Stuart McMaster, Partner at international law firm Mishcon de Reya, tells Trafficology about the potential impact of the forthcoming General Data Protection Regulation on the affiliate industry.
When it comes to personal data, how do regulators find the right balance between allowing the digital economy to thrive, and protecting the privacy rights of individuals? This is one of the great questions of the digital age, and the General Data Protection Regulation (GDPR) pushes the needle towards giving individuals greater control over their own personal data.
Many of the GDPR's principles are already contained in existing data protection law; however, it does introduce a number of new principles and concepts, and affiliates, if they have not already done so, must assess whether their business models need to be upgraded in preparation.
From 25 May 2018 the GDPR applies directly in every EU member state, with no further national implementing law needed. One of the major changes is its territorial reach: it will apply to any affiliate, wherever it is located, that offers services to or monitors the behaviour of end-users located in the EU. The GDPR will also apply to any affiliate that is established in the EU, even if it only handles personal data relating to end-users located outside the EU.
Affiliates can engage in a wide range of marketing activities that involve different levels of contact with personal data. Some activities involve a heavy degree of contact with personal data, such as running prize competitions in order to compile marketing lists, or profiling end-users.
The starting point for an affiliate is to identify how much personal data it actually handles. It is important to note that “personal data” can cover much more than just lists of names and contact details for end-users. Personal data is any information relating to an individual, as long as that individual could (with reasonable effort) be identified directly or indirectly from it.
So any dataset which can be organised by IP address, MAC address or cookie identifier, and used to build profiles of end-users and single them out, may count as a list of personal data. While this is already reflected to some extent in current law, the GDPR cements the point and moves it slightly further forward (e.g. by naming location data and online identifiers as things which can constitute personal data). Note that the GDPR does not apply to fully anonymised data, i.e. data from which no individual can be identified by any means reasonably likely to be used. Affiliates should be careful about what counts as anonymisation: simply hashing an identifier such as an IP address or email address does not achieve it, because the input space is small enough to be enumerated and the original value recovered, and because a keyed or salted hash can still be linked back by whoever holds the key. The GDPR treats such data as pseudonymised, and pseudonymised data is still personal data.
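The following is an added example, not part of the original article, showing why a hashed IP address is pseudonymised rather than anonymised. The record and the address (from the RFC 5737 documentation range) are constructed for illustration; the function and variable names are the author's own, not from any GDPR guidance. It reverses an unsalted SHA-256 of an IPv4 address by enumerating a candidate range, then shows that a keyed hash (HMAC with a secret only the data holder knows) resists that enumeration while remaining linkable by the key holder.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample: an analytics record keyed by an unsalted SHA-256 of the
# end-user's IPv4 address. Datasets like this are sometimes called "anonymised".
SAMPLE_IP = "203.0.113.77"  # RFC 5737 documentation address, constructed
SAMPLE_RECORD = {
    "ip_hash": hashlib.sha256(SAMPLE_IP.encode()).hexdigest(),
    "pages_viewed": 14,
    "campaign": "summer-promo",
}


def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the address: deterministic and keyless."""
    return hashlib.sha256(ip.encode()).hexdigest()


def recover_ip(ip_hash: str, search_space: str) -> Optional[str]:
    """Reverse an unsalted hash by hashing every address in a CIDR range and
    comparing. The whole IPv4 space is only 2**32 values, so an attacker who
    knows the hashing scheme can always do this; a /16 takes a fraction of a
    second on a laptop."""
    for addr in ipaddress.ip_network(search_space):
        if plain_hash(str(addr)) == ip_hash:
            return str(addr)
    return None


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key an attacker cannot run
    the enumeration above; with the key the data holder can still link the
    token back to the address, which is why this is pseudonymisation, not
    anonymisation, under the GDPR."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def main() -> None:
    # 1. The "anonymised" record falls to a simple enumeration of a /16.
    found = recover_ip(SAMPLE_RECORD["ip_hash"], "203.0.0.0/16")
    print("unsalted hash reversed to:", found)

    # 2. A keyed hash of the same address does not match anything an
    #    attacker can compute without the key.
    key = b"server-side secret, never stored with the data"  # assumption: kept separately
    token = keyed_hash(SAMPLE_IP, key)
    print("keyed token reversible by enumeration:", recover_ip(token, "203.0.0.0/16") is not None)

    # 3. Two different keys give unlinkable tokens, so a key used for one
    #    purpose does not let two datasets be joined.
    print("tokens differ across keys:", keyed_hash(SAMPLE_IP, b"key-A") != keyed_hash(SAMPLE_IP, b"key-B"))


if __name__ == "__main__":
    main()
```

The practical test is the one the GDPR's recitals describe: if anyone, using means reasonably likely to be used, can get back to the individual, the data is not anonymous. A plain hash fails that test outright; a keyed hash passes it only for parties who do not hold the key, and the key holder must still treat the tokens as personal data.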
The GDPR applies to everything that an affiliate could possibly do with personal data. That includes collecting it, using it, or transferring it to others. It also covers more basic actions such as simply storing the data or erasing it. Each of those actions counts as the ‘processing’ of personal data, and each action must be carried out in accordance with certain key principles.
One of the main principles is that each processing action must be "lawful". Processing will only be lawful under certain conditions, such as where the end-user has freely given their consent to their data being processed for a particular purpose; or where the affiliate (or operator) has a legitimate interest in the processing being carried out, and that interest is not outweighed by the privacy interests of the end-users concerned.
The GDPR makes it somewhat harder for affiliates to rely on consent as the lawful basis for their processing activities. First, the end-user must be given an easy way to withdraw their consent at any time. Secondly, the GDPR makes clear that pre-ticked consent boxes, silence or inactivity do not amount to valid consent. If affiliates have previously relied on pre-ticked consent boxes, it may become necessary for them to obtain fresh consents which the end-user actively ticks. This may lead to a decline in the number of end-users who choose to opt in.
At the time of writing, we are waiting for further guidance from the regulators regarding consent. One of the key outstanding questions is whether it will be necessary for affiliates to get end-users to actively tick multiple consent boxes (with a separate tick box for each distinct processing activity). Affiliates should note that further changes to the way in which consent is used for direct marketing are on the horizon, with the proposed ePrivacy Regulation (intended to replace the current e-Privacy Directive) progressing in the background.
Affiliates may be able to rely on legitimate interests instead of consent to provide a lawful basis for their processing activities. The GDPR does helpfully indicate that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". However, in order to rely on legitimate interests, the affiliate (or the operator, where applicable) will need to have carried out and documented a balancing assessment of its interest against the privacy interests of the end-users concerned, and a full data protection impact assessment is required where the processing is likely to result in a high risk to individuals.
These assessments are designed to identify any possible risks for the end-users, so that those risks can be mitigated or avoided altogether. And, in the same way that end-users can withdraw their consent to the processing of their data, so end-users can object to processing based on legitimate interests and challenge whether an affiliate or operator really does have such an interest.
It will be interesting to see how much uptake there is from affiliates in using ‘legitimate interests’ rather than consent as the lawful basis for their processing activities. Of course, many affiliates will still need to obtain consent for their direct marketing activities (as distinct from their processing activities). So would it be better to just use consent for everything (and avoid the need to carry out written privacy impact assessments)? The best way forward may be to rely on a mixture of consent for direct marketing activities and legitimate interests for processing activities, especially if this minimises the number of boxes that end-users need to actively tick.
Privacy notices must explain not only how personal data will be handled but also why the use of the data is justified, i.e. which lawful basis is relied on. If the lawful basis is that the end-user has given their consent, then the end-user must be informed of their right to withdraw that consent at any time. There is still some uncertainty about just how explicit privacy policies will need to be when explaining what will be done with personal data (especially as they are also meant to be concise and easy to read); further guidance on the topics of consent and transparency is expected by the end of 2017.
There are a number of other principles that affiliates must comply with whenever they handle personal data. For example, personal data must be kept secure, using appropriate technical and organisational measures, so that it cannot be stolen, altered or accessed without authorisation. Because their lists have direct commercial value, affiliates generally already take this seriously. There are other principles that affiliates need to consider more carefully, such as the principle that personal data should not be held for longer than is necessary and should be deleted once it is no longer needed for the purpose it was collected for.
One of the key changes introduced by the GDPR is that it is no longer only the data controllers who can be fined; for some breaches of the GDPR, the regulator will be able to go after both the data controller and the data processor (unless one of them is able to show that it was not in any way responsible for the breach). Affiliates should comply with the principles set out in the GDPR whenever they handle personal data, even where the personal data is not their own.
For example, if an operator sends a list of self-excluded players to an affiliate (so that the affiliate can ensure that it does not send marketing materials to those players), then the affiliate will be required to comply with some of the key GDPR principles as regards that list. Security would be a key concern here (given the possible sensitivities for any individual whose name is on a self-exclusion list); amongst other things, the list would need to be suitably encrypted both in transit and at rest, handled by as few people as possible, and accessible only to the staff and systems that actually perform the suppression check.
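One way to keep the number of people and systems that see a self-exclusion list to a minimum is for the operator to share keyed tokens of the players' identifiers rather than the identifiers themselves. This is an added example, not code from the article or from any operator, and it assumes the two parties have agreed a shared secret out of band (separately from the token file) and an identical normalisation rule for email addresses. The sample lists are constructed and use the reserved example.com domain.

```python
import hashlib
import hmac
from typing import Iterable, List, Set

# Constructed sample data. The operator holds the self-exclusion list; the
# affiliate holds its own marketing list. Note the differences in case and
# whitespace, which a naive comparison would miss.
OPERATOR_SELF_EXCLUDED = ["Alice.Smith@example.com", " bob@example.com "]
AFFILIATE_MARKETING_LIST = ["alice.smith@example.com", "carol@example.com", "BOB@example.com"]

# Assumption: this secret is agreed between operator and affiliate out of band
# and never travels with the token file. Anyone holding both can link tokens
# back to addresses, so the tokens remain (pseudonymised) personal data.
SHARED_SECRET = b"agreed-out-of-band-rotate-regularly"


def normalise(email: str) -> str:
    """Both sides must apply exactly the same normalisation, otherwise a
    self-excluded player is silently missed. Trim and lower-case is the
    minimum; real deployments should agree the rule in writing."""
    return email.strip().lower()


def token(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address. A keyed construction is used
    rather than a plain hash because email addresses are guessable and a
    plain hash could be reversed by enumeration."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def operator_export(self_excluded: Iterable[str], key: bytes) -> Set[str]:
    """Operator side: what actually leaves the operator is a set of tokens,
    never the plaintext list."""
    return {token(e, key) for e in self_excluded}


def affiliate_filter(marketing_list: Iterable[str], suppression_tokens: Set[str], key: bytes) -> List[str]:
    """Affiliate side: drop any contact whose token appears in the suppression
    set. The affiliate never learns who is on the operator's list beyond the
    overlap with its own contacts."""
    return [e for e in marketing_list if token(e, key) not in suppression_tokens]


def main() -> None:
    tokens = operator_export(OPERATOR_SELF_EXCLUDED, SHARED_SECRET)
    allowed = affiliate_filter(AFFILIATE_MARKETING_LIST, tokens, SHARED_SECRET)
    print("tokens received:", len(tokens))
    print("contacts that may be marketed to:", allowed)


if __name__ == "__main__":
    main()
```

The token file still needs to be encrypted in transit and at rest, and a change of shared secret requires the operator to re-issue the tokens; the benefit is that the operator's full list, in readable form, is never handed over or stored on the affiliate's side.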
In general terms, the GDPR seeks to re-balance the relationship between businesses and consumers by making it easier for consumers to take control of “their” data. This has resulted in the introduction of some new rights for individuals, including the right to be forgotten, and the right to data portability. The first gives individuals the right to have their personal data deleted by an affiliate where there is no compelling reason for its continued processing. If an affiliate has already shared the data with an operator, it will need to inform the operator of the deletion request (unless this would be impossible or would involve disproportionate effort).
The right to data portability means that end-users can ask any business which holds their data to transfer certain aspects of it to another business. The right to data portability does not apply in all circumstances, but there has been some speculation as to whether this will lead to operators and/or affiliates attempting to get hold of the detailed player profiles held by other businesses, by incentivising their customers to make data portability requests.
The final point to note is that the GDPR also increases the potential fines which can be imposed by regulators for non-compliance.
In the UK, the maximum possible fine will increase from £500k up to €20m (or, if higher, 4% of global annual turnover). It is safe to say that compliance with data protection laws will be an ever-increasing focus for affiliates and operators.
This article was originally published by Trafficology Affiliate Magazine.