. Thus, Art. 16 ePrivacy Regulation should be interpreted in a way that allows the limits of the provision’s wording to be extended with regard to the legal element of ‘sending’. For instance, the establishment of the phone connection necessary for the performance of a call might be considered ‘sending’ of the voice message to the end-user.

[22] Recital 33 S. 4 ePrivacy Regulation explains this approach with an endeavor to achieve legal certainty. Technology neutral stipulations are expected to be future-proof and might, thus, entail more consistency in application. Cf. in this regard already No. II.1.

[23] Directive 2006/114/EC of the European Parliament and of the Council of 12 December 2006 concerning misleading and comparative advertising.

[24] Cf. Fritzsche, in: Fritzsche/Münker/Stollwerck, BeckOK UWG (2022), § 7 UWG Rec. 45.

[25] German Federal Court of Justice (BGH), judgement of 9 September 2021, I ZR 90/20, I ZR 125/20 and I ZR 126/20 – Influencer I – III.

[26] BGH, judgement of 15 December 2015 – VI ZR 134/15, Rec. 19.

[27] BGH, judgement of 10 July 2018 – VI ZR 225/17 rec. 17-18.

[28] This question is of a two-fold significance: In a first step, it determines the presence of a marketing communication and, thus, the applicability of Art. 16 Sec. 1 ePrivacy Regulation. In a second step, it excludes non-commercial actors from the range of addressees of the provision, as will be discussed in the context of No. II.3.

[29] Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directive 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’); further guidance on the concept of commercial practices is provided by European Commission, Guidance on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market (2021/C 526/01), p. 28 et seqq.

[30] Cf. also Art. 3 Sec. 1 UCP Directive.

[31] Rec. 32 S. 3 and 4 ePrivacy Regulation; see also Fritzsche, in: Fritzsche/Münker/Stollwerck, BeckOK UWG (2022), § 7 UWG Rec. 45.

[32] Rec. 32 S. 1 ePrivacy Regulation. The Council of the European Union has proposed to change this term to ‘specific end-users’, distinguished by an address, number or other contact detail; Council of the European Union, ST 11001/19, p. 49.

[33] European Commission, Proposal of 10 January 2017, COM(2017) 10 final.

[34] This also eliminates a recourse to data protection law, which appears to be rather devious in this context.

[35] Regarding this definition, cf. Karg, in: Simitis/Hornung/Spiecker gen. Döhmann, Datenschutzrecht, Art. 4 (2019), Recs. 54-56 and Voigt/von dem Bussche, GDPR – A Practical Guide (2017), p. 12.

[36] For the sake of simplification, the following text only deals with targeted advertisement on websites. However, for other uses of targeted advertising, e.g. in apps, games etc., the same considerations apply; for details on the legal requirements of profiling see Art. 4 No. III.4 and Art. 8 No. I.2.c)dd) and also Art. 29 WP, WP 163 (2/2009), p. 11.

[37] For details see Art. 8 No. I.2.a)bb).

[38] To put it bluntly, one could say that this conclusion already follows from the wording itself, insofar as website advertisements are being ‘presented’ to the end-user and not ‘sent’ in terms of Art. 16 Sec. 1 ePrivacy Regulation; cf. Art. 29 WP, WP 247 (2017), p. 20 et seq. also assuming, that most advertising on the web is not “sent” and, thus, not subject to Art. 16 ePrivacy Regulation.

[39] Cf. Council of the European Union, ST 11995/17, p. 8 and also European Parliament, LIBE report A8-0324/2017, 20 October 2017, p. 76.

[40] Merriam-Webster’s Dictionary, available under www.merriam-webster.com/dictionary/send, last retrieved 19 April 2022.

[41] Rec. 33 ePrivacy Regulation.

Art. 16 ePrivacy Regulation addresses both natural and legal persons in different roles, i.e. on part of either the sending or the receiving side of the marketing communication. While the sending party will generally be subjected as addressee of the provision, the receiving party will be protected against associated intrusions to their privacy.[42]

a) Norm addressees

Art. 16 ePrivacy Regulation addresses natural and legal persons alike. Legal persons are entities with legal personality, which are granted specific legal rights or are subject to obligations and restrictions.[43] This applies, for example, to entities like the UK ‘Limited’ (Ltd.) or the German ‘Gesellschaft mit beschränkter Haftung’ (GmbH). As Recital 32 ePrivacy Regulation (e contrario) clarifies, the term must, however, be understood narrowly, to the extent that it includes legal persons only if these are acting commercially. It, consequently, excludes non-profit organizations and political parties, even though these would in principle fall under the definition. Yet, according to Recital 32 ePrivacy Regulation, Member States may decide that direct marketing communications sent by such organizations in order to promote their parties or otherwise support their purposes are included in the term.[44]

b) Protected subjects

Art. 16 ePrivacy Regulation primarily protects natural persons against direct marketing communications that intrude upon their privacy. Art. 4 Sec. 1 lit. a ePrivacy Regulation in conjunction with Art. 4 Sec. 1 GDPR defines natural persons as all living mankind, regardless of their age and nationality.[45] This includes not only natural persons in their role as market participants, but rather all natural persons.[46] The ePrivacy Regulation, thus, clarifies that a significantly broader scope of application is intended compared to the law of unfair competition. Conversely, the ePrivacy Regulation excludes natural persons from the scope of protection if they act in a professional capacity. Art. 15 Sec. 1 ePrivacy Regulation and its corresponding Rec. 30 state that the latter should be treated as legal persons for the purpose of the provisions on publicly available directories. This makes clear that privacy should be protected only to the extent that the private (i.e. not the professional) sphere is in fact affected. The approach follows the assessment that professionally acting persons, be they natural or legal, on the one hand, regularly act publicly anyway and, on the other hand, in view of the increased and specific security requirements of commercial traffic, can be granted less protection against the disclosure of their contact data.[47] This reasoning applies (to a lesser extent) to unsolicited marketing communications, as well. Operating in a commercial sphere goes hand in hand with a constant professional exchange and presupposes a certain openness to commercial offers.[48] In contrast, private individuals can bring to bear an increased interest in protecting their environment. This finding corresponds with a decreased level of protection towards legal persons pursuant to Art. 16 Sec. 5 ePrivacy Regulation, which is likewise to be found in Art. 15 Sec. 3 ePrivacy Regulation. Consequently, natural persons acting in a professional capacity are generally not eligible for protection under Art. 16 Sec. 1 ePrivacy Regulation.

However, according to Art. 16 Sec. 5 ePrivacy Regulation, “Member States shall ensure, in the framework of Union law and applicable national law, that the legitimate interest of end-users that are legal persons with regard to direct marketing communications sent by means set forth under paragraph 1 are sufficiently protected”. In that, sufficient protection should differ from such of natural persons. In addition to the above made comments, this results from the relativizing wording of the provision. Instead of the terms “same interests” and “same level of protection”, it uses the term “legitimate interest” and “sufficiently protected”. Indeed, the level of protection does not mandatorily have to be lower than that of natural persons, as is evident from the absence of an explicit stipulation in this regard. However, it should also not be substantially higher, taking into account the explanations made above.

[42] Cf. Rec. 33 S. 1 et seq. ePrivacy Regulation.

[43] CJEU, judgement of 23 April 2018, T-561/14 – One of Us, para. 59; for further comments on the term see Art. 1 No. I.1.a).

[44] Regarding the exercise of this delegation cf. Art. 25 ePrivacy Regulation.

[45] Ziebarth, in: Sydow, DSGVO (2018), Art. 4 Rec. 10; Dammann, in: Simitis, BDSG (2011), § 3 Rec. 17.

[46] Cf. § 2 Sec. 1 No. 3 German Unfair Competition Act (UWG); further comments in Mankowski, in: Fezer/Büscher/Obergfell, Lauterkeitsrecht: UWG (2016), § 7 Rec. 48.

[47] Cf. Art. 15 No. II.3.

[48] Cf. in this regard German Federal Court (BGH), decision of 24 January 1991, I ZR 133/89 – Telefonwerbung IV, No. II.2.a); Pauly/Jankowski, GRUR 2007, 118 (122); different opinion with regard to the economic damage caused by “cold calling” held by Mankowski, ibid., in: Fezer/Büscher/Obergfell, Lauterkeitsrecht: UWG (2016), § 7 Rec. 44. Since Recital 33a ePrivacy Regulation (even though materially incorrect) assumes that no financial damage is caused on the side of end-users, the economic argument, however, cannot stand.

The provision takes over the dogmatic concept pursued already in earlier Articles, which subjects privacy-intrusive actions to a general prohibition with the possibility of justification under specific conditions.[49] As in other provisions, the main legal basis is consent (Art. 16 Sec. 1 ePrivacy Regulation). Further privileges are provided by Art. 16 Sec. 2 ePrivacy Regulation, on the one hand, which is designed as a legal basis for follow-up marketing communications after the conclusion of a contract and by Art. 16 Sec. 4 ePrivacy Regulation, on the other hand, which (as already seen in Art. 15 Sec. 3 et seq. ePrivacy Regulation) allows Member States to dispense with the principle of a prohibition of marketing communications under Sec. 1 in favor of a mere possibility to object to direct marketing voice-to-voice calls.

[49] Cf. in this regard Art. 5 et seqq.; 13 and 15 ePrivacy Regulation.

The sending of direct marketing communications to end-users who are natural persons can be justified if valid consent has been provided. This is based on Art. 16 Sec. 1 in conjunction with Art. 4a Sec. 1 ePrivacy Regulation and Art. 6 Sec. 1 lit. a GDPR et seqq.[50] Accordingly, consent must be given voluntarily, specifically and informed and also constitute an unambiguous indication of the person’s wishes by which he or she signifies agreement to the reception of direct marketing communications by a statement or by a clear affirmative action.

a)  Applicability of the GDPR

Since provisions of the ePrivacy Regulation are designed to particularize and complement the GDPR, the general stipulations of the GDPR apply only, where the ePrivacy Regulation does not contain a specific rule.[51] With regard to the sending of unsolicited marketing communications, it must, therefore, be distinguished between (i) the collection of respective contact data and (ii) the use of this data for a marketing communication, which both fall under the GDPR, as well as (iii) the actual marketing communication itself as part of the stipulations under the ePrivacy Regulation. Thus, consent pursuant to Art. 16 Sec. 1 ePrivacy Regulation does not represent a legal justification for the earlier, meaning that, principally, separate compliance with GDPR rules has to be ensured.[52] Since the requirements pursuant to Art. 6 Sec. 1 lit. b and lit. f GDPR in connection with the explicit clarification under Rec. 47 S. 7 GDPR provide that both (i) the collection of data and (ii) the further use for marketing purposes shall be privileged in principle, this takes effect, however, only to the extent that consent to the interference with the addressee’s privacy under Art. 16 Sec. 1 ePrivacy Regulation will be required.

b)  Requirements for valid consent

The general consent requirements pursuant to Art. 4a Sec. 1 ePrivacy Regulation and Art. 6 Sec. 1 lit. a GDPR apply. With regard to the general requirements, reference is, therefore, made to the respective explanations.[53] As concerns the specific conditions of unsolicited marketing, however, following peculiarities should be noted.

aa) Term and form of consent under Art. 16 Sec. 1

Consent refers to the declaration of agreement to the privacy and data protection intervention by way of an unsolicited marketing communication.[54] In contrast to a retroactive approval, consent must always be given in advance of the relevant action and is otherwise invalid.[55] In the case of telephone calls, this includes the time of the pick-up itself, when a privacy intrusion has already taken place.[56] If this interpretation is considered too strict, there is, however, the possibility for Member States to enact corresponding exemptions in accordance with Art. 16 Sec. 4 ePrivacy Regulation. According to this, non-automated voice-to-voice marketing calls can, in principle, be exempted from the consent requirement and, conversely, be subject to a mere right to object. Apart from this, the mere initiation of a marketing communication (be it an e-mail or a call), is considered a privacy-intrusive action by itself and, thus, in need of justification.

Moreover, in the absence of specific regulations under Art. 16 Sec. 1 ePrivacy Regulation and with recourse to the requirements of the GDPR, the form of consent may vary and, therefore, include both explicit and implied declarations.[57] Implied consent may, for instance, be assumed in case of an existing business relationship, during which respective communications have occurred and not been rejected or even been welcomed.[58] Contrarily, it cannot be assumed that implied consent is provided in the course of a mere disclosure of contact addresses, such as in the course of a lottery, industry customaries, personal relations or based on a presumed interest on the basis of assumptions regarding an end-user’s purchasing needs.[59] In this context, also mere inaction or silence is not sufficient, but rather, there must be a positive action. Only the latter allows for a corresponding conclusion, while the former is legally meaningless.[60] For example, it is not sufficient if the called party merely does not object during the call.[61] The same applies to the case that an originally justified advertising behaviour, such as an email advertisement for a certain product, is complemented by follow-up emails for other products. In this case, the follow-up emails are not automatically covered by a prior consent and mere not responding.

bb) Consenting subject, Art. 16 Sec. 1

Consent must be given by end-users who are natural persons. Legal persons are covered by Art. 16 Sec. 5 ePrivacy Regulation, instead. ‘End-users’ can be any person, using a particular online or offline communication access.[62] It is, therefore, not limited to the actual network subscriber.[63]

cc) Freely given and informed, Arts. 4 No. 11; 7 Sec. 4 GDPR

According to Arts. 4 No. 11; 7 Sec. 4 GDPR consent must be given freely and as an unambiguous indication of the data subject’s wishes. Here, the advertiser bears the burden of proof. Rec. 32 S. 2 GDPR clarifies that one form of valid consent is the “ticking of a box when visiting an internet website”, whereas “pre-ticked boxes or inactivity should […] not constitute consent”. Consequently, so-called “opt-in” procedures are necessary when obtaining consent for advertising purposes.[64]

In view of the aforementioned assignment of the burden of proof, a so-called “double opt-in procedure” may be helpful to prove that consent has been provided.[65] According to this, the addressee not only (i) consents on a respective website, for example by disclosing their contact address in the advertising context (possible implicit consent) or ticking a consent box (possible explicit consent), but (ii) also and additionally consents by means of a personalised declaration.[66] Such can be initiated by the advertiser, for example, by sending a separate email, requesting the clicking of an activation link (so-called “DOI-mail”). This shall ensure the attributability of consent to the person, which receives the communications respectively. Some countries, as in particular Germany, have made this procedure mandatory.[67]

In that, a “double opt-in” registration only becomes effective when it is confirmed. Thus, in case, the addressee wishes to receive respective communications, he or she can activate the link and confirm their approval. If, however, the entry has been made without their knowledge (or the addressee has changed their mind), they can protect themselves by simply not responding to the confirmation request.

It is questionable, however, to what extent a double opt-in procedure can actually serve to guarantee attributability to a specific person. There are, indeed, situations conceivable, in which the addressee does not consent into the marketing communication, even though ostensibly a double opt-in procedure has been performed successfully.[68] This is possible, particularly, if the indicated medium for communication differs from the medium of opting-in.[69] If, for example, the verification is carried out by telephone instead of e-mail, as would be the indicated target of communications, it is by no means possible to guarantee attributability to the marketing addressee. Much rather, any given third person could pretend to be the latter, and, thus, undermine the double-opting-in-system. Conversely, the entry of an incorrect telephone number cannot effectively be verified by e-mail, since the latter will, at best, ensure attributability to the person entering the information, yet not to the addressee of advertising. Accordingly, DOI-procedures always have to resort to one medium only.[70] If even then (for whatever reasons), the addressee wants to claim that it was not themselves providing consent, he or she must accordingly provide adequate proof. The above-mentioned distribution of the burden of proof is, thus, effectively reversed by a “single-media” DOI.[71]
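The double opt-in procedure discussed above, as an added sketch that is not part of the original commentary: the confirmation token is bound to one medium and one address, the registration stays ineffective until confirmed, and every step is recorded as evidence for the advertiser's burden of proof. The class names, the HMAC token format and the 48-hour window are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 48 * 3600  # confirmation window in seconds (assumed value)


@dataclass
class ConsentRecord:
    channel: str                 # medium the marketing will use: "email" or "sms"
    address: str
    purpose: str                 # sender and product categories shown at sign-up
    requested_at: int
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None
    evidence: list = field(default_factory=list)  # audit trail for burden of proof


class DoubleOptIn:
    """Hypothetical single-medium double opt-in registry."""

    def __init__(self, key: bytes, ttl: int = TOKEN_TTL):
        self.key, self.ttl = key, ttl
        self.records = {}        # (channel, address) -> ConsentRecord

    def _mac(self, rec: ConsentRecord) -> str:
        # Bind the token to medium, address, purpose text and request time.
        msg = "\n".join([rec.channel, rec.address, rec.purpose,
                         str(rec.requested_at)]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request(self, channel, address, purpose, now=None) -> str:
        """Step (i): sign-up. The returned token must be delivered only over
        `channel` to `address` (the activation link in the DOI mail)."""
        now = int(time.time() if now is None else now)
        old = self.records.get((channel, address))
        if old and old.confirmed_at is not None and old.withdrawn_at is None:
            return self._mac(old)   # a third-party re-signup must not reset consent
        rec = ConsentRecord(channel, address, purpose, now)
        rec.evidence.append(("requested", now))
        self.records[(channel, address)] = rec
        return self._mac(rec)

    def confirm(self, channel, address, token, now=None) -> bool:
        """Step (ii): the addressee returns the token. Registration becomes
        effective only here; not responding leaves it ineffective."""
        now = int(time.time() if now is None else now)
        rec = self.records.get((channel, address))
        if rec is None or rec.withdrawn_at is not None:
            return False
        if now - rec.requested_at > self.ttl:
            return False
        # A token issued for another medium or address fails this comparison.
        if not hmac.compare_digest(token.encode(), self._mac(rec).encode()):
            return False
        if rec.confirmed_at is None:
            rec.confirmed_at = now
            rec.evidence.append(("confirmed", now))
        return True

    def withdraw(self, channel, address, now=None) -> bool:
        """Withdrawal works for the future only; the record is kept as evidence."""
        now = int(time.time() if now is None else now)
        rec = self.records.get((channel, address))
        if rec is None or rec.confirmed_at is None:
            return False
        rec.withdrawn_at = now
        rec.evidence.append(("withdrawn", now))
        return True

    def may_send(self, channel, address) -> bool:
        # Consent covers only the exact medium and address that were confirmed.
        rec = self.records.get((channel, address))
        return bool(rec and rec.confirmed_at is not None
                    and rec.withdrawn_at is None)


if __name__ == "__main__":
    # Constructed sample data: key, address and purpose text are made up.
    doi = DoubleOptIn(key=b"demo-key-for-illustration-only!!")
    tok = doi.request("email", "alice@example.test", "Example Shop: garden tools")
    print(doi.may_send("email", "alice@example.test"))   # before confirmation
    doi.confirm("email", "alice@example.test", tok)
    print(doi.may_send("email", "alice@example.test"))   # after confirmation
```
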

dd) Transparency requirements, Art. 7 Sec. 2 GDPR

The transparency requirements under Art. 7 Sec. 2 GDPR apply, especially in the case of bundled declarations. On the one hand, this means that the drafting of contracts must clearly distinguish between consent itself and other declarations, i.e., for example, concrete sales offers or subscriptions.[72] On the other hand, the point of reference of consent must be clearly determinable. While consent is generally neither necessary with respect to the collection of contact details pursuant to Art. 6 Sec. 1 lit. b GDPR nor (given the explicit wording of Rec. 47 S. 7 GDPR and the privilege for follow-up marketing communications under Art. 16 Sec. 2 ePrivacy Regulation) with regard to the following processing for advertising purposes pursuant to Art. 6 Sec. 1 lit. f GDPR, it is necessary with regard to the associated privacy intrusion, which takes place during a marketing communication. This should become clear from the wording of the contract.

ee) Specification of purposes, Art. 6 Sec. 1 lit. a GDPR

Besides compliance with the relevant restrictions for marketing communications, all purposes that the relevant data is collected and processed for have to be explicitly specified. In the context of Art. 16 Sec. 1 ePrivacy Regulation, this requires specification on (i) who will be allowed to send marketing communications and (ii) in what context communications are allowed to be made.[73] Also, it is advisable to include information about the duration of the granted consent.[74]

Even if it is not yet conclusively clarified by the CJEU, at least German case law justifiably suggests[75] that the clarification of the use of contact details for advertising also needs to clearly specify the advertised categories of products and services.[76] A systematic comparison with Art. 16 Sec. 2 ePrivacy Regulation shows that the legislator only allows advertising for similar products when contact data is obtained in the context of a sales contract. This makes it clear that the legislator pays attention to the content of the advertising and confirms the assumption that, even if the scope of different products is not limited, the type of products should be clearly indicated.

In contrast, it should not be considered necessary that the specific form of marketing communication is also specified.[77] If the consent-form includes the wording that consent is given by the addressee in order to be contacted in the future for advertising purposes and if he or she provides various contact addresses (such as a telephone number and e-mail address) they must expect that these will later be used for advertising purposes, accordingly.

ff) Duration of validity of consent declarations

While the Art. 29 WP and the EDPB recommend periodic refreshing of consent,[78] there is no rule in the ePrivacy Regulation or the GDPR regarding direct marketing that would indicate a limited timely validity of consent. Only Art. 16 Sec. 2a ePrivacy Regulation provides for a corresponding regulation, according to which it is open to Member States setting a respective time frame (arguably with exclusive regard to Sec. 2). Conversely, Art. 16 Sec. 1 ePrivacy Regulation, which, moreover, was only added later for clarification purposes, cannot be interpreted as stipulating a limited time frame of validity qua legem. However, since consent is always tied to specific purposes and boundaries, it is recommendable to constantly check, whether those still match the planned marketing communication or an objection has been given in the meantime.[79] Generally, if a purpose is no longer pursued or becomes unachievable, the validity of consent lapses.

c) Withdrawal of consent, Art. 16 Sec. 6 lit. d S. 1 Alt. 2

A distinction between declaration processes can be found, moreover, in Art. 16 Sec. 2 ePrivacy Regulation and Sec. 6 lit. d S. 1 Alt. 1 and Alt. 2 with regard to a withdrawal of consent or the objection to data processing for direct marketing purposes.[80] Special attention is due to the relationship between both alternatives and how these correlate with the general restriction of consent under Art. 7 Sec. 3 GDPR. Pursuant to Art. 16 Sec. 2 S. 1 ePrivacy Regulation, end-users who are natural persons need to be given the opportunity to object to the use of their contact details for direct marketing. Art. 16 Sec. 2 S. 2 ePrivacy Regulation specifies that such possibility to object shall be given both at the time of collection (Alt. 1) and each time a direct marketing communication is made (Alt. 2). Since Sec. 2 represents a specific legal basis for marketing communications deriving from a contractual relationship (purchase or service), the possibilities to object are, thus, also specific conditions of a lawful exercise of this legal basis. In contrast, a distinction must be made vis-à-vis the voluntary justification under Sec. 1, which is further specified by Art. 16 Sec. 6 lit. d S. 1 Alt. 2 ePrivacy Regulation. Here, the conditions are specified under which a previously given consent may be withdrawn. In view of the more general withdrawal option under Art. 7 Sec. 3 GDPR, the former represents a more specific regulation and, consequently, supersedes it.

Consent can, in principle, be withdrawn freely, but only with effect for the future.[81] In this respect, Art. 7 Sec. 3 GDPR provides for a comparable regulation, but is subordinate to Art. 16 Sec. 6 lit. d ePrivacy Regulation. Withdrawal is possible informally, even by implied declaration and even if the consent was given in writing.[82] Yet, a respective declaration needs to be addressed in such a way towards the advertiser that it has the opportunity of noticing, i.e. it must be received by the advertiser.

[50] For details on consent under the ePrivacy Regulation cf. Art. 4a No. I et seqq.

[51] Art. 1 Sec. 3 ePrivacy Regulation.

[52] For details see Datenschutzkonferenz (DSK), Orientierungshilfe der Aufsichtsbehörden zur Verarbeitung von personenbezogenen Daten für Zwecke der Direktwerbung unter Geltung der Datenschutz-Grundverordnung (DS-GVO), November 2018.

[53] Art. 4a No. I et seqq.

[54] A detailed definition is provided by Art. 4 Sec. 1 lit. a ePrivacy Regulation in conjunction with Art. 4 No. 11 GDPR.

[55] Cf. Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 144.

[56] German Federal Court of Justice (BGH), decision of 20 January 2001, I ZR 227/99 – Werbefinanzierte Telefongespräche = GRUR 2002, 637 (639).

[57] Frenzel, in: Paal/Pauly DS-GVO BDSG (2021), Art. 6 Rec. 11.

[58] Cf. BGH, decision of 8 June 1989, I ZR 178/87 – Telefonwerbung II = GRUR 1989, 753 (754); BGH, decision of 8 November 1989, I ZR 55/88 – Telefonwerbung III = GRUR 1990, 280 (281).

[59] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Recs. 146-146f.

[60] With further explanations regarding the international handling of the significance of “silence”, Rothermel/Dahmen, RIW 2018, 179.

[61] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 144.

[62] For details on the term, see Art. 4 No. I.2.e).

[63] As, however, assumed pursuant to the German § 7 Unfair Competition Act (UWG). In that regard, for instance, Möller, WRP 2010, 321 (331).

[64] In Germany, a detailed account of the respective requirements was provided in BGH, judgement of 16 July 2008, VIII ZR 148/06 – Payback = GRUR 2008, 1010.

[65] Cf. also Conrad/Treeger, in: Auer-Reinsdorff/Conrad, Handbuch IT- und Datenschutzrecht (2019), § 34 Rec. 505; German Federal Court of Justice (BGH), judgement of 10 February 2011, I ZR 164/09 – Double-opt-in-Verfahren; BGH, judgement of 14 March 2017, VI ZR 721/15 – Robinson Liste = GRUR 2017, 748 Rec. 17.

[66] Specht, in: Specht/Mantz, Handbuch Europäisches und deutsches Datenschutzrecht (2019), § 9 Rec. 36.

[67] See German Federal Court of Justice (BGH), judgement of 11 March 2004, I ZR 81/01 – E-Mail Werbung I = GRUR 2004, 517 (519); State Court of Justice (LG), Munich I, decision of 13 October 2009, 31 T 14369/09 = K&R 2009, 824.

[68] Cf., for instance, German Federal Court of Justice (BGH), judgement of 10 February 2011, I ZR 164/09 – Double-opt-in-Verfahren, Recs. 39 et seq.

[69] German Federal Court of Justice (BGH), judgement of 10 February 2011, I ZR 164/09 – Double-opt-in-Verfahren, Recs. 39 et seq.

[70] Cf. again German Federal Court of Justice (BGH), judgement of 10 February 2011, I ZR 164/09 – Double-opt-in-Verfahren, Recs. 38.

[71] Cf. German Federal Court of Justice (BGH), judgement of 10 February 2011, I ZR 164/09 – Double-opt-in-Verfahren, Recs. 35.

[72] Heckmann/Paschke, in: Ehmann/Selmayr, DSGVO (2018), Art. 7, Rec. 79 et seq.

[73] Buchner, WRP 2018, 1283 (1287).

[74] Schneider, K&R 2019, 8 (12).

[75] Cf. Conrad/Treeger, in: Auer-Reinsdorff/Conrad, Handbuch IT- und Datenschutzrecht (2019), § 34 Rec. 504: “the GDPR assigns transparency requirements (in Art. 7 and Art. 13, 14 GDPR) such a central role that the relatively restrictive German GTC case law on consumer consent is likely to remain relevant.”

[76] BGH, judgement of 14 March 2017, VI ZR 721/15 – Robinson Liste = GRUR 2017, 748 Rec. 24; BGH, judgement of 25 October 2021, I ZR 169/10 – Einwilligung in Werbeanrufe II = GRUR 2013, 531 Rec. 24.

[77] BGH, judgement of 1 February 2018, III ZR 196/17 – Mehrere Werbekanäle = GRUR 2018, 545 Recs. 25 et seqq.

[78] Art. 29 WP, WP 259 (2018), p. 21, endorsed by the EDPB in: Endorsement 1/2018 of 25 May 2018.

[79] Schneider, K&R 2019, 8 (11 et seq.).

[80] Cf. also Rec. 34 S. 1 ePrivacy Regulation.

[81] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 148a.

[82] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 148a.

Art. 16 Sec. 2 ePrivacy Regulation governs the use of collected “contact details for electronic message from end-users who are natural persons, in the context of the purchase of a product or a service, in accordance with Regulation (EU) 2016/679, that natural or legal person may use these contact details for direct marketing of its own similar products or services”. It must, consequently, be distinguished between (i) the collection, (ii) the actual use of contact details and (iii) the marketing communication itself. While the first step falls under the legal regime of the GDPR (i.e. Art. 6 Sec. 1 lit. b GDPR), the latter two are governed by Art. 16 Sec. 2 ePrivacy Regulation. In accordance with Art. 1 Sec. 3 ePrivacy Regulation, this represents a lex specialis to the GDPR.[83]

The provision represents a legal justification for respective processing of data and the interference with an end-user’s privacy. Yet, the following restrictions according to Art. 16 Sec. 2 S. 2 and Sec. 2a ePrivacy Regulation must be observed, which provide end-users with the right to object to respective processing and communications, as well as Member States with the possibility of implementing a time limitation for such actions. Finally, complementary stipulations by Art. 16 Sec. 2 S. 1 and Sec. 6 lit. d S. 1 Alt. 1 ePrivacy Regulation apply, stipulating that objection to the use of contact details must be possible “free of charge, at any time and in an easy and effective manner”.

a) Collection in the context of a purchase

Collection in the context of a purchase of a product or service is not to be understood in a strict sense under which only purchase or service contracts are covered. This would remove significant use cases regarding other contractual arrangements without any apparent reason. For example, it would not be comprehensible why contracts for the creation of works, consumer loan contracts, rental contracts or others should be disadvantaged compared to the sales of products and the offering of services, even though electronic contact details are transmitted in all cases and there is, just as well, a legitimate interest in follow-up marketing. The terminology should, therefore, be read to encompass various contractual arrangements.

Examples for the collection are provided in various situations in which a customer discloses his or her personal data in order to make a purchase order or otherwise conclude a contract. Even if Art. 16 Sec. 2 ePrivacy Regulation is limited to obtaining electronic contact details, the collection of personal data can, however, occur both in on- and offline situations. One might think, for instance, of a company’s provision of order forms and billing services, which today oftentimes include the e-mail address as an addition to classic contact details. Also, the creation of customer files by the company or the corresponding online registration of a profile fall hereunder.

It must be noticed that Art. 16 Sec. 2 ePrivacy Regulation only encompasses contact details for electronic messages. Consequently, the collection and use of other contact details does not fall under the provision and must continue to be handled by the GDPR or respectively by national legal systems – for example within the framework of the law of unfair competition.[84]

With regard to the collection of contact details for electronic messages, it is important that the obtainment unfolds “in the context” of the purchase of a product or service and not separate from it.[85] In any case, this means a factual connection must be given which, in case of doubt, can be supplemented by further criteria, such as a temporal or spatial proximity. It lacks whenever contact details are obtained without prior or subsequent conclusion of a contract, i.e., for example, if companies buy addresses on the free market. Here, the mere intention of a subsequent use to conclude a purchase is not sufficient, since otherwise the specific justification of Art. 16 ePrivacy Regulation, which is granting customers with a demonstrated willingness to buy a certain product lesser interest in not being exposed to further marketing, would be circumvented.

Problematic, however, is the question, if also pre-contractual relations suffice for the legal justification under Art. 16 Sec. 2 ePrivacy Regulation. Such are given any time the conclusion of a contract is merely initiated, as for instance in the course of contract negotiations or similar business contacts, e.g., informatory requests relating to a product or other signaling of purchasing interest.[86] With regard to Art. 16 Sec. 2 S. 1 ePrivacy Regulation’s wording and regulatory intent, this, however, is to be denied. On the one hand, the decision underlying Art. 16 Sec. 2 ePrivacy Regulation is to disadvantage an end-user with regard to the level of their privacy protection whenever they have proven a purchasing interest and, in contrast, to favor marketers in respect to their further going sales and advertising interest. In the case of pre-contractual relationships, however, no purchase interest was proven, but only indicated. A corresponding extension of the scope of application would, therefore, undermine this intent. On the other hand, a systematic comparison with the clear wording of the follow-up provision, Art. 16 Sec. 2a ePrivacy Regulation, shows that the legislator is referring only to completed sales and not their mere initiation. Pre-contractual relations are, thus, excluded from Art. 16 Sec. 2 ePrivacy Regulation.

To the contrary, void contracts, pursuant to the opinion held here, should, indeed, be subsumed under Art. 16 Sec. 2 of the ePrivacy Regulation, insofar as the ground for voidance is based on circumstances of which the parties are unaware. Whenever parties conclude a contract, without knowing legal requirements needed for its validity (e.g., formal requirements), the end-user has proven their general interest in a purchase. In this case Art. 16 Sec. 2 ePrivacy Regulation must be extended teleologically.

b) GDPR compatibility

Contact details for electronic messages must be acquired in accordance with the GDPR. This pertains particularly to the provisions under Arts. 5 to 11 GDPR. Since the collection of contact details itself represents processing of personal data within the meaning of Art. 4 Secs. 1, 2 GDPR, contracting parties must be aware of the principles relating to processing and the required legal basis according to Art. 6 et seqq. GDPR.[87] In most cases, this will be the legal basis under Art. 6 Sec. 1 lit. b GDPR, to the extent that the collection of data represents a necessary prerequisite for the performance of a contract. Further processing in the form of use for marketing communications is generally covered by Art. 6 Sec. 1 lit. f GDPR, as the explicit mention in Rec. 47 S. 7 GDPR clarifies.[88]

c) Marketing of own similar products or services

Pursuant to Art. 16 Sec. 2 ePrivacy Regulation, the use of contact details for unsolicited marketing communications is justified only for the purpose of advertising the marketer’s own products or services that are similar to the ones purchased in the original sale. This requirement serves to limit the amount of marketing communications directed at the addressee. It follows the assessment that a customer has indeed shown their interest in a certain product and that the marketer may, thus, be privileged in its understandable interest in promoting further sales.[89] Yet, this proven interest must not lead to a boundless expansion of privacy interferences, and an adequate limitation of further communications is necessary. The addressee must not be, so to speak, flooded with follow-up advertisements of all conceivable kinds and, thus, have to give up their equally justified privacy interest completely. Limiting further advertisements to “similar products”, thus, serves as a means of balancing the conflicting interests.

It is questionable, however, how exactly the term ‘similar’ can be defined so as neither to overstretch nor to overly limit the respective prohibitions of follow-up marketing calls. Relevant criteria in determining proximity may relate to the category of the product, its appearance or its functional similarity.

d) Opportunity to object

End-users must be given the opportunity to object to unsolicited marketing communications. The possibility to opt out must be provided “clearly and distinctly”, “free of charge and in an easy manner”. The objection itself can be declared either formally or informally. Thus, the end-user does not have to use a specific form or procedure provided by the advertiser.[90] For the advertiser, this means that, even though providing forms, links to a respective website or other facilities (allowing customers to declare their objection) is mandatory, it cannot rely on customers actually using them.

In general, the standards for withdrawal of consent apply accordingly.[91]

In view of the wording “clear, distinct and easy”, the objection possibilities provided by the marketer must not be subject to excessive hurdles. Conversely, if the end-user prefers to object on their own terms, even an implied declaration suffices. Such a declaration might consist of, e.g., an entry in a so-called ‘Do Not Call list’ or a demonstrated lack of interest in the offers or advertising behavior.[92] In any case, end-users do not have to use the same communication channel as the advertiser. Yet, mere non-observance or non-response is not sufficient either, since an objection still requires active conduct and mere inactivity (or ‘silence’) has no legal significance.[93] Moreover, for the objection to be effective, it must be received by the advertiser, so that he or she is able to act on it.[94] An advertiser is barred from relying on a lack of receipt only if they have not provided the addressee with a valid address to which the end-user can send their objection.[95]

Pursuant to Art. 16 Sec. 2 S. 2 ePrivacy Regulation, the right to object shall be given at the time of collection of an end-user’s contact details and, where the end-user has not refused, each time the advertiser sends a marketing communication to that end-user. It is significant in this respect that Art. 16 Sec. 2 ePrivacy Regulation (partly) replaces the relevant provisions of the GDPR (particularly Art. 21 GDPR) and, thus, represents a lex specialis according to Art. 95 GDPR in conjunction with Art. 1 Sec. 3 ePrivacy Regulation. Yet, the standards for withdrawal of consent (as described above) apply accordingly.[96]

In view of the intricate relation between Art. 16 Secs. 1, 2 and 6 ePrivacy Regulation, a delimitation between the provisions is necessary. As stated before, Art. 16 Sec. 6 lit. d S. 1 Alt. 1 ePrivacy Regulation only repeats the formal requirements for an adequate objection possibility, which are already stipulated in Sec. 2, i.e. its provision free of charge, at any time and in an easy and effective manner, as well as the provision of the necessary information to this end.[97] Art. 16 Sec. 6 lit. d S. 1 Alt. 2 ePrivacy Regulation, in contrast, adds an independent stipulation to the extent that it allows for a withdrawal of consent whenever consent has been provided under Sec. 1.

e) Time limitation according to Art. 16 Sec. 2a

Art. 16 Sec. 2a ePrivacy Regulation allows Member States to implement time limitations under which contact details may be used for marketing purposes. Such a limitation may take into account the time frame within which follow-up communications by advertisers are expected. As regards the exercise of this delegation, Art. 25 ePrivacy Regulation applies.

[83] This also applies to a possible withdrawal of consent pursuant to Art. 16 Sec. 2 S. 1 HS. 2 ePrivacy Regulation with respect to Art. 7 Sec. 3 GDPR.

[84] As for instance by § 7 German Unfair Competition Act (UWG).

[85] Examples are provided in the paragraph before.

[86] Cf. § 311 Sec. 2 No. 1 – 3 German Civil Code (BGB).

[87] For details on these requirements, see, for instance, Herbst, in: Kühling/Buchner, DSGVO BDSG (2020), Art. 5 et seqq.

[88] Consequently, only the privacy intrusion in the course of an actual marketing communication remains to be justified separately pursuant to Art. 16 Sec. 1 ePrivacy Regulation.

[89] See No. III.2.a).

[90] Regarding the withdrawal of consent in related German law of unfair competition, cf. Köhler, in: FS Koppensteiner (2001), 431 (441); Seichter/Witzmann, WRP 2007, 688 (701).

[91] See No. III.1.b).

[92] Leible, in: Münchener Kommentar zum Lauterkeitsrecht (2020), § 7 Rec. 63; see also BGH, judgement of 14 March 2017, VI ZR 721/15 – Robinson Liste = GRUR 2017, 748.

[93] Rothermel/Dahmen, RIW 2018, 179.

[94] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 148a.

[95] Köhler, in: Köhler/Bornkamm/Feddersen, UWG (2022), § 7 Rec. 148a.

[96] See No. III.1.c).

[97] Pursuant to both Art. 16 Sec. 2 and Sec. 6 lit. d S. 1 Alt. 1 ePrivacy Regulation, the addressee shall be “clearly and distinctly give[n] […] the means to object […], free of charge, at any time, and in an easy and effective manner […] and shall provide the necessary information to this end.” Furthermore, “this means shall also be given at the time of collection of the contact details according to paragraph 2”. Consequently, Art. 16 Sec. 6 lit. d S. 1 Alt. 1 ePrivacy Regulation has no regulatory meaning different from that of Sec. 2 and must, therefore, be regarded as redundant. In this respect see also No. I.3. and No. III.1.c).

Bearing in mind the balancing of interests between justified marketing in a competitive market environment and the privacy and data protection needs of end-users, Art. 16 Secs. 3, 3a and 6 lits. a, b ePrivacy Regulation stipulate further conditions for undertaking unsolicited and direct marketing communications. The aim here is to make the origin and nature of a call as a marketing communication clearly identifiable and, thus, to provide the person concerned with a sufficient basis to decide whether to take such calls or open electronic messages. The provision, thus, complements the question of informed and voluntary consent.

In fact, the question arises as to what extent a provision on transparency can actually guarantee additional protection, or whether it is not rather just a repetition of the already existing requirements. Pursuant to Art. 16 Sec. 1 ePrivacy Regulation, respective information on the marketing purpose and the marketer must already be provided in order to allow for an effective declaration of consent. One might assume that those who are already informed of the respective communication background do not need to be presented with the same information again. However, a distinction must be drawn between the initial collection of the addressee’s contact details and the subsequent execution of the marketing call itself. Indeed, the collection of the addressee’s contact details and their respective consent to marketing communications requires comprehensive provision of information, for instance on the purpose and sender of the marketing. Yet, whenever a respective communication is made, this information might not always be directly available. An unclassifiable communication may, thus, despite a declared consent, be just as intrusive as an unconsented one. As regards follow-up communications after a specific purchase under Art. 16 Sec. 2 ePrivacy Regulation, this is all the more true, as in this case the addressee might not expect respective calls or e-mails at all. Consequently, additional information is necessary in order to ensure attributability to the marketer, such as its telephone number, a certain prefix indicating the nature of the call or effective return addresses to which the addressee can send a query or through which they can verify the origin of the communication.

Thus, the provision also serves to prevent conceivable misuse of the contact details under both Art. 16 Sec. 1 and Sec. 2 ePrivacy Regulation, since advertisers, being aware of their justification, could go ahead and attempt to disguise the nature of the communication, knowing that the addressee is entitled to withdraw their consent or to object at any time. Thus, transparency under Art. 16 Secs. 3, 3a, 6 lits. a, b ePrivacy Regulation ensures that the customer retains their decision-making basis for exercising the withdrawal and can make effective use of it. At the same time, it prevents unfair competition among advertisers by prohibiting them from gaining surreptitious advantages at the expense of the end-user.

According to Art. 16 Sec. 3 ePrivacy Regulation, advertisers shall present their calling line identification (i.e. their telephone number) as an exception to Art. 12 Sec. 1 lit. a ePrivacy Regulation, pursuant to which callers are provided with the opposite possibility.[98] Sec. 6 lit. a adds, moreover, that marketing calls shall provide effective return numbers, which will either need to be provided during the marketing call itself or, if the addressee cannot be reached, be indicated via voice mail.

[98] For details on calling line identification presentation and restriction, see comments on Art. 12 ePrivacy Regulation.

Member States are allowed to implement specific additional stipulations in order to guarantee sufficient transparency in direct marketing. According to Art. 16 Sec. 3a ePrivacy Regulation, this includes the introduction of specific codes or prefixes identifying the call as a direct marketing call. Since the provision does not indicate any further stipulations about what kind of numbers these may be, it seems expedient (in the view expressed here) to resort to already existing numbers, such as “0800”-numbers. These entail the advantage that the traffic has already become accustomed to them.

As regards email communications, Art. 16 Sec. 6 lit. a Alt. 2 ePrivacy Regulation stipulates that advertisers need to use effective return addresses. This means that, e.g., in the case of widespread “no-answer” email addresses, contact details of a contact person must be provided instead. Where intermediaries are commissioned to undertake the advertisement for the company, contact details of the latter need to be presented by the intermediary, pursuant to Art. 16 Sec. 6 lit. b Var. 3 ePrivacy Regulation.

In addition to presenting the calling line identification pursuant to Art. 16 Sec. 3 ePrivacy Regulation and the optional installation of specific codes or prefixes pursuant to Art. 16 Sec. 3a ePrivacy Regulation, advertisers need to reveal their identity to the addressee. The provision aims to prevent misleading product advertisements, which are not attributable to a particular sender and, thus, potentially dangerous to the customer. It also allows for (and requires) unambiguous identification of a communication’s origin, since return addresses or numbers alone might not reveal the actual person behind it. The provision, thus, complements the other transparency obligations regarding the CLIP (Sec. 3) allowing for callbacks, the installation of specific prefixes (Sec. 3a) and the provision of effective return addresses or numbers (Sec. 6 lit. a).

According to Art. 16 Sec. 6 lit. b Var. 1 ePrivacy Regulation, advertisers need to inform end-users of the marketing nature of the communication. This will, particularly, require the indication of the company name and, in cases of an e-mail advertisement, a layout that clearly identifies it as a marketing communication. This is of particular significance where Member States do not make use of the possibility to require specific codes or prefixes, since the marketing nature is then not already apparent from the calling line identification.

According to Art. 16 Sec. 4 ePrivacy Regulation, Member States are allowed to privilege direct marketing voice-to-voice calls. Recital 33a ePrivacy Regulation clarifies that such calls must not involve the use of automated calling and communication systems. Automated calling systems, in the legislator’s view, are costly only for the sender and impose no financial damage on end-users. This opinion may be doubted, however, since voice-to-voice calls may very well take up a considerable amount of time and cause considerable nuisance, particularly compared to e-mail marketing. Yet, Art. 16 Sec. 4 ePrivacy Regulation stipulates that Member States may allow such calls (of whatever type) towards natural persons who have not expressed their objection. That may also include the context of an existing customer relationship.[99]

[99] Rec. 33a. S. 2 ePrivacy Regulation.

Art. 16 Sec. 5 ePrivacy Regulation addresses the needs of legal persons with regard to direct marketing communications. Member States shall ensure that their legitimate interests are sufficiently protected. In this respect it must be noted that there is a significant difference in the quality of nuisance when comparing marketing communications towards natural persons on the one hand and legal persons on the other hand. While natural persons are affected in their private environment and, thus, in a particularly sensitive aspect of their lives, legal persons are set up to participate in trade and business from the outset. Consequently, they bring along a certain openness towards marketing communications, particularly to the extent that they themselves make use of them. Yet, this openness does not apply in every case (thinking of small and very client-focused operations) and generally has its limits. Thus, there is a certain need for protection, which has to be considered and adjusted accordingly. That said, the necessity of protection is significantly lower with regard to legal persons than with regard to natural persons.
