In addition to several changes to existing rules on data protection, the EU General Data Protection Regulation (GDPR) does also have a considerable impact on online marketing and social media, affecting in particular business models based on advertising tools such as tracking pixels, placed advertisements or social plug-ins.Legitimate interest for online marketing pursuant to the GDPR

The GDPR permits the processing of personal data for online marketing purposes on the basis of legitimate Interests of online providers. Legitimate interests of online providers, however, may be overridden by the interests or fundamental rights and freedoms of an EU resident, called a “data subject.” Those fundamental rights and freedoms include privacy and protection from manipulation, in particular where the data subject is a child. An assessment of the specific interests of data subjects and online providers must be made and the factors of the respective circumstances must be taken into account and weighted on a case-by-case basis.

Other online-activities, such as profiling to determine creditworthiness and cross-device tracking are likely to predominantly require consent to be given and to meet the GDPR requirements to obtain consent. In particular, when assessing whether consent is freely given, it needs to be taken into account whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

The ePrivacy-Regulation and further changes for social media services

Pursuant to EU Directive 2002/58/EC (“ePrivacy-Directive”) users need to give their consent before third-party cookies can be used on a website. After different interpretations of the individual member states, this “cookie” directive resulted in the invention of the (opt-out) cookie banner:

“If you continue to use our website, you agree to the use of cookies”

Currently, the EU drafts a follow-up legislation in the form of the so called ePrivacy-Regulation. An explicit goal of the ePrivacy-Regulation is to abolish cookie banners and require a user’s consent to use cookies. Accordingly, even though the use of marketing and tracking tools might be permissible without consent pursuant to the GDPR, the ePrivacy-Regulation might require such consent or to rely on the “do-not-track” function of browsers.

Even though the ePrivacy-Regulation is unlikely to take effect before the year 2019, companies should closely monitor the additional requirements for social media and online services that are currently being negotiated.