A large swathe of the UK’s leading affiliate companies have joined forces claiming pursuit of a “clear, consistent message” around the impact of the General Data Protection Regulation (GDPR) on clients’ performance marketing activity. 

Those companies involved – including affilinet, Awin, CJ Affiliate, Impact Radius, Optimise, Performance Horizon, Rakuten Marketing, Skimlinks, Tradedoubler and Webgains – have begun communicating the guidance to publishers as of this morning (March 5), suggesting key areas publishers will need to focus on in order to achieve GDPR compliance.

The update follows an earlier rallying by affiliate network Awin in February, which urged competing networks to clarify their stance on data-handling in the run-up to GDPR and whether they conform to the definition of a data ‘controller’ or ‘processor’ – a defining trait that would have implications on both the network and its advertisers’ responsibility over the data it uses for tracking purposes.

Today’s announcement – which is available to view here (PDF) – shifts the focus to the responsibility of the affiliates themselves, identifying several key areas where it suggests publishers will have to address as a matter of urgency before May 25 rolls around.

On the subject of personal data – the handling of which sits at the heart of the GDPR update – the advice suggests that any publishers using affiliate tracking will be obliged to ensure they are legally compliant with the new regulation.

“Data the affiliate industry relies on that is not currently considered personal data may under the GDPR now be classified as such,” reads the announcement; “Whilst a definitive list of personal identifiers does not exist for affiliate marketers, we can safely assume it will include information such as cookie IDs, customer numbers, IP addresses, device IDs etc. These are identifiers that many networks and platforms capture as part of their standard tracking.”

The announcement also tackles the required legal basis for processing personal data, with the two most significant for the affiliate industry being consent and legitimate interest, and reaffirms the Interactive Advertising Bureau Europe’s development of an industry-wide ‘consent tool’ in time for the May deadline, which could be available to publishers for free integration under the right circumstances.

‘Not all rosy’

Despite the best motivations for providing clear and consistent industry-wide guidance to publishers, the statement seems to have raised more questions than answers among members of the affiliate community itself.

“The announcement that the affiliate networks put out together looks like good advice for publishers but behind the scenes, it’s not all rosy. I think it’s fair to say that publishers should be concerned as each network has a slightly different policy or view, despite the fact that they all use data in a very similar way,” said commentator A.

This viewpoint is echoed by others, who added that in order to keep working with multiple networks, “a lot of tech work” will be needed to ensure publishers are complying with each network’s nuanced approach. It’s also the case, they added, that advertisers will have their own separate set of guidelines leading to further complexity when dealing with the preferences of different partners and campaigns.

As predicted by Awin earlier in the year, this could lead to the knock-on effect, shifting the power balance to larger affiliates as first-party data becomes a premium commodity; those with a more established trust and authority among their audiences could be better able to leverage user consent through access to content in a ‘value exchange’. 

With the ICO (Information Commissioner’s Office) leaving the new guidelines open to interpretation, the varied interpretations are “not necessarily the network’s fault”, said A, but shared the concern that approaches to GDPR could be being used to “gain a competitive advantage” by some.

Despite the best efforts of the consortium to release a joint statement of clarity on GDPR, there is an overriding opinion that with just under three months to go, there is a “worrying” level of uncertainty around an update that has the potential to reap a “huge negative impact” on affiliate revenue, with publishers potentially having to regather consent from all existing customers.

While the statement released today may not have provided quite the “clear, consistent” message it set out to, it admits itself that the situation and impact on the affiliate industry remains “uncertain”; it has at least elevated the discussion and raised a case for further conversation and affirmative action from all industry members before deadline day.  

For publishers looking to make general progress implementing GDPR compliancy, the statement features some initial steps that should be taken: 

  • Publishers should pay attention to ensuring transparency to consumers and decide the most appropriate legal basis for collecting and processing personal data from site visitors.
  • Publishers should assess and upgrade privacy policies and cookie notices to provide transparency and upgrade consent capture.
  • Publishers should seek their own legal advice. This communication should not be read as legal advice.
  • Publishers should refer to their individual affiliate networks and platforms for any specific guidance or requirements to comply with GDPR.