No (Further) Damage Claims For Spam Under GDPR
Plaintiff sought damages for an unsolicited email. In an effort to prevent a court action, defendant offered €50 to plaintiff. Plaintiff felt the amount insufficient and pursued a court action.
The AG Diez ruled any fine had to be commensurate with the harm. It questioned whether any amount was appropriate in the instant case, which involved only a single email. Since defendant had already voluntarily offered €50 (albeit outside any court action), the court determined any further claims would be inappropriate and disproportional to any alleged harm.
jbho: if only plaintiff could have brought claims under the TCPA…
A lower court decision, but interesting to see that actual damages are being considered in the determination of any fines.
Three Cases Delineate The Boundaries Of The “Soft Opt-In” In Germany
1) Product Inquiry No Grounds For Soft Opt-In – OLG Düsseldorf
An insurance company allegedly sent two marketing emails to a consumer who had asked about – but had not purchased – products from the sender. The lower court ruled the inquiry alone was not sufficient to establish consent to send the marketing emails.
The regional court agreed, finding that collecting contact information as part of an inquiry was not “collected in connection with a sale.” Thus, there was no implied consent.
However, the court overturned the lower court decision since the insurance company was able to produce sufficient evidence that it had obtained consent orally, and the subjects of the emails fell within the scope of that orally obtained consent.
2) Soft Opt-In Does Not Apply to Entire Catalog Of Goods and Services – LG Frankfurt
An online retailer sent a marketing email to a customer who had previously purchased a gaming chair. The email offered a coupon valid for “150,000 items” available at the online store. The court found there was no consent since the email advertised products beyond the similar products/services previously purchased by the customer. That is, the “Soft Opt-In” consent did not extend to the entire product catalog.
3) No Consent If Can Only Opt-Out Later – LG München
An online store for baby products required users to create an account to make a purchase. To create the account, users were required to provide an email address. The final step presented users with the following language:
The company argued it could leverage the “Soft Opt-In” consent as the contact information was collected connection with a sale. The court disagreed, finding that for the “Soft Opt-In” to be valid, individuals must have an opportunity to decline to be contacted when first providing contact details. The statement “I can revoke this consent at any time” was insufficient to meet that requirement.
jbho: an important clarification. Previous advice indicated an inquiry could establish a “soft Opt-In” consent. It appears in Germany, that may not be the case. Additionally, it appears the “Soft Opt-In” doesn’t permit all 1st party marketing, but is a consent limited to the specific product categories purchased. Finally, a reminder that pre-checked tickboxes remain controversial. One wonders if there truly is a safe way to do them in the EU. In the last case (baby product website) it appears there was pre-checked tickbox on the website’s “add to cart” page asking for email consent, but that may have not been sufficiently connected to the registration process to validate a final consent.
So I’m updating my guidance:
A “Soft Opt-In” is where the following conditions are met:
• Personal information is collected in conjunction with a sale
• No ‘sensitive information’ is used
• Marketing is restricted to
similar products/services similar to those purchased by the consumer (i.e., 1st party marketing)
• Individuals have an opportunity to decline to be contacted when first collecting contact details, and offered an opt-out in every message sent
Note that a pre-checked tick box, in and of itself, does not constitute a “Soft Opt-In.” All the above conditions must be met. That is, to the extent you want to try to rely on a pre-checked tick box.
Also, a reminder that if you are obtaining consent orally, it’s a good idea to keep call recordings.
€140,000 For Unsolicited Telemarketing
Gas and Power provider E Wie Einfach allegedly made calls encouraging consumers to change their energy providers. The Bundesnetzagentur determined that the calls were telemarketing, and issued the fine based on the volume of complaints it received over the past three years. The Bundesnetzagentur also noted E Wie Einfach could not shift liability for calls made by its vendors, finding “companies who fail to control thier telemarketing vendors must expect high fines in the future.”
E Wie Einfach has appealed the decision.
jbho: a reminder to get opt-in consent for telemarketing, and don’t try to overload ‘operational’ messages with marketing. And make sure to vet vendors making calls on your behalf.
Providing Email Address At Signup != Email Marketing Consent
An online sporting goods store required users to provide an email at signup. Sign-up terms included a message stating, “As a customer, your data will be used for the purpose of fulfilling the contract and for our own advertising purposes.” The court ruled this was insufficient for consent to market, as the user was only proving an email for the purposes of effectuating an order.
Consent to market required a separate, express indication of consent, such as a check-box. Thus, the unsolicited mails were spam.
jbho: a reminder that you have to tell people they will be marketed to, and let them object before the first message is sent.
And some great GDPR advice: market to people who want to be marketed to!
Customer Survey Emails Are SPAM
The regional court in Hannover ruled that a customer satisfaction email sent by a seller on amazon constituted an advertisement. The email read:
“You recently bought a product from us and we would like to again thank you. If you are satisfied with the product, we would appreciate a quick feedback.
If you have any questions about your product or experience a problem, my team and I are always happy to help.
We hope you enjoy your item and hope you will come back soon as an Amazon customer …”
The court ruled that since the purpose of the email was to promote customer loyalty – an indirect promotion – the email was advertising, and required the explicit consent of the recipient.
jbho: interesting. Since the mail was sent in the context of a purchase, I would think consent for an marketing email was provided though a Soft Opt-In. Although, I haven’t seen the entire purchase flow, so perhaps there weren’t sufficient disclosures to indicate consent?
Nonetheless, a reminder that there is no primary purpose rule in Germany, and any marketing content makes the whole message marketing.
Company Logo In Email Signature is Not Marketing
The regional court in Frankfurt found that inclusion of a logo in an email footer, with a link to a company’s home page, did not constitute adverting. The court found the logo placement was simply informational, and not intended to promote the sale of a specific good or the provision of specific service. The (invisible) link behind the logo created no confusion, or need to mentally “sort out” any advertising in the e-mail, thus was not spam.
jbho: good to see the court take a common sense approach.
Although, serves as a reminder that jurisdictions outside the US do not recognize the “primary purpose” doctrine under CAN-SPAM, and any incidental marketing content can make the whole email marketing.
Promotional Material In Auto-Reply Email Is Spam
The regional court in Bonn ruled that autoreply emails that included a text block promoting security services was unsolicited advertising. The text read:
“How do you protect yourself and your data from cybercriminals and other threats? We’ll show you what to watch for at “
Since individuals had no way to prevent receiving such (marketing) messages, the messages were unsolicited spam.
jbho: don’t overload operational messages with marketing content. Alternatively, keep separate lists of opted-in/opted-out users to determine when it’s okay to add the incidental marketing.
This opinion is consistent with other courts in Germany, that warn against including any form of self-promotion, including messages like ‘download our app’ or ‘visit our new website.’
300,000 Euro For Unsolicited Telemarketing
The Bundesnetzagentur (BNA – Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway) has issued a €300,000 fine against Energy2Day for a telemarketing scheme designed to get individuals to change their energy service provider. The BNA initiated the investigation after receiving some 2,500 consumer complaints. Although calls were not made by Energy2Day, it was liable since it failed to exercise proper control over the subcontractors making the calls.
€300,000 is the maximum penalty the BNA can issue.
jbho: a reminder that if you are going to engage third parties, make sure to perform due diligence to ensure any data they use is collected in a fair and lawful manner. Additionally, get representations and warranties that proper consent is obtained, and do your own due diligence to make sure the vendor is meeting those obligations. And make sure you have well-constructed contractual agreements to make sure vendor obligations are clearly defined, and liability is appropriately distributed.
Bundling Invalidates Consent; ‘Customer Service’ Too Vague To Be Meaningful
The high court in Köln ruled language embedded in consumer facing telecom contract was insufficient to deem consent to use personal information. The language read:
“I would like to be informed about Telco’s new offers and services by email, phone, SMS or MMS. I agree that Telco may use data provided under the agreement for customer service purposes, through the end of the year following the termination of the agreement. I voluntarily provide my data as necessary for Telco to fulfill the agreement [contract conclusion, amendment, termination, settlement of fees].”
The court found that the clause addressed multiple consents:
• marketing, across multiple channels
• use of data for ‘customer service’ purposes
• retention of data beyond end of the contract
For the above, only a single tickbox was provided for all consents.
Thus, ruled the court, any consent was not specific. Additionally, the court felt ‘customer service’ was too vague to provide any meaningful consent. Finally, the court felt the retention clauses was excessive. If a contract terminated in January 2017, Telco would be allowed to keep data until December 2018 – almost two years after contract termination.
jbho: a reminder that you can’t bundle marketing consent in Germany, and that a ‘take it or leave it’ proposition will invalidate consents.
The court declined to rule on the validity of the channel bundling in the marketing consent clause, but it did note that although phone contact requires opt-in consent, the tick box could have been valid – if not for the bundling of the other consents.
Unchecked Opt-Out Box Not Consent
An online booking agency included an unchecked tickbox for marketing consent on its order/onboarding form. The text adjacent to the tickbox read:
“The information you provide is used solely to contact you regarding your booking, unless you register with our subscribers list. Subscribers will receive information from (us) and our partners. If you do not wish to receive our offers, please check the box.”
If consumers failed to check the box, they were enrolled in the subscriber list.
A competitor sued the agency, and the Hamburg court agreed that the language was misleading. Inaction, particularly in the face of a misleading statement, could not be considered a valid, affirmative consent. The complainant was awarded €75,000 (~$85,000).
jbho: a reminder that it’s not just consumers that can enforce marketing violations in Germany. Competitors can file suit for anti-competitive marketing violations as well.
Note that the court also alluded to the fact, that even if the consent may have been sufficient for email (e.g., Soft Opt-In), it was insufficient for telephone consent. Therefore, it’s a good idea to seek channel specific consents.
€1,000 For A One-Time Spam Email
A law firm had received an unsolicited e-mail invitation to a (not-free) seminar, sued the sender, and was awarded €1,000 (~$1,200). The sender appealed, but the court found the amount was appropriate.
jbho: not much detail. I just found it interesting, and perhaps an example to better quantify damages related to broken email campaigns in Germany.
No Opt-Out Sticker? No Harassment In Nordrhein-Westfalen.
NOTE: EINKAUF AKTUELL is an unaddressed bulk mail circular usually bundled with other junk mail, so you can see the challenge of honoring opt-outs.
A consumer brought suit against Deutsche Post for receiving copies of promotional newsmagazine EINKAUF AKTUELL after allegedly opting-out. After informing Deutsche Post by letter of his desire to be excluded, the consumer received five copies (some years later) of the newsletter.
The court (LG Dortmund) found that plaintiff failed to follow the opt-out instructions provided (attaching a provided “no thanks” sticker to his mailbox). Nonetheless, Deutsche Post made a good-faith effort to block sending. The ‘outliers’ were honest mistakes, and did not constitute unreasonable harassment.
The court ordered the consumer to pay the court costs of €6,000.
jbho: an argument that consent revocation must be express as well?
Interesting that this decision seems to run counter to decisions in Niedersachsen and Schleswig-Holstein, where the courts found that lack of cost effective opt-out was no excuse, and consumers could not be compelled to put stickers on their mailboxes.
BGH, here we come?
Opt-Out Applies To Current Email Address Only
The High Court in Berlin recently ruled an individual who had opted-out of receiving emails from a company at his web.de address, did not necessarily opt-out of emails at his gmx.de address. Thus, although the company was obligated to respect one opt-out, that opt-out need not apply to all email accounts on file for the user.
The court did note that had the consumer specified a list of emails accounts in the opt-out request, all those accounts would need to be opted-out.
jbho: nice if you can provide a preference center where your customers can manage multiple contacts and determine which messages they would like to receive through which channels/accounts.
High Court Clarifies Email Consent Requirements
A complainant sought damages for emails he received after signing up for free software. The sender argued, and a lower court agreed, the complainant had consented, as the forms he completed clearly indicated below the field where he entered his email address (roughly translated):
“By clicking the link and initiating the download, you agree to the terms and conditions , which include receipt of marketing from us and our partners.”
The link lead to terms stated:
“By submitting your personal information, you agree to receive marketing at the email provided from us and these partners .”
The ‘partners’ link then led to a list or 26 companies (including defendant).
The high court (Bundesgerichtshof) ruled these clauses to be insufficient, as simply listing third parties was not enough – the types of products to be marketed needed to be clarified as well. Thus the disclosures were too generic to constitute valid consent.
The court did rule it was acceptable for defendant to retain the complainant’s information, as this would be needed to maintain its internal opt-out (‘Robinson’) list, and to comply with the court issued injunction against unsolicited marketing.
jbho: so close! So it looks like getting consent for third-party marketing is an even higher bar than previously expected. It would seem you could intuit the products to be marketed based on a company’s name. But I guess that’s not quite enough in Germany. So make sure you add some brief descriptions of each partner to your third-party marketing page.
Unsolicited Customer Satisfaction Survey Emails Are Spam
The high court in Berlin recently ruled that a survey mail asking about consumer experiences related to a recent purchase required prior consent. Since the purpose of survey email was to promote future business, it was an advertisements. Therefore, the sending of such survey ‘advertisements’ without consent constituted harassment, as well as unfair competition under the UWG.
jbho: I haven’t seen copies of the mail, but the decision seems to indicate satisfaction surveys are advertisement by their very nature. The decision here deviates from lower court decision in Berlin, but is consistent with opinions from the high courts in Köln and Dresden. So you might want to add a tick box in your preference center for surveys, and start including unsubscribe links in your survey emails.
Second Mail In Double Opt-In Might Not Spam After All
A recent decision from the Oberlandesgericht in München indicated the second mail in a Double Opt-In process is not necessarily spam. This contradicts an earlier ruling from the same region calling the second mail spam.
jbho: not sure what caused the change of heart. Admittedly, I haven’t seen the email copy. Perhaps it’s a question of what messaging is included in the second mail? Stick to business and you’re safe, but if you try to overload it with marketing content its spam?
Good to see that the double opt-in process may be valid in Germany’s southeastern most state.
Second Spam Offence Costs Another €3,000
In 2011, a small business operator received an unsolicited email marketing advertising services. Judgement was awarded in the recipient’s favor, along with a fine of €3,000. In 2014, the same person received another unsolicited mail from the same sender. The court upheld its initial penalty, and awarded plaintiff another €3,000 (~$3,200).
jbho: a reminder that EU spam laws can apply in a B2B context as well.
Proof of Consent Required, Consent Expires
A regional court in Bonn ruled that it was not sufficient for a company to claim it used a double-opt-in. An entity relying on consent must be able to demonstrate each user went through the process. Additionally, a consent obtained in 2011 could not be considered valid in 2015 – especially since there had been no activity in the interim four years.
As a result, the sender was ordered to pay the plaintiff €255.55 plus interest and court costs.
jbho: looks like consent expires after four years in Germany.
Automatic Opt-In Clause Illegal
An insurance company ran a lottery at a conference. The entry form required entrants to provide contact details (name, address, phone, email), sign the entry, and agree:
“Ich bin mit der Speicherung meiner Daten und mit der Kontaktaufnahme (Telefon, E-Mail) zum Zwecke der Information, Beratung und Zusendung von Infomaterial (…) einverstanden.”
The regional court in Konstanz determined that since the form did not permit individuals to choose to receive the aforementioned promotional materials, the marketing consent was invalid, and the form itself illegal.
jbho: a reminder that many international jurisdictions do not permit bundling of consent.
Second Mail In Double Opt-In Not Spam
OLG Dusseldorf has confirmed – despite a contrary ruling in München – a confirmation mail in double opt-in process is not spam.
jbho: what a bizarre circuit split…