Why does Quora need your legal ID

Data protection for tracking, web controlling and analysis tools



What is tracking anyway?

The term tracking is understood to mean the collection and evaluation of user behavior in the internet. Tracking can serve various purposes:

  • to be able to better adapt the offers on the website to one's own target group
  • Understand user click paths and minimize abandonment rates
  • To be able to determine preferences regarding certain manufacturers and products
  • To draw conclusions about the software used by the users (which browser, which plug-ins, etc.)
  • To gain clues for programming, search engine optimization and the design of the order processes

Depending on the requirements, there are various programs for this, from free programs with low basic functions to professional professional tracking tools for recording and evaluating user behavior.

After the site operator has inserted a specific tracking code into the source code on all pages of his website that are to be recorded and evaluated, the tracking tool automatically begins to record and evaluate user behavior. The webmaster can then - depending on the tracking tool - view the corresponding statistics just a few minutes after the recording or even live.

Since user behavior can be recorded in great detail through the use of tracking tools, data protection requirements in particular must be complied with in order to prevent misuse of the data.

Legal basis: User tracking on websites

The legal regulations on this subject can be found in the fourth section (data protection) of the Telemedia Act (TMG). On the other hand, the Federal Data Protection Act (BDSG) contains numerous requirements for handling personal data that must be observed in the context of web tracking and the evaluation of user access.

Due to the countless data scandals of the past few months, there has been an increased legal dispute in connection with tracking tools, in particular with regard to the storage of user IP addresses without the express consent of the internet user. Some providers of tracking tools have made a conscious decision to offer solutions that meet the strict data protection requirements in Germany.



Continuing controversy: storage of IP addresses

In particular, on the question of whether the storage and evaluation of IP addresses is permitted under data protection law, a dispute between data protectionists and companies from the marketing environment has been raging for years. Data protectionists in the respective data protection authorities, for example, have assumed for years that IP addresses are personal data, regardless of whether they are dynamic or static IP addresses.

The opponents hold (legally simplified) against the fact that one can determine an Internet connection and possibly also a connection owner via an IP address. However, an IP address cannot be used to determine which person actually acted.

In addition, there has been no case law on this issue for many years. Even at the moment one cannot speak of a uniform line of the courts. There are two contrary judgments by the Berlin Regional Court (judgment of September 6, 2007, Az. 23 S 3/07) and the Munich District Court (judgment of September 30, 2008, Az. 133 C 5677/08).

While the judges of the Berlin Regional Court rejected the storage of IP addresses as unlawful without the consent of Internet users and the Federal Ministry of Justice prohibited the storage of IP addresses when accessing their own website, the Munich District Court was of the opinion that the storage of IP addresses without the consent of the user does not constitute a violation of data protection regulations.

How do the different judgments of the courts come about?

The main difference between the two mentioned judgments lies in the question of how the courts categorized the criterion "IP address". With their judgment, the judges of the LG Berlin have affirmed that an IP address is personal data which, according to the Federal Data Protection Act (BDSG), may only be stored with the express consent of the Internet user and also not with the corresponding tracking data. User profiles created using tools may be associated.

The AG Munich, on the other hand, takes the view in its judgment that IP addresses are not personal data, as the subscriber cannot be identified at this point. Although it is theoretically possible to assign the connection owner to the IP address via the Internet provider, the website operator de facto lacks the legal basis for receiving relevant information from the provider. As a result, the AG Munich dismissed a corresponding action for injunctive relief.

IP tracking only with the consent of the user?

The question of the permissibility of storing IP addresses without the consent of the user in the context of tracking tools is still highly controversial. If you regard IP addresses as personal data, this means in practice that it can only be stored and processed in a legally compliant manner with the prior and express consent of each individual user. If the Internet user has consented to the storage of personal data, for example when placing an order in an online shop, this is not a legal problem.

In practice, however, it looks different. Data such as the IP address are already recorded when "entering" the website without the visitor having the opportunity to read through a corresponding data protection declaration and to give the necessary consent for the collection, storage and evaluation of his IP address.



Google Analytics and Google Universal Analytics

One of the most frequently used tracking tools are Google Analytics and the new cross-device variant Google Universal Analytics.

On the one hand, because Google is technically well versed in processing data volumes. On the other hand, because the tool is free. Google Analytics or the cross-device variant Google Universal Analytics also stores the IP addresses of site visitors and transmits them to the USA. For this reason, Google obliges its users to publish a corresponding data protection declaration on their website, in which reference is made to the corresponding use.

However, it is highly controversial whether a simple explanation by the site operator is sufficient. If one takes the view that IP addresses are personal data, the express consent of the user would be required here. As a consequence, this means that, in the opinion of the data protection officers, a large number of the tracking and analysis tools currently on offer are illegal. However, the German data protection authorities seem to have zeroed in on Google at the moment. This not only applies to the dispute over Google Street View, but also to Google Analytics.

Google is currently working on a browser plug-in that will enable users to prevent their data from being tracked via Google Analytics. It remains to be seen whether this is sufficient to dispel the data protection concerns.

Newsletter tracking

Newsletter and e-mail tracking works in most cases using small images that are only 1 pixel in size. These web beacons or tracking pixels are integrated into the newsletter. When the image is retrieved, certain information about the recipient can then be retrieved:

  • IP address of the recipient
  • Time of retrieval
  • E-mail client of the recipient
  • Click on links in the email

The tracking pixels can then generate a unique ID that can be assigned to the recipient email address. The sender of the mail can track which recipient opened the mail, which links were clicked and whether the mail led to a purchase.

From a legal point of view, this type of email tracking is always sensitive in terms of data protection law. In any case, the email addresses of the recipients are personal data. Without the consent of the user, these may not be saved or evaluated.

How can you implement newsletter tracking in a legally secure manner?

In these cases of mail tracking, it is not enough to simply put a passage in the data protection declaration. There are 2 options for legally compliant implementation:

1. User consent

For understandable reasons, however, this variant is not relevant in practice. Who wants to explain to their newsletter recipients for pages which data is used and evaluated by which external newsletter sender for which purposes and then also obtain consent for it?

In practice, newsletter tracking is therefore simply illegal in most cases. A legally compliant solution is not that difficult:

2. Order data processing for newsletters

The German data protection law provides in § 11 BDSG that certain forms of data processing can also take place without the express consent of the data subject.

The whole structure of order data processing is not that easy to explain from a legal point of view. However, the correct legal and contractual implementation is a matter for the provider of email and newsletter software.

Entrepreneurs and website operators who want to track the success of their email and newsletter campaigns don't really have to do much more than themselves

  • looking for a newsletter software provider based in the EU
  • concludes an order data processing contract with its customers

That’s the theory. Unfortunately, this means that many providers from the USA are eliminated. In the opinion of many data protection authorities, commissioned data processing with companies in the USA is actually not legally possible.

And also in the EU there are not many providers who work in compliance with data protection regulations. For this reason, we decided on Klick Tipp. The software offers a lot of interesting features and implements - what is of course most important from a legal point of view - the requirements of order data processing correctly.

If you know providers who also implement this, please send us an email. We are currently working on an overview of the relevant providers of mailing and newsletter software.

 Practical tips for tracking and web analysis:

There are three options for website operators and marketing agencies:

  1. The tracking tools will continue to be used, and the risk of data protection violations is consciously accepted.
    Disadvantage: There may be warnings and fines from the data protection authorities.
  2. The collection of personal data such as the IP address is waived.
    Disadvantage: Meaningful tracking is often not possible in this case.
  3. Tools are used that, for example, optionally anonymize IP addresses, meet the applicable data protection requirements.
    Disadvantage: There are currently relatively few providers who offer legally compliant tracking and analysis software.


The majority of the tracking services and newsletter providers currently used are legally inadmissible according to the strict opinion of the data protection authorities. In recent years, the view has also gained acceptance in the courts that data protection violations can be warned.

In the future, the topic of legally compliant tracking will play an increasingly important role for another reason: Due to the data scandals of the recent past, users are placing much more value on legally compliant handling of their data.