As well as enabling individuals to better control their personal data, GDPR also formalises concepts such as the ‘right to be forgotten’ and provides data subjects with ‘data portability’ and access – meaning any organisation collecting EU citizens’ data must provide it to them when asked – and in a machine-readable format.
This is particularly troublesome for affiliate marketers. As affiliate marketing is orientated around a business utilising other websites to drive traffic and/or sales back to their own via referrals (giving those websites a small commission), failing to adhere to the GDPR regulations could be devastating – as every website would now be held accountable.
To ensure they are adequately prepared for the future, organisations need to have addressed their data privacy, protection and processing – yesterday!
Current data protection laws state that data processors (those who process personal data on behalf of another organisation) were exempt from the burden of compliance – that responsibility lay with the data controller (their client).
However, under GDPR, both data processors and data controllers will be held accountable. This means affiliate marketing websites that process visitor data on behalf of controllers will need to adhere to GDPR regulations. In addition, should any of the websites within an affiliate marketing campaign suffer a data breach, that data breach must be reported to the supervisory authority within 72 hours – and if that breach is likely to result in a high privacy risk for individuals, they too must be notified. There are, of course, website elements that these businesses can address to ensure they are GDPR compliant.
Revising your websites ahead of GDPR – the basics
For affiliate marketing networks, GDPR is a collective responsibility. Every individual website must disclose their data collection practices, have a clear trail of consent and inform website visitors on how their data is going to be used. Here are some simple actions that can be taken to get you started with preparing for GDPR.
- Create appropriate privacy and cookie policies.
This means displaying your cookie collection practices and data privacy regulations as soon as a user arrives on your website – and including a page dedicated to that information and a way for website visitors to opt-out of cookie collection.
Most websites that market globally will already have detailed cookie collection information in place, but here are a few examples to convey what businesses must be doing ahead of GDPR:
The MacMillan Dictionary Blog (pictured above) is a good example of GDPR-compliant cookie practice. By having a button users must click, they have a way for website visitors to provide their unambiguous consent to being marketed to. In addition, they have a link to their cookie policy page, as well as some brief information on how those cookies are being used.
Websites that don’t offer these elements will face some backlash – as users need to be able to opt-in to the cookie practices – implied consent is not enough – and lines such as ‘by accessing this site you consent to the use of cookies’ will not do.
House of Fraser
House of Fraser is another good example. Instead of assuming a user is happy to have their data collected by the website’s analytics – their cookie notice requires website visitors to close the message to accept – thereby providing their consent. In addition, they also have a link to their privacy policy via the ‘find out more’ link.
BMW
BMW’s website is another good example, the cookie information is right at the top of the browser, before the ‘fold’, meaning any website visitor will notice it. In addition, it requires that website visitors press continue to accept the cookie tracking. They also have the ability to change their cookie settings and find out more regarding BMW’s cookie policy.
- Revise data security and data management protocols and process
Do you have a habit of storing data for unnecessarily long periods of time? Under GDPR, you can only hold data for as long as it is actually needed. Ensure you cleanse your website’s database thoroughly.
- Provide company information
You need to provide website visitors with an easy way to get in touch with you and include your company’s details across all the communications you send out.
Address website personalisation and interaction
Advanced marketing automation tools and website management platforms will enable businesses and organisations to align content with people who visit their website based on previous interactions. This level of sophistication enables those businesses to deliver targeted content and tailor the user experience accordingly. However, under GDPR, behavioural tracking and mapping practices need to be disclosed to the website visitor. You need to let visitors know how you are using that information, as well as giving them the ability to decline cookie tracking.
GDPR and affiliate marketing – double opt-in and opt-out
Any data you have acquired needs to be double-opted in, this means resending confirmation emails to your existing database requesting their permission to use their information and market to them.
Certain marketing automation platforms will automatically send a confirmation email confirming a website visitor’s interactions on the website. For example, if they download a content asset by filling in a form, the marketing automation platform would then send that user an email asking them to confirm that they are indeed interested in sharing their details and being marketed to. With these elements in place, websites under an affiliate network can comprehensively secure their data and ensure they are in line with GDPR regulations.
Also, if there is the ability to opt in to cookie tracking and data collection, an option to opt out must always be available.
Read also:
Will you be silenced by the new UK Ofcom rules, affecting outbound calls?