Like all aspects of digital marketing, affiliate marketing is going to be impacted by GDPR in meaningful ways. However, unlike a lot of other digital marketing channels, affiliate marketing is probably better equipped to handle those challenges.
Decision Making - Data Controller or Data Processor?
The first thing to establish when doing any GDPR analysis is “Who is the controller and who, if anyone, is the processor?”. This is important because the controllers have far more obligations under GDPR than processors.
A controller determines why and how data is processed. They can do this alone or with other controllers. Processors can decide how data is processed on behalf of the controller, but this is limited to secondary aspects. If a processor decides what data to process, for example, that processor can become a joint controller with the first controller. This will happen whether they like it or not. It's a question of fact, so it all comes down to what people are actually doing at the time.
Some networks are arguing they are data processors, on the basis that their advertisers make all major decisions about data. This is technically possible, but I do not think this reflects how affiliate networks really work.
Ordinarily, affiliate networks decide technical aspects of the tracking and reporting, and also provide account management, which usually means deciding what data to process in order to achieve the advertisers’ objectives. The consequence is that they end up taking on the data controller role jointly with the advertiser.
Under data processor status, the network can never really make any important decisions about data when running its business. The network could make suggestions about data processing to the advertiser, and the advertiser may instruct the network on the basis of that suggestion, but equally, they may not. Practically, things like platform or tracking upgrades then become very difficult, because all advertisers on the network would need to agree to the processing of any new data. This scenario flows down to publishers with similar consequences. A publisher which acts as the network’s sub-processor loses most of its decision-making power in respect of data when running its business.
With joint controllers, this problem does not arise. Another benefit of a joint controller relationship is that there is no need to enter data processing agreements. From the network’s point of view, they do not end up liable for publishers who would otherwise be acting as sub-processors.
One thing is for sure: if any network or publisher argues that they’re a processor, they had better get this right. If, on the facts, a regulator considers them to be a data controller, they will find themselves in breach of most of the GDPR's key obligations applicable to controllers.
Legal Basis – Legitimate Interest or Consent
I am quite comfortable that tracking, even when tracking is undertaken across devices, can be done on the legal basis of legitimate interest. This is significant because it is a non-consent basis for lawful processing. The impact of this processing on individuals is fairly low and there are also lots of useful safeguards that can be put in place to protect people.
It is not yet clear what success websites will have in obtaining consent, but we have to assume that a significant portion of the market will decline. In my view, that is enough of a reason to avoid consent as a legal basis. From a legal perspective, consent is more difficult than other legal bases. Consents need to be managed, made revocable and they afford individuals much greater rights. Processing pseudonymous data (i.e. data which relates to a single person, but doesn’t allow that person to be identified) on the basis of legitimate interest brings minimal rights for individuals and therefore a much lighter compliance burden for businesses.
If you’re considering doing both, I’d think twice. It is not possible to combine consent and legitimate interest, for example, by using legitimate interest as a secondary legal basis. The regulators have made it clear in their guidance that this arrangement is unfair on people because it creates a scenario where a person who has not consented, and as a result expects not to be tracked, is then tracked anyway.
What about ePrivacy and cookie consent?
Probably the biggest area of confusion that I have seen relates to the relationship between ePrivacy and GDPR because both have a consent concept but they’re fundamentally different.
Under GDPR, consent is one of a number of legal bases for processing personal data. Under ePrivacy, consent is the only way to lawfully set a cookie (unless that cookie is strictly necessary to deliver a service requested by the individual).
However, this does not mean that the two consents are actually the same; ePrivacy consent is much easier to obtain and manage and the risks, if you get it wrong, are far less.
Under GDPR, there is much more information to be delivered to the individual in order to inform them before they give consent. ePrivacy consent is also unlikely to require many of the additional obligations which come along with GDPR’s consent – the main change caused by application of the GDPR consent standard into ePrivacy is to require the individual to do something to indicate their consent (rather than just ignore a cookie banner).
Another interesting distinction between the consents of ePrivacy and GDPR is that the latest draft of the new ePrivacy laws permits companies to refuse access to their websites if ePrivacy consent isn’t given by the individual. This is bound to help consent opt-in rates - for GDPR consent, refusing access to those that don’t consent is expressly prohibited – the website has to be offered anyway, which gives little reason for individuals to consent to data processing. For now, it isn’t clear whether this permission applies to existing ePrivacy law and it may not make it into the final text of any new ePrivacy laws.
If the consent is not obtained properly under ePrivacy, the likelihood of enforcement is much lower than under the GDPR (for a variety of reasons that I won’t go into right now). Most significantly, ePrivacy fines remain capped at £500K, whereas GDPR fines are up to €20 million or 4% of group global turnover, whichever is higher.
My advice is therefore always to use legitimate interest instead of GDPR consent whenever possible, even though we will all need to obtain ePrivacy consent to a higher standard. In fact, we already do, but it will soon become a more involved process.
For some affiliate networks, using legitimate interest is impossible because they are making use of tracking data for a second purpose, often related to programmatic advertising and behavioural profiling. This puts networks in an awkward position because they depend on publishers to obtain GDPR consent for them.
A publisher which monetises primarily by CPA should think twice before obtaining consent for a third party’s data processing that may not benefit the publisher. Not only does the user experience suffer, but if the consent is refused, the tracking necessary to claim the CPA isn’t possible and that revenue is lost.
When reading the recent network Q&A posted by PerformanceIN, I was surprised to see such a lack of consensus. This is not helpful for publishers. As always, but especially in the absence of any generally accepted industry practice, I would recommend publishers think for themselves when considering which approach to GDPR is best for them.
Agree or disagree with Eitan's comments, or have something else to add? Let us know below, or if you'd like to post a reply, email us at firstname.lastname@example.org.
*Sheridans is a law firm providing legal advice to Awin; the opinions provided in this piece are not necessarily the views or interpretations of legal experts advising other affiliate networks.