In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement.  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

In the resolution, the DPAs specify that website operators must comply with the provisions of the German Telemedia Act (“TMG”) when creating user profiles.  According to the TMG, website operators are only allowed to create user profiles by using pseudonyms.  A user’s IP address, however, does not qualify as a pseudonym under the TMG. The resolution further states that the following TMG requirements must be met:

  • Website users must have the opportunity to object to the creation of their user profiles, and website operators must honor such objections effectively.
  • Pseudonymized user data may not be combined with data about the individual associated with the pseudonym.
  • User data must be deleted (1) if storage is no longer necessary for usage analysis purposes, or (2) if the user requests the deletion.
  • Without the user’s consent, personal data may be collected and used only to the extent necessary to enable the use of telemedia services and for billing purposes. Any other use requires the consent of the user.
  • In their privacy policies, website operators must (1) provide clear disclosure regarding the creation of pseudonymized user profiles, and (2) inform users that they have the option to object to the creation of such profiles.
  • Because complete IP address data may be traced back to a user, analysis of surfing behavior using complete IP addresses (including a geo-localization) is only admissible pursuant to deliberate, explicit consent.  If the user has not given consent, the IP address must be truncated prior to analysis to eliminate the possibility of data being attributed to a specific user.