Proof of effective consent for direct marketing

Direct marketing consent
Categories:

The requirements for proof of an effective Consent for direct advertising are increasingly the focus of data protection supervisory authorities. This is also shown by the Activity report of the Bavarian State Office for Data Protection Supervision for the year 2025. E-mail marketing and lead generation, there has been a significant increase in complaints.

Complaints about direct advertising without consent are on the rise

The complaints center on cases in which affected persons receive personalized advertising emails or newsletters from companies with which there is no identifiable relationship. In response to requests for information pursuant to Art. 15 GDPR it is often stated that the personal data originates from participation in online competitions. In this context, the responsible bodies regularly refer to a Consent pursuant to Art. 6 para. 1 lit. a GDPR, which is said to have been obtained as part of a double opt-in procedure.

In practice, however, there is a considerable problem: many affected persons deny both the participation in the competitions and the submission of a Consent. In some cases, they can even plausibly prove this, for example by being absent at the time of the alleged confirmation or by not using the logged IP address. This casts considerable doubt on the authenticity of the underlying consents.

Added to this is the complex structure of data processing. There are often several players involved, such as competition operators, data brokers and advertising companies. The data is passed on along this chain, with all parties involved referring to the original Consent support. It is precisely these multi-level data flows that significantly increase the risk of data protection breaches.

Proof of double opt-in is not sufficient

From the perspective of the supervisory authorities, the evidence frequently provided in practice is inadequate. Typically, companies limit themselves to tabular information such as the date of the double opt-in, the IP address, the timestamp or the URL of the competition. However, this information is not sufficient to make an effective and informed Consent in the sense of GDPR to prove.

The legal requirements are clear. According to Art. 7 para. 1 GDPR carries the Responsible persons the full burden of proof for the existence of a Consent. The controller is any body that decides on the purposes and means of data processing (Art. 4 No. 7 GDPR). This means that not only lottery operators, but also data traders and advertising companies are obliged to provide an effective Consent to be able to provide evidence.

An effective Consent in accordance with Art. 4 No. 11 GDPR must

  • voluntary,
  • informed,
  • for a specific purpose and
  • unmistakable


be submitted. These requirements are not only of a formal nature, but must also include content. Documentation take place.

Reading tip: Newsletter without consent? ECJ names requirements

BGH demands complete documentation of consent

The Federal Court of Justice clarified early on that the proof of a Consent goes far beyond technical log data. In its decision of February 10, 2011 (case no. I ZR 164/09), it requires that the specific wording of the Consent must be fully documented and reproducible at any time. In the case of electronic consent, this means in particular that the declaration can be saved and printed out if required. The mere assignment of a IP address is not enough.

Suitable evidence includes, in particular, stored declarations of consent, documented consent processes and confirmation emails as part of the double opt-in procedure. The latter can be additionally secured by technical procedures such as DKIM signatures in order to prove their authenticity.

In addition, the supervisory authorities refer to the guidance issued by the Data protection conference to direct advertising and to the Guidelines 05/2020 of the European Data Protection Board on the Consent. Both documents specify the requirements for Transparency, traceability and accountability.

Link tip: BGH judgment Ref. I ZR 164/09

Robust documentation required for consent

For companies, this means The proof of an effective Consent is not a formal side issue, but a central compliance topic in the Data protection. Companies that personal data for direct advertising should already have robust and tamper-proof processes in place in advance for Documentation of consents.

Particularly in the case of data-driven business models such as lead generation, affiliate marketing or data-based Advertising special caution is required. If there are frequent complaints, supervisory authorities generally require reliable and complete proof of the Consent.

The Activity report of the Bavarian State Office for Data Protection Supervision makes it clear that companies that rely on inadequately documented consent are exposed to a considerable legal risk. Proper consent documentation is therefore not only legally required, but also a decisive factor for sustainable and legally compliant marketing strategies.

Source: 15th Activity Report 2025 of the Bavarian State Office for Data Protection Supervision

Contact us
Tags:
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts