Digital Compliance | GDPR

Data Privacy in Online Marketing

On May 25, 2018, the European General Data Protection Regulation (GDPR) came into force. The GDPR creates uniform regulations for data protection in Online Marketing throughout Europe. The laws have been simplified in part by the GDPR, but at the same time, they have a significant impact on the entire European Economic Area. Companies are obliged to follow these principles for data protection in Online Marketing.

Data protection in Online Marketing – what is regulated by the GDPR?

The GDPR aims to standardize European data protection. Its formulation, which is legally binding for all EU member states, considers technological developments in digital communication and collecting, processing, and storing data. The new legal regulations primarily serve to provide comprehensive and useful protection of personal data of private individuals. Personal data is defined as all information that allows conclusions to be drawn about a person’s identity. As such, personal data includes names, address and account data, IP addresses, or location data. Some personal data, such as health information, is classified by the GDPR as particularly sensitive.

The GDPR formulates the following points as essential data protection principles:

  • The affected person must actively give consent to the collection and processing of personal data.
  • Data collection must be purpose-oriented and transparent, which means that the data collected through the website may only be for specified, transparent, and legitimate purposes.
  • Transparency requires that all personal information must be easily accessible, easy to understand and written and clear and straightforward.
  • To minimize data, you may only process data if the processing’s purpose cannot be achieved reasonably by other means
  • The data must be processed in a way, that ensures adequate security. Organizational and technical measures must ensure this.

Further requirements of the GDPR relate to companies’ information and documentation obligations that work with personal data and the appointment of a data protection officer. Digital companies are obliged by law to guarantee their customers and all other contact persons informational self-determination.

Essential aspects for protecting the data of your users and customers

The following points are particularly important for data protection in online marketing:

Balancing of interests

The GDPR as well as the e-privacy regulation – unlike the previous legislation – also reference the legitimate interests of online entrepreneurs. If these outweigh the legitimate interests of private individuals and – in a broader context – of companies, personal data may be used for online marketing. However, It is essential,, to weigh up the interests in advance, considering the degree of impairment for the persons concerned.

Consent to use cookies

When using cookies, Internet users consent must always be obtained, which can be done digitally. As a rule, this procedure is accompanied by a reference to the company’s data protection declaration. We have demystified some of the myths surrounding Switzerland’s cookies in our cookie fact check.

Double opt-in procedure for newsletter

If the legitimate interests of a company in the collection and processing of personal data do not clearly outweigh the interests of a company, data protection in online marketing requires that companies provide their digital customers with an explicit opt-in procedure. This also means that if people provide their contact data for a newsletter subscription, they must reconfirm their subscription order and the use of their data. Confirmation links sent by email are now commonplace. The consent must be voluntary, active, and explicit. Before the introduction of the GDPR, it was also possible to accept implicit consent without legal problems.


For an informed opt-in declaration to be made, commercial website visitors need to receive comprehensive information regarding what data is collected and how it might be used.This requires a clearly worded data protection declaration that states what data is collected and for what purpose. The GDPR has not changed the requirement that online advertising must be marked accordingly.

Opt-out procedure

It is equally vital that qualified leads and customers are provided with uncomplicated opt-out options to make use of their right to object to an order. In online marketing, one-click solutions are optional for this, with which an actual or potential customer relationship can be terminated quickly and easily.

Data economy

Data economy is one of the basic requirements of the GDPR, which should always be followed in online marketing. Here, data from different digital services of a company must not be linked to each other in order to create comprehensive user profiles. It also makes sense to make user data anonymous or pseudonymous. This point is also crucial for data protection in online marketing concerning IP addresses’ anonymization when using Google Analytics.

Legal notice obligation in social media

The new regulations for data protection in online marketing stipulate an imprint obligation for commercial providers in social media. On the one hand, companies must be identifiable in the event of data protection violations. On the other hand, private consumers have a fundamental right to receive all the information regarding the use of their data – social media channels are explicitly included here.

The obligation for correctness and memory limitation

According to the principle of accuracy, the GDPR obliges companies to keep data up to date or to correct or delete incorrect data if the company is informed of this. It must also be specified how long these personal data are stored. The user or customer must at least be able to inform themself about this in the data protection declaration.

Use of third-party embedded content

Whether social media plug-ins or YouTube videos are embedded on a website, in most cases, user data is collected in the background by these third-party providers and automatically transferred. Depending on the third-party content used, there are different ways to protect the users of your website. Some providers, such as YouTube, already offer embedding that is compliant with data protection laws. However, this is by no means the case for all third-party content and should be checked accordingly before implementation. Our blog on the GDPR and the social plug-ins already summarizes critical information regarding this topic.

Facilitation for online marketing

The introduction of the GDPR has even made data protection in online marketing easier in some cases compared to the previous legal situation. Until 2018, the old Data Protection Act partially intervened in the data-related design of individual advertising measures – in place of such specifications, uniform regulations for compliance with data protection principles have been introduced.

In addition to the GDPR, the e-Privacy Regulation (ePR), which is also based on European law and regulates, particularly, the use of cookies and other electronic tracking procedures, also plays a role in data protection in online marketing. Within Europe, the GDPR, thanks to standardization, has removed barriers where a company previously had to comply with different standards for different countries. It may now be easier to internationalize a company in Europe if the fundamental work on data protection has already been done.

Data protection in online marketing – a look into the future

The GDPR and the associated legal regulations have established the legal framework for data protection in online marketing, at least for the foreseeable future. However, it is expected that the importance of data protection issues will continue to grow in the coming years. Also, the implementation of the GDPR involves an extensive catalog of obligations for companies. If they are not fully complied with, online providers must expect severe penalties.

In Switzerland, we expect the revised Federal Act on Data Protection (FADP) to come into force in the first quarter of 2021. As there are some differences in content to the GDPR, and it also depends on the company whether the GDPR, the FADP or both are relevant, we recommend that you obtain detailed information on this and, where necessary, obtain in-house support.

As an agency for online marketing, analytics & compliance, we would be pleased if you would contact us for a non-binding consultation on this important topic as well.

We cover a broad range of GDPR topics, read more.

Subscribe to our newsletter and be up to date.