Web push notifications are basically a function of browsers that requires consent. Therefore, web push notifications per se can only be sent to users who have agreed to receive them on the respective website via the browser’s consent dialog.
According to the General Data Protection Regulation (GDPR), data processing is lawful if the data subject has given his/her consent to the processing of personal data relating to him/her for one or more specific purposes. According to Art. 4 No. 11 GDPR, consent is “any freely given specific, informed and unambiguous indication of wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her”.
(1) Obtaining effective consents for push notifications.
When designing consent dialogs, care must be taken to ensure that consents are given in an informed manner. The fact that consents are given by an unambiguous confirming action is ensured by the dialog provided by the browser.
In the consent dialog, users should be informed that the notifications are triggered behaviorally or tailored to the user’s interests. Art. 7 Abs. 3 sentence 3 GDPR, postulates that the data subjects must also be informed that they can revoke their consent at any time. To comply with this, a link with further information on data protection and a note on the unsubscribe option can be inserted in the browser settings. These requirements are e.g. fulfilled by the following dialogs:
Invitation dialog: “XYZ Notification Service: Would you like to be informed about news and exclusive offers?”
Here is the GDPR compliant consent process for web push notifications to illustrate:
(2) Unsubscribe and opt-out option for push notifications
In addition to the standard passage regarding the use of etracker technology on your website, we recommend including the following note regarding web push notifications:
If web push notifications are enabled, a service of the respective browser is used to provide this function. Only anonymous or pseudonymous data is transmitted for sending web push messages. You can opt out of receiving notifications at any time via your browser settings. For information about opting out of web push notifications for each browser, click here:
(3) Data protection assessment of web push notifications
One advantage of web push notifications over traditional direct mail is that no personal data is required to send them. Upon consent, a pseudonymous subscriber ID is stored with the value of the randomly generated anonymous or pseudonymous tracking cookie ID for visitor recognition by etracker (example: 108bf9a85547edb1108bf9a85547edb1).
Since etracker does not store any clear names or personal data, it is not possible to draw any conclusions about the person concerned. Segmentation when sending notifications is made possible by the fact that the subscriber ID and tracking ID have the same value. The segmentation attributes also do not contain any (clear) data with which a personal reference can be established. They contain only pseudonymous information about the behavior on the website.
The sending of notifications is based on the consent of the data subjects. The mere processing of behavioral data for the purpose of direct marketing may be covered by Art. 6 para. 1 f GDPR. It states:
“The processing of personal data for the purposes of direct marketing may be regarded as processing serving a legitimate interest.”
Data processing is carried out exclusively for the respective website operator and not across customers (processed separately and not made accessible to third parties). The interference with the rights of the persons concerned does not have particularly serious consequences for these persons. There is no processing of particularly extensive data sets or even sensitive data. The depth of intervention is therefore low. In our opinion, there is no profiling within the meaning of the GDPR, as the data processing procedures described do not have any legal effect on data subjects. A data protection impact assessment in accordance with Art. 35 GDPR therefore does not appear to be necessary. It can further be stated that data processing with the aim of playing out notifications oriented as far as possible to the actual or presumed interests of the data subjects ultimately serves the legitimate interest of both parties, i.e. that of the website operator as well as the users. This precisely avoids harassment by advertising according to the “watering can principle”.