The GDPR and Affiliate Marketing: What You Need To Know
At the PMA, we have been receiving a lot of questions about the GDPR and how it relates to affiliate marketing. With the help of the Compliance Council, I have come up with some basic information you need to know plus a roundup of great resources written by PMA members that go into even more detail. At the very least, your company should understand what the GDPR is and the extent to which it does (or does not) impact your business.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a set of data protection regulations (binding legislative acts) governing the use of personal data across the European Union (EU). It takes effect May 25, 2018. Even if your business is not located in the EU, you must comply with the GDPR rules if you “offer goods or services to, or monitor the behaviour of, EU data subjects.”
Personal data is anything that can be used to directly or indirectly identify a person including cookie information, names, email addresses, IP addresses, device IDs, bank details, and more.
Under the GDPR, if you are collecting, processing, or storing applicable personal data from EU customers, you must only obtain that data through opt-in consent, contractual necessity, a legitimate interest, a vital interest, a public task, or a legal obligation. These are all narrowly defined within the regulation and the subject of much of the current discussion surrounding the applicability of the regulation to different business models.
If the GDPR applies to you, you must inform your customers under which basis you are collecting the data and the purpose for the collection. This may include updating privacy policies and cookie notices.
Several PMA members (Awin, Impact Radius, Performance Horizon, Rakuten Marketing) have collaborated with other UK affiliate companies to publish a basic, industry-wide message. In addition, many of them are providing in-depth coverage on their sites regarding not only how their companies are dealing with the GDPR but also general information on how it applies to our whole industry. You’ll find the agreed-upon industry-wide message as well as other great resources below:
None of the above should be construed as legal advice. Seek legal counsel if you believe your company may be impacted by the GDPR.