Convert Inbound Traffic into B2B Leads
Data protection compliant use of LeadRebel in consideration of the GDPR and ePrivacy Directive
Status: December 2020
In November/December 2020, the LeadRebel product was audited by the law firm Schürmann Rosenthal Dreyer PartmbB for compliance with data protection laws, and the use of the tool in its December version was deemed lawful. Legal audit results have also been incorporated into further product development.
Numerous companies compile extensive statistics about their website visits. In the B2B sector, there is an obvious interest in identifying which companies, and thus potential business partners or customers, are among the website visitors.
LeadRebel is a B2B analytics tool used on corporate websites to generate business leads. For this purpose, LeadRebel collects IP addresses and other usage data from website visitors and complements them with publicly available company information. Thus, website operators can track which companies visit their own website and may therefore be interested in the product, service, or cooperation.
How LeadRebel works
LeadRebel follows a three-part modular structure:
Module 1 determines, based on IP addresses, which company a website visitor belongs to. This is a passive standard procedure in which the information - as with any HTTP request - is automatically transmitted by the browser. The use of this module is mandatory. Fingerprinting and other methods for recognizing website visitors are not used.
Module 1 represents the core of LeadRebel. By using the IP address, LeadRebel determines the visitor’s company name in the backend via a Whois query, the so-called reverse DNS lookup procedure, and database comparison. When there is a match, the entry is enriched with additional company data and made available in a dashboard to LeadRebel’s customers.
Upon LeadRebel’s customer request, the publicly available contact information of the visiting company’s employees can also be automatically collected. These data are not stored but retrieved anew on every request.
IP addresses that cannot be assigned or are assigned to a private subscriber are filtered out and transferred to a blacklist.
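The sorting step of module 1 as an added illustration (not LeadRebel's own code): an IP address is only attributed to a company when it is public, has a reverse DNS record, does not look like a consumer ISP allocation and matches a company database; everything else goes to the blacklist and is not processed further. The company database, the reverse-DNS answers (RFC 5737 documentation addresses) and the residential-hostname heuristic are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Ranges that can never belong to a company network (RFC 1918, loopback,
# link-local, carrier-grade NAT and their IPv6 equivalents).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed company database (assumption): hostname domain -> company name.
COMPANY_DB: Dict[str, str] = {
    "example-corp.com": "Example Corp AG",
    "acme-industries.net": "ACME Industries GmbH",
}
# Constructed reverse-DNS answers standing in for the live lookup; the IPs
# are RFC 5737 documentation addresses, not real visitors.
REVERSE_DNS: Dict[str, str] = {
    "203.0.113.10": "mail.example-corp.com",
    "203.0.113.20": "proxy7.acme-industries.net",
    "198.51.100.5": "dyn-198-51-100-5.pool.isp.example",
}
# Hostname fragments typical of consumer/dynamic ISP allocations, i.e. a
# private subscriber rather than a company (constructed heuristic).
RESIDENTIAL_MARKERS = ("dyn-", "dsl", "pool", "cust", "dhcp")

def lookup_constructed(ip: str) -> Optional[str]:
    """Stand-in for a reverse DNS (PTR) query; None when no record exists."""
    return REVERSE_DNS.get(ip)

def classify_visitor(ip: str, resolve=lookup_constructed) -> Tuple[str, str]:
    """("company", name) if attributable to a company, else ("blacklist", reason)
    so that nothing further is stored or enriched for that visitor."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ("blacklist", "not an IP address")
    if any(addr in net for net in NON_PUBLIC):
        return ("blacklist", "non-public address")
    host = resolve(ip)
    if host is None:
        return ("blacklist", "no reverse DNS record")
    host = host.lower().rstrip(".")
    if any(marker in host for marker in RESIDENTIAL_MARKERS):
        return ("blacklist", "private subscriber pattern")
    labels = host.split(".")
    # Try each parent domain, e.g. "mail.example-corp.com" -> "example-corp.com".
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in COMPANY_DB:
            return ("company", COMPANY_DB[".".join(labels[i:])])
    return ("blacklist", "no company match")
```

The blacklist reason is kept only so the filter can be audited; the address itself would not be retained in a data-minimizing deployment.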
Module 2 extends LeadRebel’s functionality by adding optional analytics cookies. These cookies can be used to recognize returning website visitors ("clientID") as well as the respective session ("sessionID"), but also to identify the logged-in user ("auth"). To ensure that website visitors are not (or no longer) tracked, it is also possible to place an opt-out cookie (“opt-out”).
Module 3 is used to optionally capture mouse cursor movements to determine which areas the website visitor has looked at or clicked on. These movements are recorded in a video.
Of course, LeadRebel has taken numerous technical and organizational measures pursuant to Art. 32 GDPR to protect its systems and the processed data to ensure an adequate level of data protection.
Data protection compliant use of LeadRebel
LeadRebel adheres to the principles of Privacy by Design and Privacy by Default, according to Art. 25 GDPR and is designed for GDPR-compliant use. The website operators act as data protection controllers according to Art. 4 (7) GDPR and the operator of LeadRebel as a processor according to Art. 4 (8) GDPR. The following describes the data protection requirements that LeadRebel believes must be observed when using the product.
Data processing when using the modules
In our view, the collection of IP addresses within the scope of module 1 is not subject to the consent requirement of the so-called ePrivacy Directive, as there is no access to terminal device information. Nor is a legal basis under the GDPR required, as company-related IP addresses are, on a convincing assessment, not personally identifiable and therefore do not fall within the scope of application of the GDPR.
If, however, it is not possible to assign the IP address to a company (beyond doubt), and if it could therefore be a private subscriber, IP addresses are (indirectly) personally identifiable according to case law. However, since LeadRebel immediately filters out such IP addresses and prevents them from being processed further, the processing can be based on the website operator’s legitimate interests under Art. 6 (1) lit. f GDPR, because the necessary balancing of interests is regularly in the website operator’s favor. Legitimate interests of the website operator include, in particular, range measurement and the commercial evaluation and use of company-related visitor data.
The following aspects must be taken into account:
There is no comprehensive analysis of personal data or cross-site aggregation of data that would make your visitors identifiable.
As part of the balancing of interests, the “reasonable expectations of the data subjects” must be considered. It is consistent with today’s technological standards that the IP address and browser information are necessarily read out during a website visit for data transmission. Your website visitor not only expects this but intends it.
The aforementioned sorting out serves to ensure the most data-efficient processing possible within the meaning of Art. 5 (1) lit. c GDPR. Besides, the risks for the individuals behind the IP addresses are reduced to an absolute minimum.
Safeguards that address the availability and resiliency of LeadRebel’s systems minimize the risk of data breaches.
If module 2 is to be used, the first thing to consider is that the opt-out cookie can be used without consent. The use of other cookies, on the other hand, is currently subject to the consent requirement under Section 15 (3) of the German Telemedia Act (TMG) in conjunction with Art. 5 (3) of the ePrivacy Directive. This means that one can use module 2 in a data protection compliant manner if one obtains consent to use these analytics cookies via the cookie banner before starting data processing.
If module 3 is to be used, consent must be obtained before the recording of the cursor movements begins. Consent management is cookie-based, i.e., website visitors must also consent to the placement of a cookie via a banner. Such a cookie, in turn, represents, in a way, your website visitors’ consent to the recording of the cursor movement. Here, the consent requirement arises from the fact that the cursor movements relate to a specific website call and are therefore linked to the visitor’s IP address (module 1) and the other data determined about the website visit.
Backend data processing
The processing of personal data or data related to a data subject carried out in the backend of LeadRebel can also be based on relevant legal foundations.
Art. 6 (1) lit. f GDPR is again a valid legal ground for matching non-company-related IP addresses with company databases. Since LeadRebel sorts out IP addresses that may be personally identifiable without exception, the balance of interest is in favor of data processing. Similarly, the determination of contact data of employees of the identified company is also frequently in the legitimate interest of the website operators according to Art. 6 (1) lit. f GDPR. In particular, the following reasons speak in favor thereof:
LinkedIn, as well as XING, inform their users in their privacy notices that, if applicable, data can be found in search engines and can be viewed by third parties (assuming appropriate profile settings).
Because employees voluntarily make their professional profiles publicly available, anyone can quickly determine their company affiliation. In this regard, LeadRebel merely simplifies the search process and makes the information available in bundled form.
No storage of determined contact information takes place in LeadRebel’s system.
The functionality is optional and available to customers only upon request.
Role allocation under data protection law
The use of LeadRebel is to be classified as so-called commissioned processing within the meaning of Art. 4 (8) and Art. 28 GDPR, so that it is first necessary to conclude a commissioned processing agreement, which Pulserio AG provides to its customers. Pulserio AG acts as a data processor bound by instructions. Customers retain full decision-making authority over the purposes and means of data processing. LeadRebel also does not process any data arising from the contractual relationship for its own purposes.
Data processed by subcontractors
Some of LeadRebel’s service providers are US companies. In its landmark “Schrems II” ruling, the European Court of Justice declared the EU-US Privacy Shield invalid. LeadRebel naturally takes this decision into account when using subcontractors. Therefore, LeadRebel generally legitimizes the corresponding data transfers via the so-called standard contractual clauses and checks whether they are adhered to by the service providers. Furthermore, by employing state-of-the-art technical and organizational measures, LeadRebel ensures a reduction of any risks concerning the transfer of data to the USA. In addition, the transfer of data to the USA can be secured by a corresponding declaration of consent in the website operator’s cookie banner.