With one month until GDPR comes into force, it’s important publishers are clear on their legal obligations.
One of the GDPR concepts that has been widely discussed and may be broadly familiar is ‘consent’ and whether this needs to be obtained from consumers for publishers to continue running affiliate marketing activity.
Here we’ll give you a quick tour of how consent works and what Awin’s position is. We’ll also outline what steps publishers can take to achieve compliance with the new data privacy laws.
Definitions of consent
It’s initially important to state that there is a great deal of confusion around consent. This is partly because there is no industry consensus on the topic but primarily because, alongside GDPR consent, there is also consent related to the existing ePrivacy Directive (commonly referred to as the Cookie Directive).
These laws are separate but also co-exist. If data privacy is considered as a whole, think of the GDPR Regulation as being all-encompassing and broad on all aspects of data. ePrivacy by contrast is specifically concerned with Direct Marketing and the functions of online tracking.
Inevitably there is some overlap which arises because cookies often contain personal data, but it is a mistake to assume that cookies and personal data are one and the same.
In this article we will refer to:
- consent for the use of cookies under the ePrivacy Directive as Cookie Consent
- consent for processing personal data under the GDPR as Data Consent
While there are two types of consent, it is not necessarily easiest or required to obtain both at the same time.
Under GDPR, there are plenty of ways to legally process personal data without relying on Data Consent.
In fact, it is fair to say that Data Consent is the least convenient and most burdensome legal basis for data processing.
You can read about the six legal bases for processing personal data here.
Under the 2012 ePrivacy Directive, Cookie Consent is always required to set cookies, unless the cookies are strictly necessary to deliver a service requested by the individual. So, cashback and reward publishers, for example, may not need a Cookie Consent for affiliate cookies because affiliate cookies are necessary for a cashback or rewards-based type of service to work.
Data Consent under GDPR
Obtaining Data Consent isn’t without its challenges. In doing so the onsite user experience may be negatively impacted and the individual may refuse to consent anyway.
When personal data is processed based on Data Consent, the individual is given greater data rights, which will need to be respected in future. Furthermore, the Data Consent must be managed and recorded at a particular level of detail. Additionally, providing a service or content cannot be denied to consumers and users because they have refused to give Data Consent, unless the service depends on that Data Consent.
Perhaps most importantly, to obtain valid Data Consent, the individual must be provided with enough information to make an informed decision.
This is why Awin is using a different legal basis for processing personal data under GDPR, known as legitimate interest and Awin does not require Data Consent from publishers or advertisers to legally track transactions.
This applies to the processing of personal data as individuals travel from the publisher website to advertiser websites, via our domains, tracking the confirmation of the transaction and the subsequent reporting available in the user interface.
Awin can take this approach because we are a pureplay affiliate network.
Awin uses personal data for tracking referrals to advertiser websites, the consequent transactions and our reporting, but we never reuse this data to:
- Build behavioural user profiles
- Behaviourally profile
- Market for any other purposes
To be undertaken lawfully, those types of processing tend to require a Data Consent because they are perceived to have a greater impact on individuals’ privacy.
By avoiding this type of processing, Awin can rely on legitimate interest to justify its processing and avoid requirements for Data Consent.
The ICO definition of legitimate interest is available here.
Cookie Consent under ePrivacy
Since the ePrivacy Directive was implemented into national laws across the EU, everyone is required to obtain Cookie Consent when setting cookies.
Presently, this is frequently done on an implied basis; the individual is presented with a notice explaining that cookies are being set but does not have to take steps to affirm their Cookie Consent, (commonly done by opting in). The nature of a Directive is its legal interpretation may differ from country to country.
In some EU jurisdictions, an individual’s implied consent is not acceptable and so for several years they have been asked to affirm their Cookie Consent, but these jurisdictions are in the minority.
Awin has required publishers to obtain Cookie Consent under our terms with publishers since 2012. This is to make sure that publishers comply with these rules, but also to obtain Cookie Consent for Awin’s cookies, on behalf of Awin. This is typical of networks like ours, which don’t have a natural or convenient opportunity to engage with individuals to obtain Cookie Consent.
Why are we talking about Cookie Consent all over again?!
Cookie Consents are back under discussion because, in most EU member states, laws implementing the ePrivacy Directive rely on the definition of consent in local data laws for the Cookie Consent definition.
So, when GDPR replaces local data laws, the definition of used for Cookie Consents is also replaced.
It is significant because the standard of consent necessary for GDPR is higher than under existing local data laws; the key difference being that consent must be unambiguous.
How does GDPR impact Cookie Consent?
The upshot is that obtaining Cookie Consent is now more involved. The specific difference being that, because Cookie Consent must be unambiguous, the common approach of using implied consent is unlikely to be sufficient. Cookie Consent should also be given before cookies are set.
To obtain a valid Cookie Consent under the new consent definition, the individual must do something to indicate their agreement. You may be familiar with a growing focus on universal consent tools; a piece of technology that serves up a message when a user arrives on a website and seeks permission to track that consumers onsite activity.
Therefore, publishers may choose to use consent tools, but consent could also be obtained, for example, by continuing to navigate a website by clicking internal or external links (provided that cookies aren’t set before this point).
So how are Cookie Consent and Data Consent different?
Because cookies are inherently less complicated than all of the things that could be done with personal data, complying with the increased consent standards is much easier when obtaining Cookie Consent than when obtaining Data Consent for cookies.
There is less to explain to the individual, fewer record keeping obligations and fewer additional rights to offer the individual.
The compliance risk is also much less, because the huge fines brought in by GDPR do not apply to Cookie Consent, unlike Data Consents used for cookies.
Even though laws implementing the ePrivacy Directive rely on the GDPR for the definition of consent, they still have their own fines and penalties for non-compliance.
How does this change the way I work with Awin?
We recognise that, because of this change in the definition of consent, complying with your existing obligations has been made harder. This is unless, of course, you operate in a jurisdiction like the Netherlands, which already requires individuals to indicate their consent to cookies.
Cookie Consent will continue to be required by Awin for its publishers to obtain Cookie Consent both for themselves and for the cookies set by Awin’s domain.
We will also be continuing to review publishers compliance with these requirements and asking them to correctly obtain Cookie Consent if it appears to us that they are not.
However, Awin does not mandate how Cookie Consent must be obtained.
Awin will be offering a consent tool which may be used for Cookie Consent, but we are also happy for you to use other consent tools, or to obtain valid consent in other ways. For example, it will be sufficient in most cases to change existing cookie notices to explain that an individual will be giving his or her consent to an affiliate tracking cookie if they click an external link without changing their browser cookie settings. Awin’s approach will follow this methodology.
We recognise GDPR is not straightforward, especially for smaller publishers, and we are trying to minimise the burdens of compliance for our publishers in whichever ways are possible.
One way is to justify our data processing on the basis of legitimate interest, so we do not need to ask publishers to obtain any Data Consent for us. This is not an option for Cookie Consent; if a business does not need to set the cookie to deliver a service requested by an individual, Cookie Consent cannot be avoided. However, as Cookie Consent is more straightforward than Data Consent to cookies, we can at least be flexible in the methods of lawful Cookie Consent that are acceptable to us.
We will be continuing to issue guidance to assist both publishers and advertisers in advance of 25 May 2018 including details of our consent tool.
We hope you understand we are not able to offer legal advice.