The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. Make sure you're prepared.
After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016.
Enforcement date: 25 May 2018, at which time organizations not in compliance may face heavy fines.
"The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy." (from the official GDPR website)
In short, it will streamline data privacy across the EU, and put in place new privacy protections for EU citizens.
GDPR is about giving people more control over their personal data and how others are allowed to use their data. For email marketing, that means providing more transparency and clearer consent agreements when signing up new subscribers.
If you currently reside in the EU, or have subscribers that reside in the EU, you need to be GDPR-compliant.
GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location. GDPR makes its applicability very clear: it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
Conditions of Consent:
Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
Unambiguous consent will be required in order to read or write information to or from a consumer's device. Unambiguous consent requires that clear and affirmative action be taken by the consumer. The GDPR states that "silence, pre-ticked boxes or inactivity should not … constitute consent."
This means that by taking an action, such as clicking a box or link to accept, or continuing to browse, the consumer is providing consent, as long as it is clearly and prominently disclosed that this consent allows us to drop cookies and process consumer information, and the intended uses are stated.
Breach Notification:
Breach notification will become mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach.
Right To Access:
Data subjects have a right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller needs to provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency.
Right to be Forgotten:
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Data controllers need to hold and process only the data absolutely necessary for the completion of their duties.
Rights of Children:
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
(Consult with a lawyer for specific recommendations for your business. Please take the following as suggestions, and understand they should not be considered legal advice.)
Every time you collect an email address, a name, home address or phone number, you are obtaining someone’s personal data. If any of those people are citizens of the European Union, you must adhere to the new rules.
On any forms or landing pages you use, you should state your intentions specifically and very clearly.
Will you send them regular newsletters, occasional offers, or share this list with anyone else?
If someone purchases your product on another platform, will they be added to your list?
Your subscribers should be aware of how their sensitive information (email and any other data you collect) will be handled.
Marketing to people who have given their consent is a best practice that is one of the foundations of successful email marketing. If you’ve been building your list by getting user consent first, then GDPR will not change your life much.
On the other hand, if you have old lists or market to people who have not given proper consent, it’s time to change your practices. Although you might not grow as fast as you want, the long-term results will be much better, not to mention you will also be complying with the GDPR.
Active consent means your subscribers need to initiate the consent. You can no longer pre-tick the checkbox and make the user untick it. The user must click the checkbox themselves.
Explicit consent means that you need to clearly communicate exactly what the user is agreeing to and what the data is being collected for.
If you are not sure that the people on your current lists gave consent or you don’t have a record of it, you need to re-validate all of your EU subscribers.
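The consent rules above (an unticked box the subscriber must tick, a purpose stated at capture time, withdrawal as easy as giving consent, a record you can point to, and an electronic copy on request) translate naturally into a small consent ledger. The following is an added example written for this page, not code from MailerLite, ConvertKit or any other provider mentioned here. The record fields, the function names, the sample subscribers and the EU country set (EU member states as of May 2018, UK included) are all assumptions of the example; a real list would store these records alongside the subscriber in the email platform's database.

```python
"""Consent ledger for an email list: active/explicit consent capture,
withdrawal, re-validation lookup and subject-access export (constructed example)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumption: EU member states as of May 2018 (ISO 3166-1 alpha-2), UK included.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
})


class ConsentError(ValueError):
    """Raised when a consent capture does not meet the active/explicit bar."""


@dataclass
class ConsentRecord:
    purpose: str                      # what was agreed to, e.g. "newsletter"
    given_at: str                     # ISO 8601 UTC timestamp of the affirmative action
    source: str                       # which form or page captured it
    withdrawn_at: Optional[str] = None  # set when the subscriber withdraws


@dataclass
class Subscriber:
    email: str
    country: str                      # ISO 3166-1 alpha-2 country of residence
    consents: list = field(default_factory=list)


def _stamp(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def record_consent(sub: Subscriber, purpose: str, source: str,
                   box_ticked: bool, box_preticked: bool = False,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Store consent only if the subscriber actively ticked an unticked box."""
    if box_preticked:
        raise ConsentError("pre-ticked checkbox is not an affirmative action")
    if not box_ticked:
        raise ConsentError("box not ticked: silence or inactivity is not consent")
    rec = ConsentRecord(purpose=purpose, given_at=_stamp(now), source=source)
    sub.consents.append(rec)
    return rec


def withdraw_consent(sub: Subscriber, purpose: str,
                     now: Optional[datetime] = None) -> int:
    """Withdraw every active consent for a purpose; returns how many were closed."""
    closed = 0
    for rec in sub.consents:
        if rec.purpose == purpose and rec.withdrawn_at is None:
            rec.withdrawn_at = _stamp(now)
            closed += 1
    return closed


def has_valid_consent(sub: Subscriber, purpose: str) -> bool:
    return any(r.purpose == purpose and r.withdrawn_at is None for r in sub.consents)


def needs_revalidation(subs: list, purpose: str) -> list:
    """EU-resident subscribers with no recorded, unwithdrawn consent for the purpose."""
    return sorted(s.email for s in subs
                  if s.country in EU_COUNTRIES and not has_valid_consent(s, purpose))


def subscriber_record(sub: Subscriber) -> dict:
    """Everything held about one subscriber, for a right-of-access request."""
    return {"email": sub.email, "country": sub.country,
            "consents": [asdict(r) for r in sub.consents]}


def export_subscriber(sub: Subscriber) -> str:
    """Electronic copy in JSON, the portable format the page mentions."""
    return json.dumps(subscriber_record(sub), indent=2)


def erase_subscriber(subs: list, email: str) -> bool:
    """Right-to-be-forgotten: drop the subscriber and all their consent records."""
    before = len(subs)
    subs[:] = [s for s in subs if s.email != email]
    return len(subs) < before


def sample_list() -> list:
    """Constructed sample: one EU subscriber with consent, one without, one outside the EU."""
    subs = [Subscriber("anna@example.org", "DE"),
            Subscriber("ben@example.org", "US"),
            Subscriber("chloe@example.org", "FR")]
    record_consent(subs[0], "newsletter", "signup-form-v2", box_ticked=True)
    return subs


if __name__ == "__main__":
    subs = sample_list()
    print("EU subscribers to re-validate:", needs_revalidation(subs, "newsletter"))
    print(export_subscriber(subs[0]))
```

Running the script lists the EU subscriber with no consent record (the re-validation case in the paragraph above) and prints the JSON copy for the one who consented. The ledger keeps the withdrawn record rather than deleting it so that the list owner can still show when consent was given and when it ended; only an erasure request removes the subscriber outright.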
Even before GDPR, MailerLite always required its users to be transparent with subscriber opt-in. So the good news is that your email practices shouldn't change much, since their current terms and anti-spam policies are already quite strong. That said, there are a few new features that they will implement to ensure that you have all the right tools to comply with GDPR.
MailerLite allows customers to download user data if someone makes a 'right of portability' request. As seen in the screenshot below, you can export and save subscriber data to a PDF (Print) or a JSON file (the most popular format for transferring data).
MailerLite makes it easy for you to revalidate with a new GDPR template. You can simply go to Create New Campaign > Template Gallery > GDPR Template to find the pre-built template. We created the template with specific text to help you explain GDPR with a focus on re-validating your subscribers.
The way that ConvertKit is getting compliant as a US company is by becoming a Certified Privacy Shield Member.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Privacy Shield was created specifically for US companies, and may have a different set of regulations or requirements than a company operating in the EU.
ConvertKit is building four new tools you can use to find your EU subscribers, establish explicit consent, and comply with the GDPR.
AWeber is already self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and they comply with lawful transfers of EU/EEA personal data to the U.S. in accordance with their Privacy Shield Certification.
Google's EU User Consent Policy is being changed to the updated version (effective May 25, 2018) to reflect the new legal requirements of the GDPR. It sets out your responsibilities for making disclosures to, and obtaining consents from, end users of your sites and apps in the EEA. The policy is incorporated into the contracts for most Google ads and measurement products globally.
In the cases of DoubleClick for Publishers (DFP), DoubleClick Ad Exchange (AdX), AdMob, and AdSense, Google and its customers operate as independent controllers of personal data that is handled in these services. These new terms provide clarity over the respective responsibilities when handling that data and give both you and Google protections around that controller status.
By May 25, 2018 Google will also introduce new terms for AdSense and AdMob for customers who have online terms.
If you use Google Analytics (GA), Attribution, Optimize, Tag Manager or Data Studio, whether the free or paid versions, Google operates as a processor of personal data that is handled in the service. Data processing terms for these products are already available for your acceptance (Admin → Account Settings pages). If you are an EEA client of Google Analytics, data processing terms will be included in your terms shortly. GA customers based outside the EEA and all GA 360 customers may accept the terms from within GA.
To comply, and support your compliance with GDPR, Google is:
We’ve selected the areas of the GDPR we believe are most relevant at the present time for the affiliate industry. However, it is important to familiarise yourself with the full details as there are many more implications that need to be understood. In addition, we have provided useful links at the end of this communication.
1. Personal Data
Consumers’ personal data sits at the heart of the GDPR and the classification of personal data is broadened under the GDPR. This means data the affiliate industry relies on that is not currently considered personal data may under the GDPR now be classified as such. Whilst a definitive list of personal identifiers does not exist for affiliate marketers, we can safely assume it will include information such as cookie IDs, customer numbers, IP addresses, device IDs etc. These are identifiers that many networks and platforms capture as part of their standard tracking.
Publishers using affiliate tracking will therefore have an obligation to ensure they are legally compliant with the new regulation.
2. Legal Basis for Processing Personal Data
Businesses will require a legal basis to process personal data. There are six legal bases available; the two most commonly used in the digital advertising sector are consent and legitimate interest.
Legitimate interest is distinct from consent. According to the ICO, “It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing”. Should a business choose legitimate interest they have to be confident in demonstrating this as an appropriate legal basis.
Where consent is considered necessary the Information Commissioner’s Office (ICO) states, “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation”.
“Contract” is also a legal basis which may be applicable in some cases. It refers to instances where there are specific contract agreements in place between a business and its customers (data subjects) which allow the business to collect and process personal data. Some publishers (such as cashback businesses) may well have such agreements in place with their users.
Given the diverse nature of the affiliate channel and the variety of digital channels affiliates use to generate sales, it is difficult for networks to offer recommendations. Where prescriptive requirements are necessary, individual networks will state this in due course.
3. The ePrivacy Directive
The GDPR does not supersede the ePrivacy Directive; rather, the two run concurrently. The Directive is currently under review to ensure it aligns with the GDPR once finalised. A focus of the revision is to improve transparency to consumers and introduce stricter opt-ins for cookies (and similar tracking technologies). Under the existing ePrivacy Directive, the ICO has made clear that consent is necessary for "cookies and similar technologies". Thus, regardless of which legal basis is used for processing personal data under GDPR rules, the ePrivacy Directive remains in place, and unambiguous consent is required for the use of many cookies because the GDPR only considers consent sufficient if it is "unambiguous". This means that publishers should be reviewing their consent mechanisms against ICO guidance and making changes accordingly.
4. An Industry Consent Solution
Given the potentially significant impact on all forms of online advertising the industry has collaborated to create general standards and approaches. In November 2017 IAB Europe announced a technical standard for online consent and industry stakeholders are building a consent tool which is intended to ensure GDPR and ePrivacy Directive compliance in time for the May deadline. Please sign up for updates here.
If you choose to feature a consent solution on your website, you may be able to use free versions that are available online. A number of businesses are developing consent tools; we advise you to assess the options available and confirm that whichever solution you pick can be implemented to comply with the regulation for your business.
5. Next Steps Checklist for Publishers
- Publishers should assess how GDPR impacts their business and document the measures taken to comply with the rules.
- Publishers should pay attention to ensuring transparency to consumers and decide the most appropriate legal basis for collecting and processing personal data from site visitors.
- Publishers should assess and upgrade privacy policies and cookie notices to provide transparency and upgrade consent capture.
- Publishers should seek their own legal advice. This communication should not be read as legal advice.
- Publishers should refer to their individual affiliate networks and platforms for any specific guidance or requirements to comply with GDPR.
The GDPR signifies changes that all businesses will have to make, and the impact on the industry at this stage is uncertain. However, these impacts can be mitigated with demonstrable understanding, effort and measures to comply with the rules. Whilst the deadline is 25th May 2018, it marks the start of this new age of data privacy.
It is important that you understand your obligations as a business for the GDPR and make any necessary amendments to be compliant. Please do review the links below for more information and consider following our advice above.
ClickBank vendors and affiliates must take several steps to comply with GDPR.
You can download ClickBank's GDPR guide.
ClickBank itself is also taking measures, such as order forms that will be automatically served to EU customers and include a checkbox for handling personal data.
Affiliates must be able to comply with customer requests to remove personal data.
Most important advice: don't leave this matter to the last minute; check your compliance and what your email service provider is doing to comply with the regulations.