Blog Post
Web Analytics
Nadine
Wolff
published on:
02.08.2018
What changes are occurring in affiliate marketing after the GDPR?
Table of Contents
Affiliate marketing is just one of many online marketing channels that will undergo significant changes due to data protection reasons following the GDPR.
The GDPR has been in effect for almost three months, and despite some warnings, the major chaos has not occurred. Or should we say, the chaos has NOT yet erupted? After all, the e-privacy directive will follow the GDPR at the end of the year. We want to assure you: This article provides an outlook on what matters in affiliate marketing after the GDPR and what advertisers and publishers should now definitely pay attention to.
May 25, 2018, arrived, and almost no one really knew what to expect. Can I track anything at all anymore? Can I continue to scale my business? In conversations we had with many industry experts up to May 2018, it repeatedly emerged that no one really knew what would happen. Online marketers were trying to follow the initial instructions from their data protection officers, even if they were not 100% sure whether the measures were actually relevant.
Law firms specializing in internet law are well-booked throughout the year. Public institutions that train data protection officers are enjoying almost continuously fully booked class rooms. The industry is temporarily really moving.
We have looked at the relevance of the topics "data protection" and "GDPR" using Google Trends and similarweb and definitely see a trend:
Fig.2 Comparison of GDPR and data protection in Google Trends
Fig.3 Traffic Overview for dsgvo.gesetz.de, July 2018
We see that in Q1 2018, almost no one was really dealing with the topics around the GDPR. Was the extent of the GDPR consequently underestimated? We don't think so, as it probably would have brought little to already adjust to the GDPR at the beginning of the year when it wasn't even fully formulated until May 25. The European Union itself made final adjustments within the directive a few days before the GDPR came into effect.
But now the interest is noticeably subsiding again, although no fewer questions about the topic remain. Through the GDPR, in addition to the use and storage of personal data, especially the documentation of the data and the duration of data storage, are significantly better regulated in all EU member states.
The GDPR regulates that data storage is based on minimal volume and that data must also be deleted after a certain period. This grants consumers more transparency and self-determination over their own data in online traffic.
Personal Data in Affiliate Marketing?
In fact, it is still not finally clarified which personal data are applicable in affiliate marketing. In addition to the consumer master data, it is also about reading their IP address, device tracking, and cookie IDs, which may now supposedly only be traceable to a specific natural person with legitimate interest.
Lead generation in affiliate marketing is still permitted. However, before "contract conclusion," it must be ensured that even in a free sweepstakes or other free offers where ultimately data is paid with, this fact is clearly communicated to users and the data can be deleted. Then consent (to a sweepstakes) can be considered a valid consent (Opt-In). Here too, attention must be paid to the legal data storage duration.
The prohibition on linking consents under § 4a Para. 1 Sentence 1 BDSG remains after the GDPR. The right to object and delete data under the GDPR is also new for consumers.
What Publishers Should Pay Attention to in the Future
Publishers, together with the affiliate network, are considered data processors when an advertising medium is integrated into publisher websites via an affiliate network and data tracking occurs. Publishers can still integrate advertising media independently on their websites without coordinating with advertisers. However, they will have to assume that advertisers will look even more closely at whether the publisher pages comply with current data protection regulations when examining new applications. Here is a summary of what publishers should pay attention to:
Fundamentally important: website with HTTPS certificate!
Updating the privacy policy page
Is there a complete imprint?
Ensure transparency in educating about data collection, storage, and deletion
Avoid aggressive targeting
Consult with affiliate networks and service providers about data protection and tracking
Reference cooperation with an affiliate network on your own website, including a reference to their data protection regulations
Use consent tools
Mark advertising in social media posts
An example of good implementation is the publisher gutscheinpony.de. Here it becomes clear how extensive a data protection page can and should look today.
Even before the GDPR, it was necessary with each cookie tracking to ask for user consent. This is not something new that came with the GDPR. Those who have not implemented this so far have simply been operating untidily for longer.
At least an Opt-Out from tracking should be available to users on the data protection page. To what extent an Opt-In under Art. 6 Para. 1 of the GDPR is necessary will only be decided with the e-privacy directive (although it sometimes sounds like conscious consent by the user is already needed now).
The topic of GDPR, unfortunately, remains fairly opaque – especially in affiliate marketing.
If you want to play it safe and opt for Opt-In now, you will find, for example, a plug-and-play consent tool with the network AWIN, a banner that publishers can integrate into their website to obtain user consent.
Other networks such as Conversant & CJ Affiliate also now offer useful solutions. Here, it is explained in more detail how that can work.
Fig. 4 Example of Consent Tool from Conversant & CJ Affiliate
What Advertisers Should Focus On
The following overview is not fundamentally applicable to every advertiser equally. Affiliate networks do not necessarily store personal data and IP addresses. It should be noted that advertisers must individually decide which measures in affiliate marketing after the GDPR are relevant for them.
The following TODOS might come your way:
Fundamentally important: Your website should have the HTTPS certificate
Update your privacy policy page
Do you use Facebook, Google Maps, Google Analytics? Mention this accordingly!
Do you use a public or private affiliate network? Mention this accordingly!
Check your cookie policies and adjust them if necessary
Appoint an internal data protection officer
Review existing personal data sets for legality
Pay attention to data minimization and data deletion
Create a data processing agreement (DPA) with your affiliate network & external service providers
In profiling/retargeting campaigns, tracking switches & 3rd party providers: Use Opt-In & consent solutions
Effects of the GDPR on SMEs
Affiliate marketing is particularly interesting for companies because advertising does not have to be placed primarily per click, but money is only spent when the target, a conversion, has occurred. Regardless of company size, affiliate marketing has become a fixed part of the online marketing mix for any e-commerce shop. It is all the more important that this channel continues to be data protection compliant and profitable after the GDPR.
At our conference held in June in Berlin, it became clear that our agency focus is on strengthening SMEs through tailored online marketing strategies. Of course, we also accompany our clients on the topic of data protection within what is possible, although we cannot make legally binding statements.
Originally, a uniform data protection regulation was intended to make data misuse and massive data storage more difficult and impossible for global players like Google, Amazon, and Facebook.
We are now finding that smaller and medium-sized businesses are particularly affected by the impact of sanctions and the increased effort of data bureaucracy. They face a much bigger challenge when it comes to implementing the GDPR guidelines.
These exact SMEs and small companies, due to monetary weakness compared to Facebook and others, are simply not able to implement the major GDPR project, which gives the whole thing a certain tragedy.
If in the future Opt-In actually becomes mandatory for all publishers, it could lead to immense performance losses in affiliate marketing. We have already experienced in other projects that Opt-In is accompanied by a large loss of traffic and know that for the affiliate sector, as a channel that stands more at the end of the customer journey, almost no tracking would then be guaranteed.
Fig.5: Will the Internet of Things be slowed down by the GDPR?
The problem is as follows: There is a lack of extensive templates for orientation that could make the general implementation of the GDPR practicable, for example, concerning affiliate marketing. This was simply missed during the two-year lead time of the GDPR. How should this be implementable if, as described at the beginning, the EU is still making changes days before the directive comes into effect and spreads unrest?
The fact is, as the implementation of the GDPR for SMEs goes, small businesses are especially fighting digital diminution of the economy. Better lobbying for SMEs is certainly necessary to prevent future negative impacts of data minimization and data deletion.
Not Every Advertiser Will Be Immediately Warned
Even if it is not officially clarified to what extent the GDPR, and soon the e-Privacy, will affect the internet industry as a whole, we still want to offer hope.
In recent weeks, more and more information from relevant associations and politics has come through. We assume that by the end of the year, clear structures will emerge in dealing with the new data protection regulation. Regular exchanges between agencies, publishers, advertisers, and affiliate networks can also help small businesses become more familiar with the topic.
By the way: Do not immediately fear large warnings and lawsuits running into millions. Even lawyers do not yet know in what framework warnings are legally secure. Only those who act grossly negligent and have not dealt with the GDPR topic to date run the risk of being warned and then actually causing the feared chaos.
Fundamentally, the large wave of warnings will not occur if now all website operators, on the advertiser and publisher side, but also at the agency level and the affiliate networks implement adjustments within their framework, also exchange, and jointly find a practical implementation for the future that works not only for themselves, but especially for their customers.
What Can We Do for You?
Are you looking for a full-service agency to assist you in affiliate marketing? We are happy to assist you and advise you with a holistic online marketing strategy. Contact us. We look forward to your inquiry.
Nadine
Wolff
As a long-time expert in SEO (and web analytics), Nadine Wolff has been working with internetwarriors since 2015. She leads the SEO & Web Analytics team and is passionate about all the (sometimes quirky) innovations from Google and the other major search engines. In the SEO field, Nadine has published articles in Website Boosting and looks forward to professional workshops and sustainable organic exchanges.
no comments yet