E-mail addresses as advertising triggers - court: Custom Audience is a legal violation without consent

Many companies still use custom audiences on social networks to deliver targeted advertising only to those people with whom they have previously been in contact. For this purpose, e-mail addresses - in encrypted form - are uploaded to the networks for comparison. The Bavarian Administrative Court has now decided that this practice violates data protection law.

In its decision of September 26, 2018 (Az. 5 CS 18.1157), the VGH Munich decided that Custom Audience is not permitted under data protection law without the consent of the person concerned under the old version of the BDSG. The VGH thus confirmed the judgment of the lower court and previous statements by the Bavarian supervisory authority.

Facebook Custom Audience with email lists

Facebook Custom Audience enables the targeted delivery of advertisements on Facebook. With Custom Audience, Facebook offers the possibility of targeting individual customers in the social network via advertisements. The advertising company has to send its customer list to Facebook. If Facebook can assign the e-mail address to a member, the advertisement will be delivered. The upload is not made in plain text, but encrypted using a hash process. Facebook then compares the uploaded values with its own data records, transformed with the same hash process, to determine a match.

LDA Bayern: Request for deletion

The Bavarian data protection authority considers this procedure to be a data protection violation. The authority objects to the hash method used, which allows simple backward calculation. In this way, the transmitted e-mail addresses in particular could easily be determined again from the hash values. Even with a more secure hash process, a different assessment would probably not be justified: the e-mail address could then not readily be read out, but through the comparison Facebook still learns, whenever there is a match, that the member in question is on the customer list, and can enrich the member's profile with this information. This can hardly be justified with the legitimate interests of the advertising company (or Facebook).
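The comparison described in the two sections above, as an added example (not code from the article, from Facebook or from the court file). It assumes unsalted SHA-256 over the trimmed, lower-cased address, which the article does not specify; all addresses and the key are constructed.

```python
import hashlib
import hmac


def normalize(email):
    """Trim and lower-case so both sides hash the same byte string."""
    return email.strip().lower()


def hash_email(email):
    # Assumption: unsalted SHA-256; the article does not name the algorithm.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash_email(email, key):
    """Same digest, but keyed with a secret only the advertiser holds."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def build_upload(customer_emails, key=None):
    """Advertiser side: only digests leave the shop, never plain addresses."""
    if key is None:
        return {hash_email(e) for e in customer_emails}
    return {keyed_hash_email(e, key) for e in customer_emails}


def match_members(upload, member_emails):
    """Network side: hash its own member addresses the same way and intersect."""
    index = {hash_email(e): normalize(e) for e in member_emails}
    return sorted(addr for digest, addr in index.items() if digest in upload)


# Constructed sample data.
CUSTOMERS = ["Anna@Example.com ", "carl@example.org", "dora@example.net"]
MEMBERS = ["anna@example.com", "bert@example.com", "carl@example.org"]


def demo():
    plain = match_members(build_upload(CUSTOMERS), MEMBERS)
    keyed = match_members(build_upload(CUSTOMERS, key=b"constructed-shop-secret"), MEMBERS)
    return plain, keyed


if __name__ == "__main__":
    plain, keyed = demo()
    print("members identified as customers:", plain)
    print("with a key the network does not hold:", keyed)
```

The unkeyed digests let the recipient tie each match to a known member, so the list is pseudonymized rather than anonymized. A digest the recipient cannot reproduce prevents that link, but also the match the service depends on.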

Incidentally, the proceedings came to court because an online shop refused to accept an order from the data protection supervisory authority in Bavaria. The authority had forbidden the shop operator to continue using the audiences and had ordered it to delete the data created under its Facebook account.

Consent Requirement

The subject of the dispute was the email addresses of the company's customers, which were forwarded to Facebook. The court found that the email addresses were personal data that would not be anonymized by the hashing process. Hashing does not completely remove the personal reference and it is possible to assign the data to a specific or identifiable person without disproportionate effort. In this respect, a specific consent of the data subject to the transmission of his data to Facebook is required. The consent can only be effective if the customer knows what he is consenting to. This excludes hiding the consents in the terms and conditions and contenting oneself with a reference to the terms and conditions. Rather, such consent must be given separately and voluntarily.

In the opinion of the Munich judges, the upload is not permitted unless the person concerned has given their express consent.

Consent requirement also according to GDPR

It should not be overlooked that the decision of the VGH Munich was issued on the old legal situation according to the old version of the BDSG, since in the present case it was the legal situation at the time of the last official decision that mattered. However, the General Data Protection Regulation (GDPR) has been in force since May 25, 2018. For Facebook Custom Audience, however, not much has changed in principle. Even under the new law, it will be difficult to find a legal basis for data comparison with Facebook beyond consent. In this respect, the consent requirement remains up to date. Thus, Custom Audience constitutes a GDPR violation without the corresponding consent of the data subject for the transmission of their data.

No order data processing by Facebook

The court also commented on another - very topical - perennial issue. The shop operator had defended himself, among other things, by arguing that Facebook was only the contractor for order data processing with regard to advertising. However, the court rejected this.

For the assessment of whether Facebook is active in the context of order data processing, the full and intended use of the “Facebook Custom Audience” service should be taken into account. It depends largely on who is responsible for processing the data. Only the complete subordination of the collection, processing and use of the data to the specifications of the client with regard to the means and purpose of data processing justifies exempting the data transfer to a contract data processor from the legal justification requirements for the transfer of personal data.

In the present case, however, Facebook decides independently, by evaluating the usage behavior of its members, which users correspond to the target group definition of the company concerned and are shown advertising. Thus, Facebook selects those to be advertised to on the basis of profile data known and available only to Facebook, and Facebook alone is able to determine the customers to be advertised to and to display the advertising. Since Facebook has its own scope for decision-making and discretion in determining the group of customers to be advertised to, the transmission of the hashed e-mail addresses, in the opinion of the VGH Munich, does not take place by way of order data processing.

Rather, one should also assume joint responsibility for Custom Audience - as with the operation of Facebook fan pages and probably also with the integration of Facebook widgets.

Conclusion: Better to refrain from Custom Audience with customer lists

It is better to refrain from controlling advertising via customer lists. This is all the more true as, unlike in the past, users can easily see which companies have uploaded their customers' data to Facebook for advertising purposes. Under “Settings → Advertisements → Advertisers → Those who have added a target group to Facebook” the user can see a list of advertisers. From there it is not far to asserting claims for information.

Dr. Martin Schirmbacher is a specialist lawyer for IT law in the law firm HÄRTING Rechtsanwälte, which specializes in media and technology, and is the author of the book Online Marketing und Recht. You can find his blog on law in online marketing at More information about himself is available at