Journal Details
Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

Checking Websites’ GDPR Consent Compliance for Marketing Emails

Published Online: 03 Mar 2022
Volume & Issue: Volume 2022 (2022) - Issue 2 (April 2022)
Page range: 282 - 303
Received: 31 Aug 2021
Accepted: 16 Dec 2021
Abstract

The sending of marketing emails is regulated to protect users from unsolicited emails. For instance, the European Union’s ePrivacy Directive states that marketers must obtain users’ prior consent, and the General Data Protection Regulation (GDPR) specifies further that such consent must be freely given, specific, informed, and unambiguous.

Based on these requirements, we design a labeling of legal characteristics for websites and emails. This leads to a simple decision procedure that detects potential legal violations. Using our procedure, we evaluated 1000 websites and the 5000 emails that resulted from registering with these websites. Both datasets and evaluations are available upon request. We find that 21.9% of the websites contain potential violations of privacy and unfair competition rules, either in the registration process (17.3%) or in the email communication (17.7%), with many websites falling into both categories. A statistical analysis shows that such potential violations can be detected automatically.
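The following is an added illustration of the kind of label-driven decision procedure the abstract describes; it is not the paper's own labeling scheme or code. The label names (consent_checkbox_present, checkbox_pre_ticked, and so on) are assumptions chosen for this example, mapped onto the requirements the abstract names: prior consent before marketing email (ePrivacy Directive) and consent that is freely given, specific, informed and unambiguous (GDPR). The sample sites are constructed, not taken from the paper's dataset.

```python
"""Toy decision procedure over hand-assigned consent labels.

Assumed label set for illustration only; the paper's actual labeling is
not reproduced here. Each finding names the consent property it fails.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrationLabels:
    """What a labeler recorded about the registration form."""
    consent_checkbox_present: bool        # an explicit opt-in control exists
    checkbox_pre_ticked: bool             # ticked by default
    marketing_bundled_with_tos: bool      # one box covers ToS and marketing
    sender_and_purpose_stated: bool       # who will send what is disclosed
    registration_requires_consent: bool   # cannot register without opting in


@dataclass(frozen=True)
class Site:
    """One website: its form labels, what the tester did, what arrived."""
    name: str
    registration: RegistrationLabels
    tester_left_box_ticked: bool          # state of the box when submitting
    marketing_email_received: bool        # any marketing mail after signup


def registration_findings(r: RegistrationLabels) -> list[str]:
    """Return the consent requirements the registration form fails."""
    if not r.consent_checkbox_present:
        return ["no opt-in control: consent cannot be unambiguous"]
    findings = []
    if r.checkbox_pre_ticked:
        findings.append("pre-ticked box: no affirmative act, not unambiguous")
    if r.marketing_bundled_with_tos:
        findings.append("bundled with terms of service: not specific")
    if not r.sender_and_purpose_stated:
        findings.append("sender or purpose undisclosed: not informed")
    if r.registration_requires_consent:
        findings.append("registration conditional on consent: not freely given")
    return findings


def has_valid_prior_consent(site: Site) -> bool:
    """Consent counts only if the form is clean AND the box was left ticked."""
    return site.tester_left_box_ticked and not registration_findings(site.registration)


def email_findings(site: Site) -> list[str]:
    """Marketing mail without valid prior consent is the email-side finding."""
    if site.marketing_email_received and not has_valid_prior_consent(site):
        return ["marketing email sent without valid prior consent"]
    return []


def violation_rates(sites: list[Site]) -> dict[str, float]:
    """Fraction of sites with registration, email, or any finding.

    'any' is a union, so it can be smaller than registration + email.
    """
    n = len(sites)
    reg = sum(1 for s in sites if registration_findings(s.registration))
    mail = sum(1 for s in sites if email_findings(s))
    either = sum(1 for s in sites
                 if registration_findings(s.registration) or email_findings(s))
    return {"registration": reg / n, "email": mail / n, "any": either / n}


CLEAN = RegistrationLabels(True, False, False, True, False)
PRE_TICKED = RegistrationLabels(True, True, False, True, False)
BUNDLED = RegistrationLabels(True, False, True, True, False)
NO_BOX = RegistrationLabels(False, False, False, True, False)
NO_PURPOSE = RegistrationLabels(True, False, False, False, False)

# Constructed sample, not real websites.
SAMPLE_SITES = [
    Site("s1", CLEAN, True, True),        # opted in, mail received: fine
    Site("s2", CLEAN, False, True),       # never opted in, mail anyway
    Site("s3", PRE_TICKED, True, True),   # pre-ticked box, mail: both sides
    Site("s4", BUNDLED, True, False),     # bundled consent, no mail yet
    Site("s5", NO_BOX, False, True),      # no control at all, mail sent
    Site("s6", CLEAN, False, False),      # no opt-in, no mail: fine
    Site("s7", NO_PURPOSE, True, True),   # uninformed consent, mail sent
    Site("s8", CLEAN, True, False),       # opted in, no mail: fine
]

if __name__ == "__main__":
    for s in SAMPLE_SITES:
        print(s.name, registration_findings(s.registration) + email_findings(s))
    print(violation_rates(SAMPLE_SITES))
```

The point of separating has_valid_prior_consent from the form labels is that a ticked box on a defective form (pre-ticked, bundled, uninformed) does not create consent, so such a site is counted on both the registration side and the email side; this is why the two per-category rates in the abstract can add up to more than the overall rate.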

