14 myths about when you can send promotional emails to whom — and when not

Myth 1

“In B2B, the requirements for email advertising are far less restrictive than in B2C.”

That is simply wrong. Reading § 7 UWG shows that the requirements are the same for e-mail advertising. Only when it comes to telephone advertising are they less restrictive in the B2B sector than in the consumer sector.

Myth 2

“The GDPR requires that consent must be obtained for email advertising via double opt-in.”

The term “double opt-in” does not appear in the General Data Protection Regulation or in other legal norms.

A double opt-in is not required for the consent to be legally effective. A single opt-in, a confirmed opt-in and even an oral consent are also effective consents. It is simply a question of providing evidence when it is disputed whether or not there is consent. With the help of the double opt-in process, you can hopefully prove that it was given.

The double opt-in process is a risk-minimizing method to prevent someone from signing up for promotional emails using someone else's personal email address. However, the risk/benefit ratio is best in most cases with confirmed opt-in. Since consent does not have to be activated separately, no opt-in is lost. (Also read: “Subscriber death due to DOI”) Instead, you receive confirmation that you have subscribed to a newsletter. And should the unlikely event occur that the recipient has not subscribed to the newsletter themselves, it can be unsubscribed directly via the unsubscribe link in the confirmation email.

With a single opt-in, the practical risk of escalation is slightly higher, as an advertising message comes out of the blue with the first email.

For everyone who hopes that the double opt-in procedure will provide them with 100% protection in the event of a dispute: Unfortunately, even a double opt-in does not guarantee that an e-mail advertising consent will be accepted as effective in court. This is because the requirements of the case law are extremely strict even with a double opt-in. For example, the Federal Court of Justice (BGH) requires a printout of the confirmation request, i.e. the double opt-in activation email. If this email cannot be presented, no expert evidence is collected as to whether a correct double opt-in procedure was based.

So if you want to do everything correctly, you have to save the DOI confirmation request so that you can print it out if necessary. This email contains a personalized hyperlink or string that must be clicked on. In addition, the web server log file must be saved in order to be able to prove that this exact URL was accessed shortly after the activation email was sent and that it is identical to the link called up in the email. All of these elements together provide the evidence required by the Federal Court of Justice.

In view of these absurdly high evidentiary requirements, a pragmatic approach is recommended: If an advertising recipient denies having granted the opt-in himself and has a lawyer warn, you pay the (usually manageable) warning costs, issue a corresponding declaration of injunctive relief, remove the person from the mailing list and ensure that future advertising mailings are blocked.

Myth 3

“If the IP address and time stamp are also saved with the newsletter subscription, the consent is legally documented.”

No For truly legally binding proof — see above — in addition to the IP address and the time stamps of the individual opt-in steps, the double opt-in activation email, the source or URL of the consent, the consent text and the activation link would have to be permanently stored in the email and in the web server log file. In view of the enormous effort involved, this happens very rarely in practice.

For practical risk management and proof of consent, the time stamp is important, but not the IP address. Since the IP address is usually part of the dynamic address pool of Internet access providers, it has only little evidentiary value with regard to a specific person and their location.

When acquiring newsletter subscribers, many companies neglect the documentation and accountability requirements arising from Article 5 (2) GDPR. After that, advertisers must be able to prove that they have met the requirements of the GDPR. A holistic approach is recommended for this, which, in addition to the time stamp and the link address of the registration page (referrer), in particular also secures the specific text of consent available at the time of registration as a screenshot and thus documents conclusively. And of course, the consent text itself should meet the requirements of the GDPR: It should clearly state who is sending the advertising emails and make it clear which products or services are being promoted.

Myth 4

“B2B customers with an active contractual relationship may receive promotional emails even without their prior express consent.”

No — this is not readily allowed in either B2B or B2C. Without the prior consent of customers, promotional emails may only be sent under the conditions of §7 (3) UWG (in Germany):

• The email address must have been collected in connection with the conclusion of a contractual relationship.
• An opt-out notice was given when the address was collected and this opt-out notice is repeated in every single promotional email.
• The advertiser may only advertise his own goods and services and these must be “similar” to those already purchased. What is meant by “similar” is legally unclear and disputed. As a guide, we think it's useful: The hair dryer is not similar to the washing machine, but the interchangeable lens is similar to the camera because it is an accessory.

Myth 5

“In B2B, you can send advertising emails to existing and interested customers even without an opt-in due to a balance of interests.”

Under the conditions of the German §7 (3) UWG, it is permitted to send advertising emails to customers (both B2B and B2C, but not interested parties) without prior active consent. Here, there is a balancing of interests in favour of the advertiser — but only if the requirements of §7 (3) UWG are met in full (see Myth 4). If this is the case, the interest of the company outweighs the recipient's interest in processing their email address. This results from the will of the legislator expressed in §7 (3) UWG in conjunction with the balancing of interests in accordance with Article 6 (1) f GDPR.

Myth 6

“No advertising consent is required to send service emails.”

Without consent, only e-mails relating to a contract may be sent, e.g. order and shipping confirmations, invoices, cancellation instructions or replies to complaint emails. Such emails are part of contract processing.

Service emails with cross-sell and upsell offers or shopping cart abandonment emails, on the other hand, aim to bring about a (further) conclusion of a contract. Since they are therefore not intended to fulfill the contract, they are clearly advertising.

The term advertising is broadly defined: Anything that serves to promote one's own sales is advertising. Even if additional advertising messages are only inserted in the footer of contract-related transaction emails, this is prohibited. However, since the risk of escalation appears rather low here, it can still be considered. In a similar way, companies also justify sending promotional service emails without consent: However, the sending is then a deliberate, calculated infringement of law that is committed because it makes very economic sense and is effective.

Myth 7

“E-mail advertising is not possible for (usually numerous) existing customers for whom there is no legally effective advertising consent.”

Advertising by e-mail is also possible without consent — as long as the advertising does not take place in the email but can only be seen on the landing page linked therein. For example, if a printer manufacturer informs its customers by e-mail that a firmware update is available for the printer used, this communication is permitted to fulfill the contract and therefore without consent. If this email links to a landing page that offers the firmware update for download, this landing page may also contain advertising for printer accessories or other offers from the manufacturer.

Important: The e-mail itself must be a service communication and must not give the impression that it is only used as a means of transport for advertising. If you look at the wide range of real contract-related events that occur again and again — from changed service hours to a change of name to the new customer portal — the possibilities are few limits. And even with service emails with an indirect sales connection that go beyond the “pure” contract reference (e.g. for end-of-support or end-of-life software), pragmatic risk management can point the way. Because if the email offers the recipient real added value, the probability of escalation with regard to “unauthorised advertising” is very low.

Myth 8

“Contacts with opt-in must also be contacted, otherwise the consent expires after one year at the latest.”

There is no legal provision that requires you to send an advertising email at least every six months or annually so that the advertising consent does not expire. However, for reasons of practical risk management, it is advisable to avoid longer “breaks” from shipping. This is because subscribers quickly forget that they have consented. This can lead to complaints, and proving the opt-in is then often difficult.

Myth 9

“Email advertising consents are generally only valid if the contact has actively agreed via a checkbox.”

No If the registration form is used exclusively for the purpose of collecting subscriptions, clicking on the “Send” button represents active consent. In this case, a separate checkbox would be “double-mopped”. If, on the other hand, the form has another purpose in addition to the newsletter opt-in — such as ordering sneakers or a white paper — the advertising consent must be obtained separately by clicking on a separate checkbox. The legal keyword here is “separate explanatory act” — a phrase introduced by the Federal Court of Justice in its famous payback ruling from 2008. According to the Federal Court of Justice, consent to e-mail advertising must not be combined with another legal declaration, such as the conclusion of a contract.

Myth 10

“The consent of email recipients to click tracking must be given independently of the advertising consent and may only be offered as an option.”

Given that a “separate explanatory action” is required, this sounds plausible at first. This is because tracking is consent under data protection law based on the GDPR, while email delivery is based on “harassment” consent based on the UWG in Germany.

Recital 43 of the General Data Protection Regulation shows the way to combine “harassment” consent with tracking consent. It states: “Consent is not considered to have been given voluntarily if consent cannot be given separately for various processing operations of personal data, although this is appropriate in individual cases.” If you request consent to tracking separately and optionally, it basically conceals two different newsletters, namely a personalized newsletter service and a “watering can” newsletter service. If the company only sends personalized advertising emails that technically require interest tracking, the combination of the two consents in a declaration is “appropriate in individual cases” and the advertising consent can be combined with the tracking consent.

Myth 11

“The number of email subscriptions can be easily and significantly increased by combining them with attractive competitions.”

Due to the coupling ban in Article 7 (4) GDPR, a combination needs to be carefully considered. Linking according to the logic is prohibited: “If you give us your consent to email advertising, you can take part in our competition.” If you turn the mechanics of the competition around, you avoid the pairing ban: “We are giving away... among all subscribers to our newsletter.” In other words, it is allowed to send advertising gifts to people who have given their consent. For a detailed discussion of this topic, we recommend our blog post:” Search: Email Opt-In. Offer: added value.

Myth 12

“Email advertising consents must be obtained again if the shipping service provider changes or the advertiser changes their name.”

Switching to a new email service provider only requires renewed consent if subscribers were explicitly asked for their consent to receive promotional emails from the former email sender when giving their original consent. Obtaining this consent is a manual mistake that should be avoided as far as possible.

The ideal solution is to list the current email marketing platform in the privacy policy and to refer to this privacy policy at the end of the consent text of the promotional email. Example: “I can find more information about the use of my data in the privacy policy.” Such wording meets the obligation to provide information on the data protection notices, which must be fulfilled in accordance with Articles 13 and 14 GDPR. It is also essential to avoid wording according to which the subscriber “confirms” with his consent that he has “read” or even “accepted” the data protection regulations. In doing so, they become part of this consent — with the potentially serious consequences described above. The advantage of mere information: If the email provider (or any other technical detail) changes, only the data protection information needs to be updated. The validity of the advertising consent remains unaffected.

If the advertising company changes its name (only this is meant by the term “change of name”), this does not change the validity of the advertising consent. This is because the legal entity behind the (changed) name remains the same. Even if two companies merge, this usually does not jeopardize the advertising consents submitted by both companies. True, in this case, another legal entity is created. However, due to the overall legal succession defined in the Transformation Act, all rights and obligations of the two merged companies “stick” to the legal successor.

Myth 13

“Email subscriptions obtained before the GDPR came into effect in May 2018 do not have to meet the requirements of the GDPR.”

No If you invoke the validity of advertising consents obtained before May 2018 today, they must meet the requirements of the GDPR in force today.

Myth 14

“The GDPR requires that it must be possible to unsubscribe from promotional emails with one click.”

With many email service providers, clicking on the unsubscribe link in the footer of the email leads to immediate unsubscription. This artificially increases the unsubscription rate without need. Because quite a few subscribers click on the unsubscribe link without really wanting to unsubscribe. Click statistics from senders who work with a two-click unsubscription are informative. For them, the click in the email first leads to an unsubscribe landing page. Only a click on the “Unsubscribe” button displayed there deletes people who want to unsubscribe from the mailing list. Result: Significantly more recipients regularly click on the unsubscribe link in the email than actually unsubscribe on the landing page.

But is a two-click unsubscription process GDPR-compliant? Definitely yes! According to Article 7 (3) sentence 4 GDPR, withdrawing consent must be as simple as granting consent. Since you can't order a newsletter with one click — after all, at least the email address must be entered — it doesn't have to be possible to unsubscribe with one click.

‍

Please note: This article is an English translation of an original text written in German for a German audience. It was prepared for informational purposes only and reflects the context, terminology, and legal framework applicable in Germany at the time of writing. Any references to laws, regulations, or legal concepts pertain specifically to German law and may not apply in other jurisdictions. This translation is provided without any guarantee of accuracy or completeness and should not be considered legal advice.