Data privacy and website tracking
Is B2B website visitor recognition legally permitted? by Dr. Thomas Schafft, specialist lawyer for information technology law, SSH lawyers
Various providers of special web analysis tools for B2B websites advertise that they turn anonymous website visitors into concrete leads for the website operator. In particular, the website operator is supposed to be able to recognize
- Which companies have visited his website and
- Which website content the respective visitors were interested in.
For example, the digital marketing agency Publicare could use such software to recognize that an employee of the (fictitious) XYZ GmbH visited the website publicare.de on April 14, 2020 from 3:30pm to 3:45pm and read various articles about email marketing. To make contact easier, the tool also provides the website address of XYZ GmbH and the postal address derived from it; further processing of this lead can therefore begin.

I. How it works
The tracking tools primarily evaluate the IP addresses of the respective website visitors. Using publicly available “Whois” databases and, where appropriate, additional proprietary databases, providers can assign specific static IP addresses to a specific organization. For example, it can be recognized that a (fictitious) website visitor with the IP address 160.46.226.100 is probably an employee of BMW, a visitor with the IP address 143.163.12.100 is likely to be an employee of Volkswagen, and the IP address 141.113.0.100 points to a visit by a Daimler employee. Website visitors with dynamic IP addresses, on the other hand, are ignored by B2B tracking tools, as such visitors (i) are “just” private individuals and (ii) cannot be identified more precisely on the basis of the dynamic IP address anyway.
The main service of providers is therefore to filter out unidentifiable website visitors based on their (dynamic) IP address even before tracking and only to record visits that can be assigned to a specific company based on the (static) IP address. In addition to identifying this company, the providers collect the typical other information of web analysis software, such as the so-called referrer (in order to recognize the “source” of the visit and, for example, associate it with a specific Google Ads campaign) or the visitor behavior on the website, for example in order to infer the specific areas of interest of the visitor from the pages visited.
It is noteworthy that the providers of such tracking tools do not typically use cookies for their analyses, i.e. it is a variant of “cookie-less tracking.” Certain information can therefore necessarily not be collected for technical reasons, such as the cross-session recognition of repeated visits by the same user. However, for lead generation in the B2B context considered here, such additional information is of secondary importance anyway.
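The filtering and lookup described in this section, as an added illustration that is not code from the article or from any of the tracking vendors it refers to. The prefix table, the log format and the sample log are constructed; the keyed (HMAC) one-way hash of the address is an assumption that goes one step beyond the plain “one-way hashes” discussed under II.2.a below, because an unkeyed hash over the small IPv4 space can be recomputed for every address.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime

# Constructed stand-in for the Whois / proprietary database (static prefix -> organization).
# The prefixes are IETF documentation ranges and the company names are fictitious.
STATIC_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "XYZ GmbH",
    ipaddress.ip_network("198.51.100.0/24"): "Example AG",
}

# Secret key held only by the controller (assumption). An unkeyed hash over the 2^32 IPv4
# addresses can simply be recomputed for every address; the key makes the pseudonym hard to reverse.
HASH_KEY = b"constructed-secret-key"

def lookup_org(ip):
    """Organization for a recognized static address, or None for unknown/dynamic ones."""
    addr = ipaddress.ip_address(ip)
    for net, org in STATIC_PREFIXES.items():
        if addr in net:
            return org
    return None

def pseudonymize(ip):
    """Keyed one-way hash of the address; the raw IP itself is never stored."""
    return hmac.new(HASH_KEY, ip.encode(), hashlib.sha256).hexdigest()

def parse_line(line):
    # constructed log format: "<ip> <iso-timestamp> <path> <referrer>"
    ip, ts, path, referrer = line.split()
    return ip, datetime.fromisoformat(ts), path, referrer

def recognize_visits(lines):
    """Group recognized visits by organization; unrecognized visitors leave no record."""
    visits = {}
    for line in lines:
        ip, ts, path, referrer = parse_line(line)
        org = lookup_org(ip)
        if org is None:
            continue  # dropped before tracking, as the tools described above do
        rec = visits.setdefault(org, {"ip_hash": pseudonymize(ip), "pages": [],
                                      "referrers": set(), "first": ts, "last": ts})
        rec["pages"].append(path)
        rec["referrers"].add(referrer)
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return visits

# Constructed sample log: three XYZ GmbH hits, one unknown (dynamic) visitor, one Example AG hit.
SAMPLE_LOG = [
    "203.0.113.77 2020-04-14T15:30:00 /blog/email-marketing-basics google-ads",
    "203.0.113.77 2020-04-14T15:38:00 /blog/email-deliverability google-ads",
    "192.0.2.15 2020-04-14T15:40:00 /blog/email-marketing-basics -",
    "198.51.100.9 2020-04-14T16:02:00 /services/crm -",
    "203.0.113.77 2020-04-14T15:45:00 /contact direct",
]
```

Running `recognize_visits(SAMPLE_LOG)` yields one record per recognized company with the pages read, the referrers and the first and last hit, while the visitor from 192.0.2.15 is never written anywhere.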
II. Legal assessment
Like any other website tracking, the technology described here also raises data protection issues. These arise in particular from the European Directive on privacy and electronic communications (Directive 2002/58/EC as amended by Directive 2009/136/EC, see below under 1.) and the European General Data Protection Regulation (“GDPR”, see under 2.).
1. Directive on privacy and electronic communications
The “cookie banners” that are becoming increasingly prominent on many websites, asking for consent to cookies and the website tracking based on them, are primarily based on the Directive on privacy and electronic communications. Article 5 (3) of this Directive reads literally (with highlighting and omissions (...) added here):
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned (...) has given his or her consent. This shall not prevent any technical storage or access if (...) this is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
This legal norm is remarkable for the following reasons:
- The “storing of information” in a user's terminal equipment and “access to information already stored” there refer in particular to cookies that are set or read in the browser of a website visitor.
- According to Article 5 (3), such cookies (and comparable storage technologies such as DOM Storage) are only permitted if
- either the user has consented to them (cf. sentence 1 of the provision quoted above), or
- they are technically absolutely necessary in order to make the visited website available (cf. sentence 2 of the provision quoted above).
Tracking and marketing cookies are virtually never “absolutely necessary” within the meaning of sentence 2, so that they are only admissible under sentence 1 with consent. The aim of cookie banners that are being used more and more frequently is to obtain such consent.
However, these legal considerations arise only with cookie-based website tracking, since only then is there any “storing of information” in a user's terminal equipment or any “access to information already stored” there. As described above, the providers of the specialized B2B tracking solutions considered here typically work without cookies or similar storage technologies; they confine themselves to evaluating the IP address. Unlike “normal” (i.e. cookie-based) website tracking, Article 5 (3) of the Directive on privacy and electronic communications therefore plays no role here: the admissibility of B2B tracking is governed solely by the GDPR.
2. GDPR
a) IP addresses as personal data?
The GDPR applies exclusively to the processing of “personal data.” According to the legal definition in Article 4 No. 1 GDPR, this means
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The limitation to “natural persons” (i.e. people) means in particular that data about organizations and legal entities, such as a GmbH or AG, does not fall within the scope of the GDPR.
The first question is whether static IP addresses, which are typically used only by companies and not by private individuals, relate to natural persons at all. If not, they (and any other information collected with them) do not constitute personal data and the GDPR is not applicable at all. In the case of dynamic IP addresses of private Internet users, the music industry's systematic legal action against illegal file sharing shows that individual Internet users can in many cases be identified (and thus also legally prosecuted) via their Internet service provider on the basis of their dynamic IP address. Case law therefore assumes that dynamic IP addresses are not anonymous but, at least in certain cases, personal data (see, for example, a Federal Court of Justice ruling of May 16, 2017). Static IP addresses, on the other hand, are assigned only to an organization such as the “XYZ GmbH” mentioned in the introduction. In contrast to Internet service providers with their dynamic IP addresses, such companies in most cases keep no log files about the Internet usage of their individual employees. As a result, the additional information needed to attribute a visit to the website in question by “XYZ GmbH” to one specific employee of that company is simply missing. Whether static IP addresses have any personal reference at all is therefore highly questionable.
Technically, one can also refrain from using the static IP addresses directly for analysis and instead obscure them further with “one-way hashes” that cannot be reversed. The argument that such “hashing” anonymizes the underlying input data is not accepted by the supervisory authorities, at least for clearly structured input data such as telephone numbers or e-mail addresses, and so far the courts have supported this view (see paragraph 45 of a ruling of the VG Bayreuth of May 8, 2018, which was upheld on appeal by the VGH Munich). Nevertheless, the use of such one-way hashes remains useful and desirable as an additional data protection measure. In any case, it reinforces the argument that the data used is company-related rather than personal, and thus outside the scope of data protection law.
Even if one does not follow these considerations and regards static IP addresses as personal data too, their personal reference is at least extremely weak. Identifying a natural person by name, address or email address is very easy, so the use of such “identifiers” is possible and comprehensible for virtually anyone. In contrast, the B2B tracking considered here would require, if it is possible at all, at least considerable research effort to identify not only the company but also the specific natural person who visited the website (e.g. with the help of log files about Internet use kept by that person's employer, which, if they exist at all, are virtually never accessible to third parties outside the company). In addition, as a rule neither the website operator nor the tracking service provider has any interest in identifying this natural person. Companies use B2B web analysis to identify organizations whose website visit suggests sales potential, not to find out which specific natural person at that organization visited the website and thus expressed interest. Even if one regards static IP addresses as personal data, they are at least “almost anonymous,” which plays a role in the subsequent legal assessment.
b) Data protection justification
If one regards the data collected by the B2B trackers as personal data, the next question is how the processing of this data can be justified under the GDPR. For this purpose, at least one of the legal bases set out in Article 6 (1) GDPR must apply.
One approach would be consent in accordance with Art. 6 (1) (a) GDPR. Such consent would have to be obtained via a “cookie banner” of the type mentioned above, i.e. when the website is accessed, a corresponding pop-up appears asking for consent. From the website operator's point of view, this solution has the disadvantage that many visitors will not be inclined to give consent. The website operator then necessarily loses information about their visits.
Not all processing of personal data requires consent. Alternatively, and more economically viable, website tracking can also be based on a balancing of interests in accordance with Article 6 (1) (f) GDPR. The provision reads:
“Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data...”.
It is generally accepted that the interest in targeted advertising is a legitimate interest of the respective website operator. The question therefore remains as to whether the “interests or fundamental rights and freedoms” of website visitors outweigh this advertising interest of the website operator.
It is important that this balancing of interests is based solely on possible counter-interests of the individual employee whose personal data is collected during website tracking. The confidentiality interests of their employer, who may not wish to reveal which topics the company is currently interested in, are not personal and therefore are not to be taken into account in this balancing of interests.
Any balancing of interests under Article 6 (1) (f) GDPR is subject to a certain degree of uncertainty. However, the German data protection supervisory authorities have shown in an opinion (see in particular page 11 et seq.) that tracking of visitors under Article 6 (1) (f) GDPR may well be justified, in particular for “less sensitive” websites. With regard to the parameters the supervisory authorities use for balancing interests (see page 16 of the opinion), the following can be stated, particularly with regard to B2B website visitor recognition:
- Reasonable expectation of data subjects and predictability/transparency: Of course, the website's privacy policy must provide information about the use of a B2B tracking tool. However, the supervisory authorities also regard two aspects as critical, namely
- the possible transfer of tracking information to third parties, who then process this data on their own responsibility (as is typically the case with advertising networks, for example). In the case of the B2B website analysis considered here, this is no problem, as the relevant service providers act as mere processors and are therefore legally “in the website operator's camp”; or
- techniques that capture and document the behavior of website visitors in detail, such as recording mouse and scrolling behavior, which in the view of the supervisory authorities lies outside users' expectations. The extent to which such techniques are used, and therefore have a negative impact on the balancing of interests, depends on the specific design of the B2B website tracking.
- Intervention options for data subjects: B2B tracking tools typically offer website users the opportunity to object to the collection of their data. This unrestricted right of objection is a positive factor in the balancing of interests.
- Linking of data: The sole aim of B2B tracking solutions is to recognize and record the use of their own website by specific companies. There is therefore no risk of linking with other data sets, as would be the case with cross-website usage recording, for example. This is also a positive factor in the balancing of interests.
- Actors involved: The more controllers, processors and other recipients are involved in the processing activity, the greater the impact on the data subjects. In the case of B2B website analysis, however, there is only one controller (namely the website operator), which uses the tracking service provider as the sole processor. There is no particular impairment for the data subjects here.
- Duration of observation: As part of the evaluations, it is relevant how long it is possible to recognize users and to be able to collect and assign information about usage behavior. With the “cookie-less tracking” considered here, it is already technically impossible to recognize individual visitors across sessions, which also has a positive effect on the balancing of interests.
- Group of people affected (such as people in particular need of protection): B2B website tracking is limited to employees of companies who visit a third-party website as part of their professional activities. There is no particular need for protection for such groups of people.
- Data categories: Various aspects play a role here:
- The evaluation should take into account which categories of data are collected and to what level of detail information is collected (e.g. mere logging of which pages and files were accessed, as a particularly uncritical design; a further recording of mouse movement and scrolling behavior as a more critical design). Once again, it depends on the specific design of B2B website tracking which of these techniques are used and therefore have either a positive or negative impact when balancing interests.
- As part of the balancing of interests, it must also be considered whether the person concerned can be identified directly or only indirectly. The “almost anonymous” nature of the data collected as described above plays a role here, as the specific person of the website visitor cannot usually be identified by the website operator.
- Finally, the B2B nature of the websites visited must be considered. Visiting such a website is not suitable for evaluating “personality descriptive aspects” such as work performance, economic situation, health, personal preferences or interests, reliability or the behavior of the visitor in general. This is also a positive factor in the balancing of interests.
- Scope of data processing: The larger the amount of data processed, the higher the risk to the rights and freedoms of the data subject.
- Here, too, it depends on the specific design of the B2B website tracking how much detailed information is collected about the visit to the website, which in turn is either positive or negative when weighing up interests. In terms of their basic structure, however, the B2B tracking tools are designed to be more “data-efficient”, as they are primarily concerned with two very manageable pieces of information: (i) that a specific company has visited the website and (ii) which subject areas on the website were of interest.
- The scope of data processing is also closely linked to the storage period. The shorter the storage period of the collected data set by the website operator, the better this is as part of the balancing of interests. If data is stored permanently over a long period of time, this increases the scope of data processing. If, on the other hand, the website operator decides to store the data collected by the tracking tool for a rather short period of time, this is considered positive as part of the balancing of interests.
III. Conclusion
In light of these considerations and in light of the opinion published by the supervisory authorities, it appears very reasonable to use the solutions considered here to record B2B website visitors even without the prior consent of website visitors.
You can also read about this in our blog: “Three B2B website tracking tools in a comparative test” and “B2B web analysis: Identify anonymous website visitors with sales potential”.
Please note: This article is an English translation of an original text written in German for a German audience. It was prepared for informational purposes only and reflects the context, terminology, and legal framework applicable in Germany at the time of writing. Any references to laws, regulations, or legal concepts pertain specifically to German law and may not apply in other jurisdictions. This translation is provided without any guarantee of accuracy or completeness and should not be considered legal advice.