B2B website visitor tracking in an indirect sales model

Is it allowed to share identified website leads with sales partners?

by Dr. Thomas Schafft, specialist lawyer for information technology law, SSH Rechtsanwälte

I. Facts

We discussed the basic facts of the legal admissibility of B2B website visitor recognition in the report some time ago Data protection when tracking websites for lead generation discussed — with an overall positive conclusion.

In the present constellation, the question is whether the manufacturer and operator of a B2B website may transfer the following data obtained using visitor recognition software to his indirect sales partner:

• company name of the identified company (e.g. “XY GmbH”);
• general contact details of the identified company (i.e. postal address, website address, generic company phone number, generic email address such as “info@...”);
• The areas of interest of the website visitor identified by the recognition tool (e.g. “Product Category 1”, “Product Category 2”, etc.);
• The corresponding pages of the website visited, each with
  
  • time stamp (e.g. “07.01.23 17:56:29 “),
  • URL (such as “https://www.hersteller.com/produktkategorie_1 “) and
  • Duration of visit to this page in hours/minutes/seconds (e.g. “00:00:30 “).

The possible submission of further data is outside the scope of this report.

II. Legal assessment

In the previous assessment of cookie-less website visitor identification, one of the main arguments in the balancing of interests was that — normally — there is no transfer of data to third parties and the “number of actors involved” is therefore low: According to the supervisory authorities, a potentially critical aspect of website tracking is when tracking information collected is passed on to third parties who then process this data on their own responsibility (as is the case, for example, when tracking from advertising networks is typically the case).

This is stated in the abovementioned report under the heading “Stakeholders involved”:

“The more responsible persons, contract processors and other recipients are involved in the processing activity, the greater the impact on the persons concerned. In the case of B2B website analysis, however, there is only one person responsible (namely the website operator) who uses the tracking service provider as the only order processor. There is no particular impairment for the persons concerned.”

The question therefore arises as to what influence the transfer of company data to indirect sales partners described above has on these arguments and the balancing of interests based on them.

1. Not a personal connection, but a company connection

The admissibility of the described transmission is initially supported by the fact that the recognition solution's data collection based on static (non-dynamic) IP addresses does not collect personal data, but only company-related data, so that the scope of application of the GDPR per se is not opened up. In this regard, reference is made to paragraph 2. a) of the above basic report. The considerations there regarding the lack of personal reference to the processed data also apply to the transmission of the data categories described in Section I above to sales partners. In the absence of applicability of the GDPR, the arguments raised in the introduction are therefore not decisive at all as part of the balancing of interests.

2. Balancing of interests in indirect sales

If — contrary to the above considerations — the data processed by the tracking software is personal, the question remains whether the transfer of the data categories described in Section I above to sales partners can still be justified by a balancing of interests in accordance with Art. 6 para. 1 f) GDPR. Here are the following considerations:

• The supervisory authorities' concerns mentioned above are essentially based on the fact that the transfer of data to third parties may result in a de facto “loss of control” of their data by data subjects. In the context of website analysis, the supervisory authorities are thinking in particular of independently acting “players” such as Google, Facebook or large advertising networks, which collect data on many different third-party websites and then process this data on their own responsibility (and largely at their own discretion). However, such a “loss of control” can be avoided if the website operator does not pass on the data collected via the recognition platform to an indefinite number of recipients, but — ideally — only to one of its sales partners who is best positioned to process the corresponding lead (e.g., in the case of regionally organized sales, the respective regionally responsible sales partner).
• To prevent the potential loss of control by the persons concerned, it can also be provided that the sales partner may not freely use the data received from the website operator at its own discretion, but that the sales partner contractually — insofar as relevant and practicable — subject to the same restrictions that the website operator imposes on himself with regard to the data collected via website tracking. In particular, this includes that the sales partner must also delete the data received within the deletion periods set by the website operator and may not pass it on to additional third parties (or at least only under the same restrictions as with the website operator himself, i.e. the transfer of the sales partner to a sub-sales partner could be just as possible and regulated as the previous transfer of the website operator to his immediate sales partner).
• As a result of such contractual arrangements with the sales partner, his position is closer to that of an order processor for the website operator, even if the actual contact with the interested party is made by the sales partner as an independent company and in his own name, i.e. under its own data protection responsibility (so that there is no order processing in the strict sense of the word). This position, which is approximate to order processing, is an additional argument that the persons concerned are not at a disadvantage as a result of the involvement of sales partners in this way.
• An important argument in the balancing of interests is also the legitimate expectations of the affected website visitors, see recital 47 sentence 1 of the GDPR. In view of these expectations, the website privacy notices should not only provide information about the use of recognition technology as such, but also about (i) indirectly organized distribution and (ii) the transfer of the data set out in Section I above to these indirect sales partners.

In view of these considerations, there are no significant disadvantages for the affected website visitors even in the constellation considered here. There are therefore better arguments here too that, in any case under the conditions described above, i.e. with

• transmission only to the (one) responsible sales partner,
• contractual transfer of restrictions set by the website operator for handling website company visitor data (e.g. short storage period with the sales partner, further data transfers from the sales partner to (one) possibly responsible sub-sales partner, etc.) and
• corresponding information about the involvement of indirect sales in the website privacy policy

The transfer considered here can also be based on the balancing of interests in accordance with Art. 6 para. 1 f) GDPR. Any consent from website visitors is therefore not required in this respect either.

Whether the transfer of data would be permitted even without the described framework conditions (e.g. to an unlimited number of distribution partners without requirements for their further data processing) is not the subject of this report.

3. Competition law requirements

The fact that, when transmitting data to indirect sales partners, among other things, a (generic) telephone number and/or a (generic) e-mail address of the company is transmitted, does not mean that the sales partner may automatically use this data to contact you by telephone and/or e-mail. Even in the B2B environment, Section 7 UWG in Paragraph 2 No. 1 and No. 2 sets relatively tight requirements for commercial contacts by telephone and/or e-mail, which are generally only permitted with the prior consent of the respective addressee. These legal requirements must — of course — also be observed by the respective sales partner.

The consent of the addressees required in accordance with § 7 UWG cannot necessarily be obtained via the recognition software. Nevertheless, the transmission of telephone number and e-mail address to the sales partner appears to be useful (and therefore necessary in terms of data protection law), since, for example, after a successful initial contact by letter — which is also permitted without the consent of the addressee — with positive feedback from the contacted company, this data is required for further coordination with the interested party.

However, the details of the competition law restrictions under Section 7 UWG applicable to advertising contacts without prior consent are not the subject of this report.

4. International data transfers

As an additional facet, it should be noted that the GDPR, in its Art. 44 ff., imposes certain restrictions on the transfer of personal data to countries outside the EU. If you regard the data described in Section I as personal (which, in the opinion expressed here, is already not the case, cf. section II.1 above) and the indirect sales partner is based outside the EU, the corresponding transfer would have to be considered in more detail in the light of Art. 44 et seq. GDPR.