GDPR: The new European data protection law and its impacts on affiliate marketers


This article is not legal advice. For accurate consultation on legal matters, Admitad strongly recommends that readers speak to a lawyer or visit a legal consultation office that specializes in the GDPR.

We live in a world that is increasingly interconnected as new social media platforms and technologies are released. With so much of our personal data being inputted on the internet, it was only a matter of time before someone used questionable, if not illegal means of obtaining said data. This already happened earlier this year, and Facebook was in the fiery spotlight.

The Cambridge Analytica app asked Facebook users to take a quick survey and then crawled its way into their friends lists, collecting everything from their personal messages to all the info of their contacts. This resulted in 87 million users’ data being leaked and manipulated to fuel Donald Trump’s political campaign.

The Facebook data leak scandal is a perfect example of the reason why we need the General Data Protection Regulation (GDPR) when it comes to protecting data subjects’ rights. While steps are being taken in the right direction for the individual, there are impacts on businesses and marketers which should be considered. Anyone who does business in Europe or even tangentially collects data from EU Citizens needs to be aware of the GDPR. It affects all industries from e-commerce[3] to horse breeders.

Marketers and advertisers who use affiliate networks also must be aware of the GDPR’s impact on their industry. With this sudden shift in privacy laws, affiliate marketers have their own set of questions that they need answered to properly adapt.

Affiliate marketers adapting to the GDPR

From a purely technical point of view, it is already a mainstream approach to develop pop-up consent tools. When you access the website, within a few seconds a dialogue box will appear which explains the updated privacy rules, and the user has the option to accept or decline the new terms of use.

If a user declines, the website will not be able to use any of their subject data. This is not to be confused with being denied access to the website, as many people don’t read the dialogue boxes and accept them, thinking that they will not be allowed to proceed if they decline.

Adaptations of the ‘data privacy’ term

The European Court now treats data privacy as a sensitive matter. Market players are eagerly awaiting the first appeals of the GDPR for resolving court cases related to personal data. European law is built on the basis of precedents. For marketers to clearly understand the new law and avoid double interpretations, they are waiting for the explanations the European Court will give in respect to the existing terminology, based on judicial practice.

For example, on what grounds will all personal data be divided? How should we treat each type of data? What geographic characteristics should this data have in order to be uniquely suited to the GDPR? These are all questions that the European Court needs to answer to clarify the implementation of the GDPR.

Marketers are also waiting for punishment cases of non-compliance with the GDPR, as they will help to further understand its implications. We see the growth of various GDPR-related businesses which help companies comply with the new law (law advisors, technical help, developers, advocates and lobby). Morgan Lewis is one such law advisor which helps companies adapt. Some networks are joining professional organisations, such as the IAB, to collectively lobby their interests. For example, they officially join its Vendors list, which helps protect business interests and access new measurement initiatives.

In the near future, another law dealing with personal data, and stricter than the GDPR, will come into effect -- the e-Privacy law[4]. Companies and marketers are already preparing for it, lining up their terms of use with its requirements.

How are marketers adapting this term to their practical business processes?

The ecosystem around the GDPR is rapidly changing. The EU's independent data protection authority is called the European Data Protection Supervisor (EDPS)[1]. One of the responsibilities of the EDPS is to intervene in cases before the Court of Justice of the European Union (CJEU) and the General Court.

The EDPS will only intervene in cases that it believes to be relevant to its responsibilities. So far, the EDPS has not brought a case before the CJEU. This means that the EDPS' right to intervene in court cases is not limited to cases where personal data has been processed by European institutions or bodies, but rather extends to all matters affecting the protection of personal data, either on EU or Member State level.

The European judicial system’s multilevel nature makes it quite complicated. For example, the European Court stands above the EU as a whole; however each country has its own court and by-laws detailing certain aspects of the GDPR (general law for the EU) and different interpretations of the law within the framework of individual EU member states. This all needs to be taken into account.

A changing affiliate marketing industry and future predictions

Some companies will shift their business focus from the EU to other parts of the world. The GDPR applies to all market players who somehow collect data about users. Personal data is the main aim of the GDPR, and businesses are uncertain of whether or not they will be able to adapt to the GDPR.

Companies will try to transfer the focus of their business from the EU to other regions of the world such as Japan. This could result in a reduction of their dependence on the European market and risk a smaller share of their business processes. With such strict changes to data collection laws, it’s understandable that some companies would rather move their market than adapt.

Then, the GDPR will help the affiliate marketing industry earn more trust from internet users. Market players who comply with the GDPR will demonstrate more transparency as they treat personal data carefully, and show that their operations related to data collection are legal. Once users begin to place more trust in marketers, it could result in more comfort for consumers who understand that ads are being catered to their true needs, based on information about themselves that they were willing to share.

Finally, every internet subject will be a part of the market change no matter how big said changes will be. For example, under GDPR law, if the company (data controller, Art. 33 of the GDPR) inadvertently allowed the leakage of personal data of EU citizens, it is obliged to notify the personal data breach to the supervisory authority in accordance with Article 55[3] within 72 hours.

None of the previous laws had this requirement, and it will diversify the corporate approach of all market players towards personal data, including changes in their business processes or even business structures.

The impacts of the GDPR on how affiliate marketing networks operate

In affiliate marketing, as well as on the internet generally, all participants are linked and interdependent. In essence, this means that the internet is a global network. It has no state borders of the kind that can be physically experienced offline.

It's hard to track how the personal data was leaked on the Internet. There are many legal and illegal ways to retrieve personal data. In this regard, according to the GDPR, participants in the affiliate marketing process can play various roles. They can be either a data controller or a data processor, and be responsible for the violations prescribed by the GDPR in accordance with the specific role. Everyone who, depending on the role, has not taken appropriate action, will be responsible for the consequences detailed by the GDPR.

The EU legal authorities understand the difficulties of the public. The European Court of Justice (ECJ) recently shed light on who is a ‘Data Controller’ under the GDPR. The ECJ rendered a judgment on July 10 that explains, amongst other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC[2], but the provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.

Some practical consequences include:

  • The status of a (joint) controller does not require that the controller have data access;
  • Written guidelines or instructions from the controller on the purpose and means of processing are not required;
  • Manual records/notes are also covered by the GDPR;
  • The level of ‘control’ of the controller “in determining the purposes and means of processing of personal data” is the decisive factor;
  • The judgment will probably lead to a more intense discussion as to who is a (joint) controller;
  • One decisive factor will be to determine who “organised, coordinated and encouraged” the data processing.

The terms ‘data controller’ and ‘data processor’ among the European community and business are still being defined. Everyone needs to get a clear explanation of many sides and details of the new law.

This is where the chaotic nature of the changes in the EU digital market emerges. Big players are trying to decide which role they will play according to the GDPR. Are they a data controller, or a data processor? A new trend called “self-determination” has marketers selecting one role instead of another, because they consider that if they choose one specific role, it will bring less responsibility and risk. Yet, no one knows for sure. The current understanding of the GDPR among affiliate marketers is still very vague.

Given the recent enactment of the GDPR, affiliate marketers and lawyers alike are awaiting the first round of legal cases that appeal concepts of the GDPR in relation to personal data collection and use. Everyone is patiently anticipating the explanations which will come from the European Court, when it comes to the existing terminology. Some of the questions include how the law will outline the division of personal data, how the types will be separated, and so on.

Furthermore, there are new businesses and positions being set up to help with issues relating to the GDPR. Affiliate marketers and other businesses are eyeing another new law coming to light in the EU -- the e-Privacy law -- which is considered more strict than GDPR. 

Alexander Bachmann, CEO and founder, Admitad
Image source: Shutterstock/Wright Studio