It’s been more than half a year since the GDPR (General Data Protection Regulation) came into effect. The regulation caused a lot of panic among marketers and companies. What does the GDPR really mean, and why do you need to follow it? To help new developers and affiliates, Evertrack decided to outline the areas of the GDPR that are most relevant for the affiliate marketing industry.
The purpose of affiliate networks is to drive traffic to advertisers and merchants. Many affiliates collect data to launch retargeting campaigns and to explore and understand the habits of their customers. Marketers also use the data to define and calculate conversion rates and other vital metrics.
Affiliates must clearly understand what the GDPR requires and how to comply with the data protection rules without the risk of huge fines. It is important to understand how the GDPR can affect your business, why it was introduced now (we mean this year), and how it ensures the safety and security of personal data.
What exactly is GDPR?
The GDPR requires businesses to follow the right to privacy. In other words, the regulations have changed the game on how companies should manage personal data.
What personal data refers to
According to the GDPR definition, personal data means any information that can potentially identify a real person. The regulation further clarifies what an identifiable natural person is: a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, geolocation, an online identifier, or other specific factors like the physical, psychological, genetic, mental, economic, cultural, or social identity of that person.
In this sense, an IP address, hair color, political preferences, and job interests can all be considered personal data. Consumers fall into three groups in their attitude to the use of their data: neutral, negative, or normal. What should companies do in such cases? They can ask consumers for permission before collecting data, and inform users about the practice called retargeting.
The aim of GDPR
In essence, the GDPR aims to bring more transparency to users about what data an organization collects and how it will be used. The new rules also allow people to opt out of unwanted information (marketers sometimes promote products or services that are of no interest to users).
The GDPR is not explicit about user activity tracking. When it comes to mapping the data flow, the answer to how personal information may be gathered becomes blurry. What we do know is that affiliates and advertisers can use the data only after notifying users and obtaining their permission. If your company ignores the rules, it can pay a very high price.
The purpose of the GDPR is to provide a set of conventional data protection laws through all countries that are EU members. If your company isn’t in Europe geographically, but you work with Europeans, you have to follow these regulations.
The GDPR is primarily aimed to protect the privacy of all EU citizens. Evertrack created a checklist for affiliate networks on what paragraphs of the GDPR they should pay attention to.
Keypoint 1: Check where personal data comes from and whether you can use it
Consumers’ personal data is the key question of the GDPR. Although no definitive list of personal identifiers exists for affiliate marketers, the identifiers affiliate networks rely on, such as cookie IDs, customer numbers, IP addresses, device IDs, etc., fall under the regulation’s restrictions on use.
In summary, personal data can be anything that can be used, directly or indirectly, to identify a person, including cookies, names, email addresses, bank details, IP addresses, and device IDs.
If you plan to collect, process, and store personal data of Europeans, read the regulation twice. Affiliates and networks can obtain and use the data on the basis of opt-in consent, contractual necessity, public task, or legal obligation. Be clear about what you want or need to collect.
The global client strategy director at Awin Global added that the new rules require everyone to rethink how they process data and to clearly document their policies around processing.
Keypoint 2: Decide on the territorial boundaries
We’ve already touched on the topic of boundaries. It doesn’t matter whether your company is located in Europe or elsewhere. The GDPR applies to the processing of personal data regardless of whether the processing takes place in the EU or not. If you work with EU citizens, you have to follow the GDPR. The rules cover all marketing offers, whether payment is required or not.
Affiliate networks that work with companies from around the world should align their policies with the GDPR changes. Many companies have already done so to save time and money in the future.
It is therefore very important to double-check the relevant laws in the countries where you want to launch a campaign. Being armed with knowledge of the legal system means having fewer problems with taxes, fines, and clients.
Keypoint 3: Learn more about the legal basis for processing personal data
According to the GDPR, there are six legal bases available. Two of them are most commonly used in digital marketing: consent and legitimate interests (the rights of the company or other organization). Eitan Jankelewitz (a lawyer specializing in digital media) researched the effectiveness of these two legal bases. He suggested that the impact of processing on individuals is low, and that there are useful safeguards that can protect people.
From a legal point of view, consent is more demanding than the other legal bases. Consent needs to be managed, and it affords individuals much greater rights. Processing incomplete or pseudonymous data (for example, data that does not by itself identify a person) gives individuals minimal rights and companies more freedom. But it is better not to abuse this right, or indeed any right.
At first blush, legitimate interest seems to be a very good option for CPA networks and affiliate marketing businesses. According to the ICO, it looks like the most appropriate basis when using data that has a minimal privacy impact.
We advise you to think twice before combining consent and legitimate interest, because a person who did not give permission for the use of their personal data may perceive it as unfair. The GDPR was introduced to give users the right to choose, to build customer trust and engagement, and to raise the quality and craft of digital marketing.
Contract is also a legal basis, one that is more applicable to B2B interactions. Affiliate networks use contracts with affiliates and, in some cases, with customers (which allow the business to collect and process their personal data).
Keypoint 4: Take penalties into account
Under the GDPR, an organization that breaches the regulation can be fined up to 4% of its annual global turnover (or up to €20 million). This is the highest fine, reserved for the most serious infringements (e.g. not having the client’s agreement on the use of their private data).
If a company infringes multiple GDPR provisions, the fine is determined by the gravest contravention, with a separate penalty assessed for each violation.
The good news is that not all infringements lead to such serious fines. A supervisory authority has the power to issue warnings, reprimands, and orders. The type of fine depends on the nature, gravity, and duration of the infringement and on whether it was intentional or negligent.
According to the case law of the European Court of Justice, “the concept of an undertaking encompasses every entity engaged in an economic activity, regardless of the legal status of the entity or the way in which it is financed”.
An affiliate network has to give the client prior notice of any material changes to the DPA (data processing agreement), for example publishing personal data on the site or any change to customers’ personal data.
Under the DPA, in any agreement between a client and an affiliate network, the client acts as the controller and the network as the processor. This means that any changes made on the platform that concern the client’s private data must be made with the client’s agreement.
The GDPR signifies big changes in the area of data privacy. It is very important not only for EU citizens but also for companies and corporations that do not need to disclose all of their data. It is equally important to understand the obligations your business faces and to make any amendments that are necessary.