This is a guest contribution by Pavlos Sideris. If you would like to submit a contribution please contact Bill Beatty for submission details. Thank you.
Across the UK and the rest of Europe, businesses from all industries use data collection as a way to drive their companies forward. While this has proven an effective method, especially as we move into a more virtual world, there have been a number of setbacks, including companies using this data for more nefarious means, or that data being targeted for theft.
While there have been laws in place for several years to protect people’s rights and personal information, there were still many changes that needed to be made in order to fully satisfy the security of people’s personal information and the way it is collected, handled and used.
That’s where the GDPR comes in. It will come into effect on the 25th May 2018, with the aim of giving consumers more protection while also imposing stricter penalties on companies that don’t comply.
The purpose of affiliate sites is to drive traffic to merchants and operators. Most affiliates collect data on their visitors not only for remarketing purposes, but also to understand their habits and ultimately improve customer journey and conversion rates. Affiliates will need to understand what is required by them under the GDPR and what actions they must take, in order to be fully compliant and avoid the risk of huge fines.
Why The Need For Change?
While not overly popular at a time of significant change in the industry, to understand how the GDPR will affect you, it’s important to understand why it has come about and how it will ensure safer and more secure data privacy.
OECD
The GDPR is based on the ‘Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’, first published by the Organisation for Economic Co-operation and Development (OECD) in 1980. This publication outlined 8 principles for the processing of personal data:
• Collection Limitation Principle
• Data Quality Principle
• Purpose Specification Principle
• Use Limitation Principle
• Security Safeguards Principle
• Openness Principle
• Individual Participation Principle
• Accountability Principle
While these principles later formed the basis of many laws concerning data privacy across the EU, they were only guidelines and so the degree of data protection and privacy employed by organisations varied significantly from state to state.
Data Protection Directive 95/46/EC
Introduced in October 1995, Directive 95/46/EC was an attempt to harmonise the varying laws of different member states. However, it was still only a directive, and so was open to interpretation.
With the rapid advancement of technology, the internet, social media, and the way data is collected and used, more stringent, enforceable legislation was required. By 2013, 90% of the world’s data had been generated in just the preceding two years.
The GDPR aims to improve standards in line with modern technology and its usage, to “protect the fundamental rights of individuals throughout future waves of innovation”.
Who Will Be Affected?
This legislation will affect any organisation that processes data about individuals in the context of selling goods or services to citizens of EU countries, whether or not that organisation is situated in an EU country.
What Areas Does It Cover?
The GDPR not only aims to protect individuals’ data, it also aims to empower individuals over the use of their data and allow them to understand how and why their data is being used. It will accomplish this in six broad areas:
• Breach Notifications – alerting a Data Protection Officer (DPO) to a security breach.
• Right To Access – the right of individuals to obtain a copy of the data held on them.
• Right To Be Forgotten – the right to have data deleted from a company’s records.
• Data Portability – the transfer of data to other controllers/companies.
• Privacy By Design – the consideration of data privacy over all stages of system design.
• Data Protection Officers – the requirement for internal record keeping, and in some cases appointment of a dedicated officer.
What Counts As Personal Data?
The GDPR defines personal data as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Personal data can range from something as simple as a person’s name, to their email address, the posts they share on social media platforms, bank details, political views, and even their IP address or cookies used to track their habits online.
Affiliates should review their systems in great depth and list the various ways they are collecting data, both directly and indirectly. Collecting an IP address, or using web analytics software, might seem innocent, but that information can be used to build a ‘profile’ of an individual and expose their true identity.
Methods In Which Affiliates Collect Data
Affiliates are discovering numerous new ways to collect and use data to better understand their audience and acquire new ‘customers’. However, the core methods by which most affiliates collect data are:
• Collecting and storing names, email addresses and phone numbers for the purposes of newsletter or SMS campaigns.
• Account features which allow users to sign up to a website/platform, and in turn collect and store personal details.
• Gaining access to users’ social media profiles for the purposes of ‘signing in’ to a platform, or entering a competition.
• Collecting browsing habits and behaviour to better understand site usage and customer journey.
• Collecting browsing habits and behaviour for the purposes of advertising/remarketing.
• Geo-targeting of IP addresses in order to serve relevant offers.
• Installation of affiliate tracking codes and/or cookies.
Are You A Controller, Or A Processor?
“A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
In other words, you’re a controller if your company is the entity using the data to its benefit, and you’re a processor if you’re collecting the data on behalf of the controller, or delivering the tools required to collect that data.
Most affiliates are controllers as they use the data they collect to market or remarket to individuals, and grow their audience. Suppliers of web analytics or email marketing software, on the other hand, are processors, because they provide affiliates with the tools to collect and apply that data.
Ultimately, all affiliates set tracking cookies, else they wouldn’t get paid. And most (if not all), will employ some kind of web tracking software to better understand their audience – so it’s quite safe to say that all affiliates are at least a controller.
Note that it’s not mutually exclusive – a great number of affiliates will be both processors and controllers, because they both use data to their advantage, and create their own tools to collect and process data, whether it be via in-house newsletter subscription functionality, or a custom cookie which stores preferences.
Does it matter? The GDPR can and will hold any party accountable for data misuse or non-compliance, but the onus points more towards processors as data collectors and holders. So, like most (if not all) affiliates, if your website has the ability to collect personal information, whether it be a name, email address, IP address, or cookie, then you need to comply, or you risk prosecution.
How Can You Comply?
1. Consent
Consent plays a key role in the changes that are going to be made by the GDPR. Consent must be gained prior to any data being collected, and the date and time of consent recorded for auditing purposes. It can no longer be tucked away in small print T&Cs; it must be separate from other policies on your website, and presented in an “intelligible and easily accessible form”.
In reality, your request for consent can be provided on a separate page of your website, for example your privacy policy, but it must be clearly laid out, easy to understand, and must explain the following:
• What data you are collecting
• Why you want the data
• What you will do with it
• How long you will keep the data
• A reminder that the data subject can withdraw consent at any time
An opt-in/confirmation checkbox (or similar) should be presented prior to specifically collecting any data from an individual (with a link to the full request for consent), such as when subscribing or signing up to your newsletter or website. Note that pre-ticked boxes and opt-out boxes are no longer acceptable. The date and time of consent, and the version of your request for consent or privacy policy, should be recorded, as well as the options the individual has consented to, if applicable.
For existing subscriber databases, it might be necessary to obtain re-permission from your subscribers if your existing opt-in practices aren’t GDPR compliant. Review your processes and privacy policy, and if they aren’t compliant you will need to get your users to opt-in again, giving their consent as outlined in your new privacy policy or consent document.
It should also be “as easy to withdraw consent as it is to give it”. Users should therefore be given the option to easily unsubscribe or close their account, and any further marketing or usage of their data should cease immediately.
Cookies, in terms of the GDPR, are a little more complex than other topics. However, in short, if cookies are used to track behaviour across websites while collecting purchasing habits or other personal data, then consent is required.
The usual cookies used to store session data or on-site preferences are considered essential cookies – they’re required to access secure areas of websites, and most sites can’t function properly without them. These types of cookies don’t even fall under the ‘Cookie Law’, and don’t require consent under the GDPR.
The standard Google Analytics code (without Advertising Features enabled) doesn’t track across websites, and doesn’t collect demographic or other data for advertising purposes. It also therefore doesn’t fall under the Cookie Law. However, this is non-essential functionality, and so users should at least be informed about why it has been implemented.
If you have Advertising Features enabled, or use any other kind of tracking cookies for advertising or remarketing purposes, then you must obtain consent before those cookies are set.
Tracking cookies used in affiliate links technically aren’t set on an affiliate’s website, they’re only set once the user clicks off the website to go to the operator. However, as the tracking links are installed by the affiliate (and unless we want affiliate networks to start presenting ‘interstitial’ consent pages to visitors before being redirected to operators!) then affiliates should be transparent about the tracking links they use and the reason for them. Strictly speaking, affiliates should also offer the ability to opt-out, but as the setting of affiliate cookies isn’t actually performed on the affiliate’s site and isn’t under their control, information on how to block such cookies via the browser would suffice. It could also be argued that users give ‘implied consent’ over the setting of affiliate cookies, by clicking on banners and ‘get bonus’ buttons.
Sensitive data such as bank details, racial or ethnic origin, political or religious beliefs, should be handled with extreme caution, and explicit consent must be obtained prior to it being collected. As most affiliates don’t collect this type of data, we won’t go into any more depth here, but if you do, then you should seek legal advice on how to ensure you are compliant.
Lastly, consent is only applicable for the data listed in your ‘request for consent’, and for the purposes you have explained. If at any point you decide to collect additional data, would like to use existing data in other ways, or if you partner with a third party who will have access to your data, then you must obtain additional consent for the new purposes and give users the option to update their consent, or revoke it completely.
Ultimately, relying on consent will introduce challenges both in terms of obtaining that consent, as well as justifying the use of data in an audit. If you can operate without requiring consent, or at least can limit the consent required to a minimum, then that would be the recommended approach.
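The consent record described above (timestamp, policy version, the options actually ticked, withdrawal, and re-permission when the policy or purposes change) as an added example; this is not code from the article, and the purpose names, the `ConsentLedger` class and its rule that consent is valid only under the policy version it was given for are assumptions.

```python
"""Consent ledger for a newsletter sign-up (added example, not from the article).
Assumed design: each opt-in stores a UTC timestamp, the version of the privacy
policy shown, and the purposes the subject actually ticked; consent is valid only
for those purposes under that policy version, and withdrawal takes effect at once."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

@dataclass
class ConsentRecord:
    purposes: FrozenSet[str]        # e.g. {"newsletter", "sms"}; never pre-ticked
    policy_version: str             # version of the request-for-consent text shown
    given_at: datetime              # recorded for auditing
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self, current_policy_version: str) -> None:
        self.policy_version = current_policy_version
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_opt_in(self, subject_id: str, ticked: Set[str]) -> ConsentRecord:
        # A form with nothing ticked is not consent: refuse to record it.
        if not ticked:
            raise ValueError("no purpose was ticked; nothing to record")
        rec = ConsentRecord(frozenset(ticked), self.policy_version,
                            datetime.now(timezone.utc))
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def withdraw(self, subject_id: str) -> None:
        # Withdrawing must be as easy as giving consent: one call ends all processing.
        now = datetime.now(timezone.utc)
        for rec in self._records.get(subject_id, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = now

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """True only if a live consent names this purpose under the current policy."""
        return any(rec.withdrawn_at is None
                   and purpose in rec.purposes
                   and rec.policy_version == self.policy_version
                   for rec in self._records.get(subject_id, []))

    def needs_reconsent(self, subject_id: str) -> bool:
        """True when the subject's live consent predates the current policy version,
        i.e. an existing subscriber must be asked to opt in again."""
        live = [r for r in self._records.get(subject_id, []) if r.withdrawn_at is None]
        return bool(live) and all(r.policy_version != self.policy_version for r in live)
```

Bumping `policy_version` after a privacy policy change makes every existing subscriber fail `may_process` until they opt in again, which is the re-permission step the section describes.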
2. Security
It goes without saying that security should be treated with the utmost importance, both before and after the introduction of the GDPR. Now is as important a time as ever, though, as a breach of your database could be very serious. Ask yourself these questions:
• What are you doing to prevent a security breach?
• If a breach did happen, how is the data stored, and how could it be abused?
• What levels of encryption are you using?
The most advisable course of action would be to encrypt any personal data that you store (not just passwords), as it could spare you a great deal of embarrassment, protect your reputation, prevent misuse of that data and, of course, avoid a serious penalty.
3. Breach Notifications
Where a security/data breach is likely to “result in a risk for the rights and freedoms of individuals” it should be reported to the local Data Protection Authority within 72 hours. Data processors will also have to notify data controllers, so expect third-party companies to be asking you to confirm your contact details very soon, if not already.
4. Access Rights
Data subjects have a right to know whether or not personal data concerning them is being processed, where and for what purpose. You are also obliged to provide them with a copy of that data, if they request it, within 1 month. The data should be delivered in a commonly used electronic form (e.g. a CSV file), and structured in an easily understandable format.
Subjects also have a right to correct or amend any inaccurate information, as well as object to processing of certain data.
5. Right To Be Forgotten
A data subject can request that the data controller erase their personal data, whether it be due to them wanting to leave your platform, the data no longer being relevant for processing, or them withdrawing their consent.
Any data that could be used to identify an individual, or provides a link to their “advertising profile”, must be deleted. This could include deleting their data from Google Analytics, if that data is linked to them in any way (Google recently announced that they are introducing a user deletion tool using Client ID, User ID or App Instance ID).
6. Privacy by Design
Failures in data protection have always been a serious offence. However, under the GDPR, failure to “implement appropriate technical and organisational measures ... in an effective way”, both in existing systems and in the design process of new systems, will now be a legal requirement and carries the harshest banding of penalties under the GDPR.
The legislation states that controllers should only collect data that is deemed absolutely necessary to operate, and that data should be restricted from anyone within the organisation (as well as outside) who doesn’t specifically need to access it.
Most affiliates might brush past this one, but beware: the rules set under the GDPR apply to employees, freelancers and contractors. So if your content writer has access to the same system which stores your users’ data, then you need to implement some security roles immediately!
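Sections 4, 5 and 6 above (the subject access copy in CSV form, erasure on request, and restricting subject data to staff who need it) demonstrated together in one added example; this is not the article's or any vendor's code, and the `dpo`/`support`/`writer` roles, the `PersonalDataStore` class and the sample subject fields are constructed assumptions.

```python
"""Minimal personal-data store (added example, not from the article) showing the
article's access right, right to be forgotten and least-privilege points together.
Assumed roles: 'dpo' may read, export and erase; 'support' may read and export;
'writer' (a content writer) may not touch subject data at all. Every attempt,
allowed or denied, goes into an audit log."""
import csv
import io
from typing import Dict, List, Set, Tuple

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "dpo": {"read", "export", "erase"},
    "support": {"read", "export"},
    "writer": set(),            # no access to personal data, by design
}

class PersonalDataStore:
    def __init__(self) -> None:
        self._subjects: Dict[str, Dict[str, str]] = {}
        self.audit_log: List[Tuple[str, str, str]] = []   # (role, action, subject_id)

    def _authorise(self, role: str, action: str, subject_id: str) -> None:
        # Log first, so denied attempts are visible too, then enforce the role.
        self.audit_log.append((role, action, subject_id))
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {action} subject data")

    def store(self, subject_id: str, fields: Dict[str, str]) -> None:
        # Called by the sign-up path itself, so no human role is involved here.
        self._subjects[subject_id] = dict(fields)

    def export_csv(self, role: str, subject_id: str) -> str:
        """Subject access request: everything held, as a CSV the subject can open."""
        self._authorise(role, "export", subject_id)
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["field", "value"])
        for name, value in sorted(self._subjects.get(subject_id, {}).items()):
            writer.writerow([name, value])
        return buf.getvalue()

    def erase(self, role: str, subject_id: str) -> bool:
        """Right to be forgotten: drop every field held on the subject."""
        self._authorise(role, "erase", subject_id)
        return self._subjects.pop(subject_id, None) is not None

    def holds_data_on(self, subject_id: str) -> bool:
        return subject_id in self._subjects
```

In a real system the audit log and the `ROLE_PERMISSIONS` table are what an auditor asks for, so keep both somewhere the content writer cannot edit.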
7. Data Protection Officer
A dedicated DPO is only necessary for organisations involved in regular or systematic monitoring of data on a large scale including the handling of extensive personal information or large volumes of ‘special category data’.
Nevertheless, organisations are expected to keep internal records of the data they collect, the consents they received, and the ways in which they process the data.
What If I Don’t Comply?
Any organisation that doesn’t comply with the GDPR can expect a penalty of the greater of 4% of annual global turnover or €20 million. This fine applies to the most serious of failings, with less serious offences incurring a fine of 2% of annual global turnover.
Penalties can apply to all failures under the GDPR, including not delivering a breach notification, as well as collecting personal data without consent.
This article contains general information for affiliates to make their own informed decisions about the upcoming GDPR. You must not rely on the information in this article as an alternative to professional legal advice. The article has been contributed by Pavlos Sideris of NoWagering.com – the only dedicated resource of no wagering casinos, wager-free spins, and low wagering bonuses.