From the Hogan Lovells blog, Chronicle of Data Protection:
On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a€200,000 fine [link in German] against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent. The case – which attracted much negative publicity in Germany, including page 1 headlines and “top spots” in television news – may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.
Between 2005 and 2010, Hamburger Sparkasse disclosed its customers’ bank account data regarding incoming and outgoing payments to customer consultants on a regular basis. In addition, the bank used customer, sociodemographic, account balance, and product use data to create personality profiles of its customers. For this purpose, the bank made use of modern neuromarketing and brain sciences techniques. The customers were classified in different categories, such as “adventurer” or “connoisseur.” Based on this information, the bank extended custom-tailored offers to its customers. The customers hade not been informed of and had not consented to the bank’s activities.