
Countdown to D-Day: GDPR and affiliate marketing – will you be ready or devastated?

It’s been in the making for more than four years and is coming into force in less than 12 months’ time: GDPR (General Data Protection Regulation) represents the largest change in data protection and privacy rules in more than 20 years. May 25, 2018 is D-Day for the new GDPR regulation, which is designed to harmonise data privacy and protection laws across Europe. Any business that handles, markets to, tracks or creates profiles of EU citizens must comply with the new regulations. Richard Dennys discusses how affiliate marketers and businesses that utilise affiliate marketing can prepare for the GDPR and ensure their websites are compliant.

As well as enabling individuals to better control their personal data, GDPR also formalises concepts such as the ‘right to be forgotten’ and provides data subjects with ‘data portability’ and access – meaning any organisation collecting EU citizens’ data must provide it to them when asked – and in a machine-readable format.

This is particularly troublesome for affiliate marketers. As affiliate marketing is orientated around a business utilising other websites to drive traffic and/or sales back to their own via referrals (giving those websites a small commission), failing to adhere to the GDPR regulations could be devastating – as every website would now be held accountable.

To ensure they are adequately prepared for the future, organisations need to have addressed their data privacy, protection and processing – yesterday!

Under current data protection laws, data processors (those who process personal data on behalf of another organisation) are exempt from the burden of compliance – that responsibility lies with the data controller (their client).

However, under GDPR, both data processors and data controllers will be held accountable. This means affiliate marketing websites that process visitor data on behalf of controllers will need to adhere to GDPR regulations. In addition, should any of the websites within an affiliate marketing campaign suffer a data breach, that data breach must be reported to the supervisory authority within 72 hours – and if that breach is likely to result in a high privacy risk for individuals, they too must be notified. There are, of course, website elements that these businesses can address to ensure they are GDPR compliant.

Revising your websites ahead of GDPR – the basics

For affiliate marketing networks, GDPR is a collective responsibility. Every individual website must disclose its data collection practices, have a clear trail of consent and inform website visitors how their data is going to be used. Here are some simple actions that can be taken to get you started with preparing for GDPR.

  • Create appropriate privacy and cookie policies.

This means displaying your cookie collection practices and data privacy regulations as soon as a user arrives on your website – and including a page dedicated to that information and a way for website visitors to opt-out of cookie collection.

Most websites that market globally will already have detailed cookie collection information in place, but here are a few examples to convey what businesses must be doing ahead of GDPR:

[Image: MacMillan Dictionary Blog]

The MacMillan Dictionary Blog (pictured above) is a good example of GDPR-compliant cookie practice. By having a button users must click, they have a way for website visitors to provide their unambiguous consent to being marketed to. In addition, they have a link to their cookie policy page, as well as some brief information on how those cookies are being used.

Websites that don’t offer these elements will face some backlash, as users need to be able to opt in to the cookie practices. Implied consent is not enough, and lines such as ‘by accessing this site you consent to the use of cookies’ will not do.

[Image: House of Fraser]

House of Fraser is another good example. Instead of assuming a user is happy to have their data collected by the website’s analytics, their cookie notice requires website visitors to close the message to accept, thereby providing their consent. In addition, they also have a link to their privacy policy via the ‘find out more’ link.


BMW’s website is another good example: the cookie information is right at the top of the browser, before the ‘fold’, meaning any website visitor will notice it. In addition, it requires that website visitors press continue to accept the cookie tracking. They also have the ability to change their cookie settings and find out more regarding BMW’s cookie policy.


  • Revise data security and data management protocols and processes

Do you have a habit of storing data for unnecessarily long periods of time? Under GDPR, you can only hold data for as long as it is actually needed. Ensure you cleanse your website’s database thoroughly.

  • Provide company information

You need to provide website visitors with an easy way to get in touch with you and include your company’s details across all the communications you send out.

Address website personalisation and interaction

Advanced marketing automation tools and website management platforms will enable businesses and organisations to align content with people who visit their website based on previous interactions. This level of sophistication enables those businesses to deliver targeted content and tailor the user experience accordingly. However, under GDPR, behavioural tracking and mapping practices need to be disclosed to the website visitor. You need to let visitors know how you are using that information, as well as giving them the ability to decline cookie tracking.

GDPR and affiliate marketing – double opt-in and opt-out

Any data you have acquired needs to be double opted-in. This means resending confirmation emails to your existing database requesting their permission to use their information and market to them.

Certain marketing automation platforms will automatically send a confirmation email confirming a website visitor’s interactions on the website. For example, if they download a content asset by filling in a form, the marketing automation platform would then send that user an email asking them to confirm that they are indeed interested in sharing their details and being marketed to. With these elements in place, websites under an affiliate network can comprehensively secure their data and ensure they are in line with GDPR regulations.

Also, if there is the ability to opt in to cookie tracking and data collection, an option to opt out must always be available.


Author: Richard Dennys
CEO at Webgains

Richard Dennys has more than 20 years’ experience of starting, growing and selling digital businesses. He’s an expert at driving international growth and maximising shareholder value through the optimisation of sales, marketing and digital functions. He has recently been appointed CEO of Webgains Group, taking responsibility for the strategic and operational management of the company across all its operating locations in the US, UK and mainland Europe. He has a deep interest in ‘disruptive’ technologies, particularly their use and efficiency in personal learning and development.

He previously held senior management positions across Europe for the BBC, Qype, Nokia, Moonfruit and UK Government-backed TechCity UK. He was on the senior management team of during its sale to in 2012. He is a Fellow of the UK Chartered Institute of Marketing.
