"Prohibition of tying" - Since the European General Data Protection Regulation (GDPR) came into force, this term is often used in connection with marketing measures. But very few people are aware of exactly what it means. It is therefore not surprising that many people violate the prohibition of tying without even knowing it. Lawyer Mario Steinberg explains what the prohibition means for your email marketing.
If you violate the prohibition of tying with your marketing measures - whether knowingly or unknowingly - it can end badly: Since the Conference of Independent Data Protection Supervisory Authorities published its concept for the assessment of fines on October 14, 2019, at the latest, it has been clear that data protection violations can also be really expensive for small companies, freelancers and the self-employed.
A breach of the prohibition of tying can often be avoided by making a few changes to the wording. In the following article, I would like to explain how to do this and what you need to bear in mind.
What exactly is the prohibition of tying?
Most violations of the prohibition of tying are probably committed in email marketing. Before we get to the details, however, let's first take a brief look at the legal background to the prohibition of tying (for those who are interested, there is a more detailed presentation of the legal situation at the end of the article):
As always, the starting point is the European General Data Protection Regulation. One of the ironclad principles of the GDPR is that all data processing requires a legal basis. So if I want to carry out email marketing and send newsletters, I also need a legal basis for this.
The legal basis for email marketing is the consent of the newsletter subscriber. One of the prerequisites for effective consent is that it is given voluntarily.
In connection with the prohibition of tying, this is precisely the crux of the matter: According to Art. 7 para. 4 GDPR, when assessing whether consent has been given voluntarily, it must be taken into account whether the performance of a contract (or the provision of a service) is dependent on consent to the processing of personal data that is not necessary for the performance of the contract (or the provision of the service).
Translated, this means: If I make my service dependent on consent to something else that has nothing to do with my service, the consent is not voluntary.
It is therefore forbidden to "link" a service to consent to something completely different.
Example: Sending a blog newsletter
On a blog website that is purely informative and on which no services (freebies, e-books etc. for download) are offered at all, it is possible to subscribe to a newsletter that provides information about future blog posts. The blogger does not pass on the subscribers' data to third parties and uses it exclusively for sending the newsletter.
From the point of view of the prohibition of tying, this case is completely fine and unproblematic, as no service is "tied" to the sending of the newsletter and therefore there can be no violation of the prohibition of tying at all.
Of course, it should be clear that the other requirements for effective consent of the newsletter subscriber must be met:
- Declaration of consent by actively clicking on a checkbox
- Subsequent confirmation of the e-mail address provided by clicking on a confirmation link sent to it (so-called double opt-in procedure)
Furthermore, due to the principle of data minimization, the newsletter subscriber should only have to provide their email address (and not also their first and last name, postal address, date of birth, etc.) as mandatory information. And the privacy policy must state exactly how the subscriber's personal data collected in connection with the newsletter mailing is processed.
However, the problems with the prohibition of tying start when the newsletter dispatch is tied to some other service.
Example: The "free" e-book
A "coach" offers a "free" e-book for download on his website. If a website visitor then clicks on the corresponding download link, they must first register for a newsletter - which of course implies that they consent to the processing of their personal (registration) data, at least by implication (i.e. by conclusive action).
In this case, the prohibition of tying is violated because the newsletter registration (or the associated consent to the processing of the registrant's personal data) is not required for the download of a "free" e-book.
There would be no violation of the prohibition of tying if the coach were to state quite openly on his website - the GDPR calls this "transparent" - that the information to be provided as part of the newsletter registration (the personal data) is the consideration - i.e. the price - for downloading the e-book.
This would communicate transparently that the e-book is not free, but is actually a kind of exchange. This would make newsletter registration necessary for the service (exchange e-book for data) and consent would be voluntary - and therefore effective.
The right communication is everything
These two examples show that what matters for the prohibition of tying is communicating clearly which service is provided for which consideration.
And if an e-book or any other freebie is actually only offered as "free" in order to obtain the e-mail address and possibly other data of the interested party, it is not free - but "costs" an e-mail address and possibly other data.
Consequently:
Finally, here is a little self-test to see whether your email marketing may be in breach of the prohibition of tying. It becomes problematic if you can answer yes to one of the following questions. Then you should take a closer look at the matter.
- Is it necessary to subscribe to my newsletter in order to receive another service from me (a freebie etc.)?
- Do I advertise the other service as "free"?
- When registering for the newsletter, do I conceal the fact that the information provided (e-mail address etc.) is the consideration for my service?
Finally: The regulations on the prohibition of tying
Here is the somewhat more precise (legal) description of the prohibition of tying mentioned at the beginning: According to Art. 6 para. 1 GDPR, all data processing requires a legal basis. One of these legal bases is the consent of the data subject (the person whose data is processed). The term "consent" of the data subject is defined in Art. 4 No. 11 GDPR as follows
The term "voluntary" and the associated provision in Art. 7 (4) GDPR are important in connection with the prohibition of tying:
The decisive criterion for voluntariness is therefore whether the fulfillment of the contract is made dependent on consent to data processing that is not necessary for the fulfillment of the contract.
If the data processing is not necessary for the performance of the contract and the contract is nevertheless made dependent on consent to it, consent is inadmissibly tied to the performance of the contract. In the absence of voluntary consent, the consent is invalid and data processing based on it is not permitted. This data protection violation can result in considerable fines.