It was just two months ago that a swathe of the UK’s leading affiliate companies teamed up to announce a “unified approach” to General Data Protection Regulation (GDPR) compliance.
Many of them direct competitors, this alliance offered to bring a “clear, consistent message” around the regulatory update that threatened to turn the European data-driven marketing industry on its head. Though made with the best intentions, however, the announcement did little to quell concerns among the affiliates themselves, and efforts to pursue a unilateral approach were swiftly disbanded as networks realised the logistical scale of restructuring processes to an industry plane.
Instead, groups chose to focus their efforts internally, pursuing their own idiosyncratic approaches and laying them out in communications on their company sites, among correspondence with clients, and at industry events.
In efforts to draw out the - in many cases, nuanced - distinctions between the approaches of leading networks in the UK and provide some additional clarity, PerformanceIN asked nine key questions around the impact of GDPR to representatives from TradeTracker, Tradedoubler, Awin, Rakuten Marketing, CJ Affiliate By Conversant and Webgains.
Do you see GDPR as an opportunity or challenge for affiliate marketing?
Philip Keckeis (director of international operations, TradeTracker): Any improvement with regards to professionalising the industry is ultimately an opportunity, and as such the same goes for data protection, albeit the impact it may have on processes. It requires stakeholders to take a good look at how they deal with personal data and safeguard it from being misused.
Chris Russell-Smith (country manager UK/IE, Tradedoubler): If the impact on the industry at this stage is uncertain, GDPR presents both a challenge and an opportunity for affiliate marketing. Short term there are always challenges as the industry moves to accommodate legislative requirements. But affiliate marketing is light touch compared to some digital channels and, as such, there is an opportunity for affiliate marketing to be seen as more desirable by advertisers and secure greater budget as a result.
Kevin Edwards (global client strategy director, Awin): Probably both due to the diverse nature of the affiliate channel. GDPR requires everyone to rethink their businesses and the painful truth is some of them may suffer, but for others, it is a chance to build stronger, more transparent relationships with their users and there has always been a clear value exchange between many affiliates and their users. Also affiliate data is pretty light-touch compared to other channels meaning it’s insulated to a degree.
Nick Fletcher (VP client success, Rakuten Marketing): An opportunity – naturally! The level of transparency in affiliate marketing meant that it came out of the various issues that hit other digital marketing channels (think Marc Pritchard’s IAB speech or the headlines in The Times about advertising funding extremism) with its reputation intact. Affiliate marketing has a great opportunity to set an example for the rest of the digital marketing industry by being clear and upfront about how and why we process data – by proactively gathering consent.
Owen Hancock (head of strategy Europe, CJ Affiliate by Conversant): Both! The enforcement of the GDPR does bring significant risks - both fines and potential reputational damage, as well as a large workload for companies trying to achieve compliance with the new standards. However, there is the opportunity here for the affiliate industry to build accountable best practice into the way that we work. This increased transparency should ultimately hail not just improved consumer experience but also greater commercial opportunity.
Richard Dennys (CEO, Webgains): It's clearly both, however this rebalancing of privacy of the individual versus wider commercial interests has been on the cards for some time (many years in the case of European legislators). In the short term there will be winners and losers, however, this is a highly innovative and intelligent industry so long term never has "survival of the fittest" been more apt to describe this current period of market evolution in the handling of personal data.
What will be the most significant impact of GDPR to your affiliate partners?
PK: Affiliates will need to assess their activities, processes and promotions similar to other parties involved in affiliate marketing. Due to various technologies used by affiliates, keeping records of the data they interact with may be challenging to more long-tail operators.
CRS: As a data processor, Tradedoubler’s publishers will not see such a great impact from GDPR as long as they have undertaken their own obligations to be compliant. Publishers that use email or retargeting will have had the greater challenges ensuring that they have secured sufficient permissions from their users. Longer term though, this can only increase the quality of interaction.
KE: GDPR will require everyone to rethink how they process data and to clearly document their policies around processing, but the greater impact will be how GDPR changes existing consent obligations under the ePrivacy Directive. This is significant because the standard of consent necessary for GDPR now needs to be unambiguously obtained but it’s important to remember data consent is different to cookie consent and Awin will not be pushing a GDPR consent burden onto publishers.
NF: Rakuten Marketing is taking a 'consent-first' approach, so the biggest impact will likely be the addition of consent tools to both publisher and advertiser websites. We will, however, still be able to track all transactions on the basis of Legitimate Interest, so our partners shouldn’t expect to see an impact on sales.
OH: The biggest impact that we see currently from the GDPR is how it is delaying decision-making. For both advertisers and publishers, each decision is now subjected to an increased level of scrutiny, adding time which means that some opportunity is lost. Building technical solutions for compliance has further added a burden that impacts publisher and advertiser activities. Thankfully, long-term the GDPR will give consumers more control over their personal data and therefore more trust, leading to improved conversions and greater profitability across the board.
RD: Most significant now, we believe, is around the short-term uncertainty. Longer term will be the scrutiny of industry good and bad data and privacy management practice.
How will you approach the role of consent for tracking and attribution?
PK: Consent is only one of the legal bases to process personal data. Parties need to evaluate their own legal basis. In digital marketing, the two most commonly used are consent and legitimate interest. A third one – based on contract – is often used by publishers like registered portals, cashback sites, email or other types of membership enabled entities.
CRS: Tradedoubler is taking the ‘legitimate interest’ route for consent. This means that for our publishers, working with us should be relatively easy. We have developed a Tradedoubler standard Data Processing Agreement for Advertisers and have adjusted our Publisher Agreement to comply with GDPR. This specifies that Tradedoubler operates as a Data Processor, and process personal data for tracking services on behalf of the Data Controller and in accordance with the applicable data protection law.
KE: For GDPR there is no consensual industry approach to consent, but for PECR it’s clear that consent needs to be unambiguous which could be achieved by changing the wording within existing or available cookie banner alerts. Awin will offer an optional consent solution and, in some cases, consent could also be obtained by continuing to navigate a website by clicking internal or external links (provided that cookies aren’t set before this point).
NF: We’re advising all our partners, both publishers and advertisers, to gather consent for personalised advertisements run through Rakuten Marketing. Our partners are welcome to use whatever consent tool they wish – we simply ask that it plugs into the IAB Europe’s Consent Framework. We will also be providing our own consent tool (naturally this will utilise the IAB framework).
OH: CJ uses the same cookies and universal profiles for tracking sales and consumer behaviour for our advertisers and publishers in order to collate the other information we use on the network for cross-advertiser and -publisher insight.
The implementation of GDPR will change the definition of consent in the current ePrivacy Directive. Many affiliate networks, advertisers and publishers will require unambiguous consent to read and write cookies. To solve this, we have built a Consent Tool for any advertiser and publisher in the industry to gather consent for themselves and their ad-tech partners. We have also built an On-Click Consent Solution which doesn’t require any implementation work for partners.
Sharing the Consent Tool industry-wide means that we can help bring best practice, ensuring affiliate is not at the centre of compliance controversy after May 25th. In addition, our CJ Cookieless tracking solution for sale attribution enables advertisers to compliantly track sales when CJ has not received consent ensuring that publishers are properly attributed commission even when cookie consent is not present.
RD: Our latest tracking solution works with the advertiser’s user consent, adds no extra steps or disruption to user journeys. Webgains 'maximum compliance' approach began in Jan 2017.
How do you suggest your partners approach the role of consent?
CRS: It is important that all our partners understand their obligations as a business for GDPR and make any necessary amendments to be compliant. Our partners should review their consent mechanisms to make sure they meet GDPR requirements when processing personal data. There are a variety of options and free consent tools available online which are intended to ensure GDPR and ePrivacy compliance.
KE: Awin is happy for affiliates to obtain PECR consent however they see fit. For example, it will be sufficient in most cases to change existing cookie notices to explain an individual gives their consent to an affiliate tracking cookie if external link is clicked without changing browser cookie settings. Awin’s approach will follow this methodology. PECR consent is not straightforward, especially for smaller publishers, and we want to minimise the burdens of compliance wherever possible.
NF: It is the future – embrace it! As we’ve seen with Mark Zuckerberg recently appearing in front of the Senate – companies processing personal data are increasingly in the spotlight. We agree with the ICO when they state that “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.” Remember, the GPDR is only phase one of tighter regulations around the use of consumer data in the EU’s plan for privacy - looking at the proposed e-Privacy Regulation.
OH: Where consent is required, it’s important that it is collected in a way that is specific and unambiguous. We have worked with the IAB EU, who have developed a framework for collecting consent that’s clear and transparent for users and site owners. Our customer-facing Consent Tool writes to this framework and it’s available industry-wide for advertisers and publishers to gather consent in one place for all of their ad-tech partners (not just CJ).
But of course, always get legal advice on the requirements specific to your company. Both advertisers and publishers will need to review the personal data they’re collecting and ensure they have a proper legal basis for processing this, as well as an auditable trail.
RD: Consent should be treated respectfully and with openness, by any marketing business. Under GDPR you should gain clear consent when you capture personal data, and pretending otherwise is damaging to trust in both business and customer relationships. We believe user journeys shouldn't be unduly compromised by gaining consent.
Will you operate as a data controller or processor, and why?
PK: In facilitating performance marketing programmes TradeTracker operates as joint controller because a data controller is the entity which determines the purpose and manner for which data is processed, either by itself or alongside others. This means that the data controller determines ‘why’ data is processed. A key essential element of processing is which personal data to process. Therefore if a data processor, while assisting the data controller in achieving its purposes, decides what data should be processed to achieve those aims, it will most likely become a data controller jointly with the first controller. That said there is other types of data, like those of our employees, in which case TradeTracker is the sole data controller. Each activity requires its own position.
CRS: Because we operate predominantly in affiliate marketing with no need to directly handle or store consumers personal data, Tradedoubler will act as a Data Processor and process personal data on behalf of, and for the benefit of our Advertisers. As a Data Processor, we will also implement appropriate technical and organisational measures to ensure that personal data is processed in accordance with the requirements in the applicable data protection law, the conditions in our Service Order and our DPA.
KE: We believe we are a joint controller with advertisers and most publishers. In the context of our tracking services, the purpose or essential elements of data processing will be determined by our advertisers - they determine whether to run an advertising campaign - but in the operation of the network, we decide certain aspects and offer account management services that interpret data which pushes into controller status.
NF: We will operate as a controller - independent controllers not joint or dual - of the data because of how regulators view ad technology and all of the services we provide: affiliate matching, determining commissions, detecting fraud, etc.
OH: CJ is a data controller. This is because we use one cookie/profile across multiple advertisers and publishers, thus allowing us to provide services as a network beyond our direct contractual commitments with individual advertisers and publishers - benchmarking, fraud prevention, advertiser recruitment recommendations, cross-device enhancement, personalisation, for example. Given the change in the ePrivacy Directive on 25th May (to reference GDPR for the definition of consent) CJ will be obtaining our own unambiguous consent to read and write cookies, rather than pushing this liability to publishers and advertisers as other networks have suggested they will.
RD: Webgains is a data processor. Unlike some others, Webgains doesn't process data of our advertisers' visitors or customers for our own purposes. We only act on their instructions or requests.
In order to make final preparations for GDPR, where should your partners focus their efforts?
PK: With regards to the activities operated, maintain a list of all processing undertaken in accordance with Article 30 and ensure that this processing is kept up to date. Privacy policies will have to be overhauled in light of the GDPR. The requirements for what information needs to be provided to consumers are more extensive than the old regime and must be provided in a concise, transparent, intelligible and easily accessible way. But above all, don’t inadvertently use or share personal data.
CRS: Since each business is different, GDPR will have more of an impact on some organisations than on others and therefore there’s no real tailored advice. Although we recommend following the IAB UK GDPR checklist and GDPR Guide from ICO to get an overview of the key points to know about the potential implications of the GDPR.
KE: GDPR requires businesses to get their ducks in a row; so following the guidance of the ICO in determining why, what and how data is tracked are all fundamental questions partners should address. Storing that information centrally and then understanding how GDPR and, crucially, ePrivacy rules coexist is important.
NF: Focus on areas that have the biggest potential impact on the consumer – after all the fundamental ethos behind GDPR is to protect individuals. As well as ensuring your privacy statements and policies are updated, make sure you can answer any access requests that come in and that your partners are ready to help you with these requests.
OH: Lots of businesses we’ve spoken to are daunted by GDPR, but ultimately it has to be dealt with head-on. The most critical thing is to have an audit trail to show to the DPAs.
Show that you’ve reviewed your business and are making efforts to comply. Beyond auditing and leveraging a consent management provider such as our Consent Tool, the main advice I would offer is to consider all the personal information that your business depends upon, not just your own personal data. If you work with third parties that leverage personal data, then you may want to support them in gathering consent for their own use.
RD: Collaboration and alignment with partners is key to making a success of GDPR. This should be the same for all parties, whether an advertiser, a publisher or data processor or sub-processor.
What has been the main concern among your partners in regard to GDPR?
PK: A lack of clear knowledge and examples with regards to activities, an extensive overview of types of data or one-stop solution to solve any potential issues. The internet and digital marketing are still very fragmented and a broad spectrum of opinions is shared. Any stakeholder would like to have a simple yes or no answer to questions, although they are often answered with ‘if’ or ‘but’. Nonetheless, parties need to take a well thought-out position and make arrangements accordingly.
CRS: For many, the details of implementation remain far from clear. There is an uncertainty about consent disclosure and how it will affect user experience and opt-in. At Tradedoubler, we have allocated local experts in each market and have created teams of associates from cross-functional business lines to manage our GDPR preparation and advise our partners.
KE: A lack of consensus among affiliate networks and SaaS platforms. Some companies are choosing the processor position for example and others controllers. Additionally, some networks use affiliate data for profiling and remarketing which results in a greater use of personal data and therefore potentially places greater demands on some networks over others, especially if there’s a lack of clarity over which of those needs consent. What must be hoped is eventually a clearer route emerges.
NF: Lack of guidance and clarity from governmental and industry bodies. Guidance from the ICO in the UK, the CNIL and France, and other authorities is often very different and seems to fluctuate. Businesses are understandably extremely nervous about the potential fines, and yet crystal-clear advice on how to be compliant is difficult to find.
OH: The lack of clarity and fully thought-through advice from some networks along with attempts to pass responsibility for consent gathering onto clients and away from networks. Affiliates need to have a legal basis for themselves and their partners (e.g. networks) to process data and need to evaluate if consent is needed, and this isn’t when EPR is enforced in the coming year or two – it’s from 25th May. From then on, the ePD will link to the GDPR for their reference of consent for writing cookies meaning that consent must be specific and unambiguous. The overall lack of clarity around GDPR, alongside the enormous potential fines, has created a financial nervousness for many partners.
RD: Our partners are mainly concerned about mixed messages and inconsistent positions through the affiliate and performance marketing community. At Webgains we've always been consistent in both communities.
What support do you offer to partners in regard to GDPR and where can they seek further one-to-one advice up until and after the update?
PK: TradeTracker will organize Q&A sessions for merchants and affiliates jointly with advisors with regards to the GDPR. Partners can subsequently get in direct contact to address any issues they may still face on an individual basis. How the GDPR impacts each business varies greatly, so general advice can be provided only.
KE: We’re regularly publishing updates via a dedicated page on our website. Eventually, this will feature additional information including a data processor arrangement for joint controllers, a privacy impact assessment and a banner consent tool that we’re offering out to our partners. Networks are in a tricky position because they’re unable to offer legal advice, but the longtail will expect us to provide more concrete guidance on how to become compliant.
NF: Firstly, we have an extensive resource centre on our website, with GDPR-specific sections and content. Secondly, all our teams have gone through GDPR-training – so feel free to speak to any of us. You can also contact me directly at firstname.lastname@example.org.
OH: Firstly, we’ve released the Consent Tool for any publisher and advertiser to gather consent – not just those who work with CJ.
We also held a GDPR Summit for our partners to hear directly from privacy team, the IAB EU and IAB UK on how they should approach GDPR. We’ll be publishing videos and downloadable resources from that event in the coming days, and we’re hosting webinars in the coming weeks that will follow the same format.
While we’ve been guiding partners through the process of gaining compliance step-by-step if any partners we haven’t reached out to yet want more detailed advice then they can reach out to me directly.
RD: For over a year Webgains has been rolling out internal updates and training to our global teams. Our partners should continue to use their usual Webgains point of contact for GDPR related questions and advice. For more detailed and specific queries, we have internal escalation processes to our local and central Data Protection Officers as well as at our parent company in Germany. We’re satisfied that in the main, outside of updating our tracking technology and our terms, the way our network partners work with us from May 25 will hardly change.
In light of varied approaches, what advice would you give to partners active across multiple networks?
PK: Each party needs to evaluate their own position and act accordingly. All should start by reading about the GDPR and understand the roles of data controller and data processor in the use of personal data. A data controller is an entity which determines the purpose and manner for which data is processed, either by itself or alongside others. This means that the data controller determines ‘why’ data is processed. The data processor, on the other hand, does not make decisions as to why the data should be processed. However, it can make some limited decisions about ‘how’ the data should be processed.
CRS: It is important that our partners refer to every affiliate network they are active with and explore the full scope of GDPR to get familiar with best practices in data security and privacy and work to comply before the law goes into effect in May.
KE: Ask what is expected of them to continue doing business with the network after May 25. Networks may also ask their partners to signed updated agreements so, again, ask what the changes are for and what is required. Also, get clarity on why those compliance measures are being pursued. The important thing to consider is publishers have been required to obtain consent since 2012 under ePrivacy laws but the requirement is heightened under GDPR.
NF: Speak to your different networks and understand how they would tackle this issue, but if in doubt, gather consent. Most advertisers and publishers are not operating within a single advertising channel (search, social, display, affiliate, etc.). As such, each of those channels processing grounds maybe be different and it could be very confusing to end users unless you make it clear. We believe it’s the right experience for the consumer under the spirit of what the GDPR is trying to accomplish.
OH: As ever, start by getting your own legal advice. Understand that the ePrivacy Directive will change on May 25 to reference the GDPR for its definition of consent for writing cookies – this is not an interpretation, it’s a fact. Beyond that, it’s important to speak to each network independently to understand the actions they require from you, as well the legal commitments that they might be placing on you.
But also, harness the benefits. For example, make your business easy for your partners to work with. If you can be transparent about your processes for achieving compliance, then there’s potential commercial benefit from improving your relationship with key advertisers or publishers.
RD: Advertisers working through any network, including Webgains, should run every aspect of GDPR liability through their own legal advisors and make sure that they (i) obtain user consent and (ii) examine the network contracts to ensure the terms are fully and immediately compliant with their PII responsibilities. If running international programmes using multiple networks then the global reach of GDPR means all networks need to run within its framework. Publishers and Advertisers need to ensure all affiliate touch points are GDPR compliant.